ci: add publish to npm workflow

[guyinwonder168]

Summary

• Add .github/workflows/publish.yml that triggers on GitHub Release published
• Runs build → typecheck → lint → test → npm publish --provenance --access public
• Uses Node 22 (matching CI), NPM_TOKEN secret for authentication
• Includes supply-chain attestation via --provenance + id-token: write

Setup required

1. Create an npmjs.com Automation token (Access Tokens → Automation)
2. Add it as NPM_TOKEN secret in repo Settings → Secrets
3. Create a GitHub Release to trigger the publish

Workflow

GitHub Release (published)
  → npm ci
  → npm run build
  → npm run typecheck
  → npm run lint
  → npm test
  → npm publish --provenance --access public

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)

• .github/workflows/publish.yml - No issues

Review Details

The new npm publish workflow looks good:

• Uses release: published trigger (appropriate for npm packages)
• Proper permissions (contents: read, packages: write, id-token: write)
• Node.js 22 with npm registry configuration
• Runs build, typecheck, lint, and tests before publishing
• Uses --provenance for supply chain security and --access public for publishing
• Properly references NPM_TOKEN secret

The package.json also has correct publishing configuration (publishConfig.access: public).

---

_{Reviewed by minimax-m2.5-20260211 · 103,064 tokens}