Conversation
Pull request overview
This PR configures npm trusted publishing using OpenID Connect (OIDC) authentication, enhancing security by eliminating the need for long-lived NPM_TOKEN secrets. The changes also improve GitHub Actions security posture by pinning actions to commit SHAs, adding explicit permission controls, and introducing automated security linting tools.
Key changes:
- Migrated npm publishing from token-based authentication to OIDC trusted publishing
- Pinned all GitHub Actions to specific commit SHAs for supply chain security
- Added GitHub Actions security linting tools (actionlint, ghalint, zizmor) with toolchain configuration
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .tool-versions | Added security linting tools (pinact, zizmor, actionlint, ghalint) and reformatted for better alignment |
| .github/workflows/publish.yaml | Configured OIDC permissions, pinned actions to commit SHAs, removed NPM_TOKEN secret dependency, added timeouts and security settings |
| .github/workflows/ci.yaml | Pinned actions to commit SHAs, added explicit permissions, timeouts, persist-credentials: false, and new github-actions security linting job |
.github/workflows/publish.yaml
Outdated
```yaml
          bun-version-file: ".tool-versions"
      - run: bun install --frozen-lockfile
      - run: npm run build
      - run: npm publish
```
The provenance option should be explicitly set to true when using npm trusted publishing with OIDC. Add 'provenance: true' to the npm publish command to ensure package provenance is generated and published.
Suggested change:

```diff
-      - run: npm publish
+      - run: npm publish --provenance
```
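For reference, here is what a publish workflow hardened along the lines this review describes looks like in full. This is an added example, not the PR's own `publish.yaml` or `ci.yaml`: the `<commit-sha-placeholder>` values stand in for real pinned commit SHAs (a tool such as pinact can fill them in), the tag trigger, the use of `actions/setup-node` to get an npm release that supports trusted publishing, and the `jdx/mise-action` step that installs the linters listed in `.tool-versions` are assumptions, and the lint job mirrors what the review says was added to `ci.yaml`.

```yaml
# Added example, not the project's workflow. Every @<commit-sha-placeholder>
# must be replaced with the full commit SHA of the action release you audited.
name: publish

on:
  push:
    tags: ["v*"]          # assumption: releases are cut from version tags

# Deny everything at the top level; each job asks for exactly what it needs.
permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      id-token: write     # required for npm trusted publishing via OIDC
    steps:
      - uses: actions/checkout@<commit-sha-placeholder> # v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - uses: oven-sh/setup-bun@<commit-sha-placeholder> # v2
        with:
          bun-version-file: ".tool-versions"
      # Assumption: a Node release whose bundled npm supports trusted publishing.
      - uses: actions/setup-node@<commit-sha-placeholder> # v4
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"
      - run: bun install --frozen-lockfile
      - run: npm run build
      # No NPM_TOKEN / NODE_AUTH_TOKEN here: npm exchanges the job's OIDC token
      # for a short-lived credential, and --provenance attaches a signed build
      # attestation that ties the tarball to this workflow run.
      - run: npm publish --provenance

  github-actions-lint:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<commit-sha-placeholder> # v4
        with:
          persist-credentials: false
      # Assumption: mise installs actionlint, ghalint, zizmor and pinact from
      # the versions declared in .tool-versions.
      - uses: jdx/mise-action@<commit-sha-placeholder>
      - run: actionlint                 # workflow syntax and shellcheck findings
      - run: ghalint run                # permissions, timeouts, unpinned actions
      - run: zizmor .github/workflows   # template injection, credential persistence
      - run: pinact run --check         # fail if any action is not SHA-pinned
```

The important pairing is `permissions: {}` at the workflow level with `id-token: write` granted only to the job that publishes: a compromised lint step cannot mint an OIDC token, and nothing in the repository holds a long-lived registry secret to exfiltrate. The lint job is what keeps the pins and permission blocks honest over time, since an unpinned `@v4` reintroduced in a later PR fails CI instead of silently widening the supply chain.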
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
cf. https://efcl.info/2025/09/07/npm-oidc/