@Shigoto-dev19 Shigoto-dev19 commented Feb 6, 2026

Closes https://github.com/o1-labs/o1js-site/issues/3.
Sibling of PR #142.

Summary

  • Remove registry-url from actions/setup-node: it generates an .npmrc that conflicts with npm's OIDC trusted publishing authentication

  • Add --provenance to npm publish: signs the package with a build attestation linking it to this repo and workflow

  • Add workflow_dispatch trigger: allows manual publishes from the GitHub Actions UI

  • NOTE:

    • This PR does everything as PR #142. However, #142 (fix: release workflow) didn't add --provenance. Without it, the id-token: write permission is set up but never actually used. The OIDC token gets requested but npm publish doesn't attach it as a signed attestation to the package. So it's a fix on top of what PR #142 (fix: release workflow) had.

Publishing process

Pre-release steps

  1. Bump the version in package.json (e.g. npm version patch / minor / major)
  2. Commit the version bump
  3. Tag the commit: git tag v<version> (e.g. git tag v0.1.0)
  4. Push both: git push origin main --tags

The workflow triggers automatically on the v* tag push. It will:

  1. Install dependencies (npm ci)
  2. Build the package (npm run build)
  3. Run tests (npm test)
  4. Publish to npm with provenance attestation

Alternatively, you can trigger the workflow manually from the Actions tab using "Run workflow" on any branch.

Prerequisites

  • npm trusted publishing must be configured for this package on npmjs.com, linking it to this GitHub repo (already done by Leon)
  • The version in package.json must not already be published on npm

Test plan

  • Trigger workflow manually via workflow_dispatch to verify it authenticates and publishes correctly
  • Verify the published package on npmjs.com shows provenance information

@Shigoto-dev19 Shigoto-dev19 requested a review from Trivo25 February 6, 2026 13:10
@Shigoto-dev19 Shigoto-dev19 merged commit a210b2a into main Feb 9, 2026
5 checks passed
@Shigoto-dev19 Shigoto-dev19 deleted the shigoto/fix-npm-publish-workflow branch February 9, 2026 12:38
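
A static check for the release-workflow settings this PR describes, as an added example that is not code from the PR or from the o1js-site repository: it flags a `registry-url` input, an `npm publish` without `--provenance`, a missing `id-token: write` permission and a missing `workflow_dispatch` trigger. The sample workflows, action versions, Node version and finding codes are constructed for illustration.

```python
import re

# Constructed "before" workflow; not the repository's actual file.
BEFORE = """\
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm publish
"""
# "After": the three changes the PR summary lists, applied to the sample.
AFTER = (BEFORE.replace("on:\n", "on:\n  workflow_dispatch:\n", 1)
         .replace("          registry-url: 'https://registry.npmjs.org'\n", "")
         .replace("npm publish", "npm publish --provenance"))

def check_release_workflow(text):
    """Return finding codes for a workflow file; an empty list means it matches the PR."""
    # Line-based scan: drop blank lines and YAML comments (naive, no YAML parser).
    lines = [l.split(" #", 1)[0].rstrip() for l in text.splitlines()]
    lines = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    if not any(re.fullmatch(r"\s*id-token:\s*write", l) for l in lines):
        findings.append("missing-id-token-write")
    if any(re.match(r"\s*registry-url\s*:", l) for l in lines):
        findings.append("registry-url-set")
    publishes = [l for l in lines if re.search(r"\bnpm publish\b", l)]
    if not publishes:
        findings.append("no-npm-publish")
    elif any("--provenance" not in l for l in publishes):
        findings.append("publish-without-provenance")
    if not any(re.search(r"\bworkflow_dispatch\b", l) for l in lines):
        findings.append("no-workflow-dispatch")
    return findings

if __name__ == "__main__":
    print("before:", check_release_workflow(BEFORE))
    print("after: ", check_release_workflow(AFTER))
```

Run against a real workflow by passing the file's text to `check_release_workflow`; the scan is line-based, so a multi-line `run: |` block is checked per line.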