ci: token-less npm publishing via OIDC Trusted Publishing#109

Merged: ethanj merged 1 commit into main from ci/npm-trusted-publishing on Jun 16, 2026
Conversation

@ethanj ethanj commented Jun 16, 2026

Contributor

What

Adds .github/workflows/publish.yml — token-less npm publishing for llm-wiki-compiler via OIDC Trusted Publishing, modeled on the AtomicMemory publish pipeline. No NPM_TOKEN.

How it works

  • repository_dispatch (type llmwiki-package-release) is the primary trigger; workflow_dispatch is a manual fallback. Both take an explicit public_sha + version + publish payload.
  • Checks out the exact public_sha (never branch HEAD), verifies package.json matches version, refuses to republish an existing version, runs release:check-docs:current + build + test + npm pack --dry-run, then npm publish --access public with id-token: write (provenance attached automatically). A final job asserts npm view … gitHead === public_sha.
  • No required reviewers — the control point is the dispatch payload + guards, so a release can be triggered entirely from a script.

One-time setup before first use (account-level, not in this repo)

  1. Configure the npm Trusted Publisher for llm-wiki-compiler: repo atomicstrata/llm-wiki-compiler, workflow publish.yml, environment npm-release.
  2. The npm-release GitHub Environment is created on first reference; leave it without required reviewers (auto-publish, per design).

Triggering a release (after setup)

echo '{"event_type":"llmwiki-package-release","client_payload":{"public_sha":"<40-char-sha>","version":"<x.y.z>","publish":true}}' \
  | gh api repos/atomicstrata/llm-wiki-compiler/dispatches --input -

This same mechanism can publish the already-tagged 0.11.0 (public_sha=7107fd7…, version=0.11.0) once the Trusted Publisher is configured.
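As an added illustration of the pipeline described above (this is not the publish.yml merged in this PR, whose contents are not shown on this page), here is one way such a workflow can be written. Trigger type, payload keys, the npm-release environment, the release:check-docs:current script and the gitHead check come from the description; step names, the node-version, the npm CLI upgrade step, the input validation regexes and the retry loop in the verify job are assumptions.

```yaml
name: publish

on:
  repository_dispatch:
    types: [llmwiki-package-release]
  workflow_dispatch:
    inputs:
      public_sha: { description: "Full 40-char commit SHA to publish", required: true }
      version:    { description: "Version package.json at public_sha must declare", required: true }
      publish:    { description: "true = publish, anything else = dry run", required: true, default: "false" }

permissions: {}   # nothing by default; only the publish job asks for an OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release        # the Trusted Publisher is bound to this environment name
    permissions:
      contents: read
      id-token: write               # lets npm exchange a GitHub OIDC token for a short-lived credential; no NPM_TOKEN
    outputs:
      name:       ${{ steps.meta.outputs.name }}
      version:    ${{ steps.payload.outputs.version }}
      public_sha: ${{ steps.payload.outputs.public_sha }}
      publish:    ${{ steps.payload.outputs.publish }}
    steps:
      - name: Resolve and validate the payload from either trigger
        id: payload
        env:   # passed via env, never interpolated into the script, so payload text cannot inject shell
          SHA:     ${{ github.event.client_payload.public_sha || inputs.public_sha }}
          VERSION: ${{ github.event.client_payload.version    || inputs.version }}
          PUBLISH: ${{ github.event.client_payload.publish    || inputs.publish }}
        run: |
          # A branch or tag name could move between dispatch and checkout; only a full SHA is accepted (assumed check).
          echo "$SHA"     | grep -Eq '^[0-9a-f]{40}$'            || { echo "public_sha must be a 40-char hex SHA"; exit 1; }
          echo "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || { echo "version must be x.y.z"; exit 1; }
          { echo "public_sha=$SHA"; echo "version=$VERSION"; echo "publish=$PUBLISH"; } >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.payload.outputs.public_sha }}   # the exact commit, never branch HEAD

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI (assumed version floor)

      - name: Guard - package.json must declare the requested version
        id: meta
        env:
          VERSION: ${{ steps.payload.outputs.version }}
        run: |
          pkg_version=$(node -p "require('./package.json').version")
          [ "$pkg_version" = "$VERSION" ] || { echo "package.json says $pkg_version, request asked for $VERSION"; exit 1; }
          echo "name=$(node -p "require('./package.json').name")" >> "$GITHUB_OUTPUT"

      - name: Guard - refuse to republish an existing version
        env:
          NAME:    ${{ steps.meta.outputs.name }}
          VERSION: ${{ steps.payload.outputs.version }}
        run: |
          if npm view "$NAME@$VERSION" version >/dev/null 2>&1; then
            echo "$NAME@$VERSION already exists on the registry"; exit 1
          fi

      - run: npm ci
      - run: npm run release:check-docs:current
      - run: npm run build
      - run: npm test
      - run: npm pack --dry-run         # last look at the tarball contents before anything leaves the runner

      - name: Publish (OIDC; provenance attached automatically by the trusted-publishing flow)
        if: steps.payload.outputs.publish == 'true'
        run: npm publish --access public

  verify:
    needs: publish
    if: needs.publish.outputs.publish == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Registry gitHead must equal the released SHA
        env:
          NAME:    ${{ needs.publish.outputs.name }}
          VERSION: ${{ needs.publish.outputs.version }}
          SHA:     ${{ needs.publish.outputs.public_sha }}
        run: |
          # The registry can lag a publish by a few seconds, so poll briefly before judging (assumed retry policy).
          for _ in 1 2 3 4 5 6; do
            got=$(npm view "$NAME@$VERSION" gitHead 2>/dev/null || true)
            [ -n "$got" ] && break
            sleep 10
          done
          [ "$got" = "$SHA" ] || { echo "registry gitHead '$got' != released sha '$SHA'"; exit 1; }
```

Two design points worth noting. Payload values are read through env rather than interpolated into run scripts, and the SHA and version are regex-checked up front, so the dispatch payload (which any caller with the right repo permission can craft) is treated as untrusted input even though it is the control point. The verify job reruns in a fresh runner and compares the registry's gitHead against the SHA the caller requested rather than against anything the publish job computed, which is what makes the "published what was asked for" claim independently checkable from the outside.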

Adds a repository_dispatch + workflow_dispatch publish workflow modeled on the AtomicMemory pipeline. It checks out an explicit public_sha, verifies package.json matches the requested version, refuses to republish an existing version, builds/tests, then publishes with id-token write and no NPM_TOKEN, and verifies the registry gitHead matches the released SHA.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ethanj ethanj merged commit 4269f9c into main Jun 16, 2026
3 checks passed
@ethanj ethanj deleted the ci/npm-trusted-publishing branch June 16, 2026 09:26