Add npm trusted publishing workflow

Add GitHub Actions workflow for npm trusted publishing via OIDC.

The workflow validates package version bumps on PRs with npm publish dry-runs, publishes changed workspace packages from main-xahau, and creates matching GitHub releases. Shared npm publish logic is implemented as a local composite action used by both dry-run and publish jobs.

.github/workflows/scripts/check-npm-version-unpublished.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_spec="$1"
+stderr_file="$(mktemp)"
+
+if npm view "$package_spec" version --registry "https://registry.npmjs.org" 2>"$stderr_file"; then
+  echo "$package_spec is already published." >&2
+  exit 1
+fi
+
+if grep -Eq "E404|404 Not Found|is not in this registry" "$stderr_file"; then
+  echo "$package_spec is not published yet."
+  exit 0
+fi
+
+cat "$stderr_file" >&2
+exit 1

.github/workflows/scripts/check-package-version-changed.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_path="$1"
+package_file="$package_path/package.json"
+current_version="$(jq -r .version "$package_file")"
+changed="false"
+
+if [[ -z "${BASE_REF:-}" || "${BASE_REF:-}" =~ ^0+$ ]]; then
+  BASE_REF="HEAD^"
+fi
+
+if previous_package="$(git show "$BASE_REF:$package_file" 2>/dev/null)"; then
+  previous_version="$(jq -r .version <<<"$previous_package")"
+  if [[ "$current_version" != "$previous_version" ]]; then
+    changed="true"
+  fi
+else
+  changed="true"
+fi
+
+echo "changed=$changed" >> "$GITHUB_OUTPUT"
+echo "$package_path version changed: $changed"

.github/workflows/scripts/read-package-metadata.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_path="$1"
+package_file="$package_path/package.json"
+name="$(jq -r .name "$package_file")"
+version="$(jq -r .version "$package_file")"
+
+echo "name=$name" >> "$GITHUB_OUTPUT"
+echo "version=$version" >> "$GITHUB_OUTPUT"
+echo "tag=$name@$version" >> "$GITHUB_OUTPUT"