fix release: update PyPI action SHA, add npm provenance permissions

- Update pypa/gh-action-pypi-publish to v1.13.0 (old SHA was invalid)
- Add permissions (id-token: write) to npm-publish job for provenance
- Configure git HTTPS to fix SSH permission denied during npm provenance

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

.github/workflows/release.yml

@@ -187,12 +187,18 @@ jobs:
   npm-publish:
     needs: [sync-and-tag, build]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: v${{ needs.sync-and-tag.outputs.version }}
 
+      - name: Configure git for HTTPS
+        run: git config --global url."https://github.com/".insteadOf "ssh://git@github.com/"
+
       - name: Download all artifacts
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
@@ -283,6 +289,6 @@ jobs:
         run: python -m build pypi/socket-patch
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b54a752e1b56a22940bc7640 # v1.12.4
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: pypi/socket-patch/dist/