Commit 6fe2c55

JohnMcLear and claude committed
ci: use --frozen-lockfile in the publish version bump
The publish workflow ran a plain `pnpm i` before `pnpm version patch`. If the lockfile was even slightly out of sync with package.json (easy to happen when a dependency bump is merged via PR), that install updated pnpm-lock.yaml and left the working tree dirty. `pnpm version patch` silently declines to create a git tag in a dirty tree but still writes the new version into package.json, and the subsequent `git push --atomic <branch> vX.Y.Z` fails with: error: src refspec vX.Y.Z does not match any — blocking the publish.

Using `--frozen-lockfile` keeps the tree clean; if the lockfile really is out of sync, the install fails loudly (which is what we want — the fix is to update the lockfile in a PR, not silently during publish).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent edb9029 commit 6fe2c55

1 file changed

Lines changed: 1 addition & 1 deletion

.github/workflows/npmpublish.yml

@@ -59,7 +59,7 @@ jobs:
5959
[ "${NEW_COMMITS}" -gt 0 ] || exit 0
6060
git config user.name 'github-actions[bot]'
6161
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
62-
pnpm i
62+
pnpm i --frozen-lockfile
6363
# `pnpm version patch` bumps package.json, makes a commit, and creates
6464
# a `v<new-version>` tag. Capture the new tag name from package.json
6565
# rather than parsing pnpm's output, which has historically varied.
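
Review bot: Nothing between `pnpm i --frozen-lockfile` (new line 62) and the `pnpm version patch` step described in the comment below it checks that the working tree is actually clean, so the flag closes the lockfile path only. If the install or an earlier step leaves any other tracked file modified, the same silent no-tag outcome from the commit message can return. Consider an explicit guard right after the install, for example `git diff --quiet || { git status --short; exit 1; }`, so a dirty tree stops the job before the version bump rather than at `git push`. A short comment above the install line saying why the flag is required would also keep a later cleanup from dropping it; the existing comments explain the tag capture but not the install.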
