ci: migrate to OIDC trusted publishing, add workflow_dispatch for prerelease testing (#125)

- Remove NPM_TOKEN / NODE_AUTH_TOKEN — publish now uses OIDC trusted
  publishing (no secrets needed)
- Add workflow_dispatch trigger with prerelease checkbox: publishes to
  alpha dist-tag so we can verify OIDC works without touching latest
- Drop --provenance flag (included automatically with trusted publishing)

The release event path still publishes to latest as before; the only
change is the auth mechanism.

To test: bump version to x.y.z-alpha.0 on a branch, then run workflow
with prerelease checked.

Author: pcarleton

.github/workflows/ci.yml

@@ -5,6 +5,12 @@ on:
   pull_request:
   release:
     types: [published]
+  workflow_dispatch:
+    inputs:
+      prerelease:
+        description: 'Publish as prerelease (alpha tag). Version must already be bumped in package.json on the branch.'
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -31,7 +37,7 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
-    if: github.event_name == 'release'
+    if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.prerelease == 'true')
     environment: release
     needs: [test]
 
@@ -48,6 +54,11 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
 
       - run: npm ci
-      - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish to npm
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            npm publish --access public --tag alpha
+          else
+            npm publish --access public
+          fi