
ci: harden trusted publish workflow #462

Merged: JoviDeCroock merged 3 commits into main from ci/disable-publish-workflow-cache on May 20, 2026

Conversation

@JoviDeCroock (Member) commented May 19, 2026

Summary

  • Explicitly disables setup-node package-manager auto-caching in the trusted publishing workflow.
  • Removes existing publish-workflow dependency cache usage where present.
  • Pins external GitHub Actions in the trusted publish workflow to full commit SHAs, keeping the original tag as a comment breadcrumb.
  • Adds CODEOWNERS for GitHub configuration changes.

Why

Trusted publishing/OIDC workflows should not restore shared dependency caches, and tag-based action references can be retargeted after compromise. The StepSecurity advisory for actions-cool/issues-helper is the concrete failure mode: tags were moved to an imposter commit, while full-SHA pinned workflows were unaffected.

CODEOWNERS makes future .github/ changes route to an explicit owner for review.

Verification

  • Rebases cleanly on main.
  • Build & Test passes on the latest PR head.
  • Parsed the edited workflow YAML locally with PyYAML.
  • Re-scanned release workflow uses: entries and confirmed all external actions are pinned to 40-character commit SHAs.
  • Confirmed no release workflow dependency cache remains: no actions/cache@, no setup-node cache:, and setup-node has package-manager-cache: false.
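
A check along the lines of the verification steps in this PR (re-scanning `uses:` entries for full-SHA pins and looking for leftover dependency-cache restores), written here as an added example rather than code from this PR or the repository. It uses line-oriented regexes instead of PyYAML, and the sample workflow together with its 40-hex placeholder SHA is constructed, not a real commit of any action.

```python
import re
# Constructed sample of a release workflow (not this project's actual file);
# the 40-hex SHA is a made-up placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          node-version: 20
          cache: npm
      - uses: actions/cache@v4
      - uses: ./.github/actions/local-step
      - run: npm publish --provenance --access public
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
CACHE_KEY_RE = re.compile(r"^\s*(cache|package-manager-cache):\s*(\S+)")

def unpinned_actions(workflow_text):
    """(line_no, ref) for external actions whose ref is not a 40-hex SHA.
    Local (./path) and docker:// refs carry no retargetable tag; skip them."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1)
        sha = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(sha):
            findings.append((no, ref))
    return findings

def cache_findings(workflow_text):
    """(line_no, text) for anything restoring a shared dependency cache: an
    actions/cache (or cache/restore) step, a cache: input such as setup-node's,
    or package-manager-cache set to anything other than false."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and m.group(1).startswith("actions/cache"):
            findings.append((no, line.strip()))
            continue
        c = CACHE_KEY_RE.match(line)
        if c and not (c.group(1) == "package-manager-cache" and c.group(2) == "false"):
            findings.append((no, line.strip()))
    return findings
```

Run it over `.github/workflows/*.yml` before a release; an empty result from both functions corresponds to the two "confirmed" items above.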

@changeset-bot (Bot) commented May 19, 2026

⚠️ No Changeset found

Latest commit: 898796a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@JoviDeCroock JoviDeCroock changed the title ci: disable cache in publish workflow ci: harden trusted publish workflow May 19, 2026
@JoviDeCroock JoviDeCroock merged commit c97e1f5 into main May 20, 2026
1 check passed
@JoviDeCroock JoviDeCroock deleted the ci/disable-publish-workflow-cache branch May 20, 2026 04:54
