ci: switch to release-please for automated npm publishing via OIDC

Replace the release-on-published-Release workflow with release-please. On every
push to main, conventional commits drive a Release PR that bumps the version and
updates CHANGELOG.md. Merging the PR creates a tag + GitHub Release, and the
same workflow then runs lint/typecheck/build and publishes to npm with provenance.

Authentication uses npm Trusted Publisher (OIDC) — no NPM_TOKEN secret needed.

Reverts the manual 0.1.2 bump in package.json/package-lock.json so release-please
owns version management going forward.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ktamas77

.github/workflows/release.yml

@@ -1,23 +1,44 @@
-name: Release to npm
+name: Release
 
 on:
-  release:
-    types: [published]
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
 
 jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          release-type: node
+
   publish:
+    needs: release-please
+    if: ${{ needs.release-please.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.release-please.outputs.tag_name }}
       - uses: actions/setup-node@v4
         with:
           node-version: '20.x'
           registry-url: 'https://registry.npmjs.org'
           cache: npm
       - run: npm ci
+      - run: npm run lint
+      - run: npm run typecheck
+      - run: npm run build
       - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}