feat: add GitHub Actions workflow for npm publishing (#2)

- Add .github/workflows/publish.yml triggered on v* tags
- Add files array to package.json for explicit npm publish contents
- Uses npm provenance for supply chain security
- Requires NPM_TOKEN secret in repository

Author: wagnert

.github/workflows/publish.yml

@@ -0,0 +1,29 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    
+    permissions:
+      contents: read
+      id-token: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Publish to npm
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package.json

@@ -20,6 +20,10 @@
       "import": "./lib/schema.js"
     }
   },
+  "files": [
+    "bin/",
+    "lib/"
+  ],
   "repository": {
     "type": "git",
     "url": "https://github.com/techdivision/opencode-cli.git"