
ci: add npm publish workflow #4

Merged: BenKalsky merged 1 commit into main from ci/npm-publish-public on May 1, 2026

Conversation

@BenKalsky (Member)

Summary

  • Adds a manual npm publish workflow using GitHub Actions secret NPM_TOKEN
  • Checks out sumit-api as the local peer used by the current lockfile
  • Runs typecheck, tests, build, and npm pack before publish
  • Publishes scoped package with --access public

Test Plan

  • corepack pnpm test
  • corepack pnpm typecheck
  • corepack pnpm build
  • npm pack --dry-run

BenKalsky merged commit 02ae6f8 into main on May 1, 2026; 1 check passed.
BenKalsky deleted the ci/npm-publish-public branch on May 1, 2026 at 15:15.

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 05e47ec92a


Comment on lines +32 to +35
uses: actions/checkout@v4
with:
repository: Digitizers/sumit-api
path: sumit-api
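Review bot: this checkout of Digitizers/sumit-api sets `repository` and `path` but no `token` (and no `ref`); the job's default GITHUB_TOKEN is scoped to the repository running the workflow, so if sumit-api is private this step fails with a not-found/authentication error until a token with read access to that repository is supplied via `with: token:` (a fine-grained PAT or GitHub App token stored as a secret). Separately, because this workflow handles the npm publish credential, pin `actions/checkout` to a full commit SHA rather than the mutable `@v4` tag.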

P1: Pin sumit-api checkout to a deterministic ref

This checkout omits ref, so actions/checkout will pull the secondary repo’s default branch instead of a revision tied to the sumit-react release being published. That makes publishes non-reproducible: running this workflow for an older branch/tag can build against a newer sumit-api state and fail (or produce a package validated against the wrong peer code). Set ref explicitly (for example to an input or known tag/sha) so release behavior is stable.


Comment on lines +82 to +88
- name: Publish public package
working-directory: sumit-react
run: |
if [ "${{ inputs.dry_run }}" = "true" ]; then
npm publish --access public --dry-run
else
npm publish --access public
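Review bot: `${{ inputs.dry_run }}` is expanded into the `run:` script text before the shell executes it; for a boolean input that is harmless, but the robust pattern is to pass it through `env:` (`DRY_RUN: ${{ inputs.dry_run }}`) and test `"$DRY_RUN"` in the script, so no expression value is ever spliced into shell code. Since this step publishes with a long-lived NPM_TOKEN secret, also consider `npm publish --access public --provenance` (the job needs `permissions: id-token: write`); for a public package this attaches a signed attestation tying the tarball to this workflow run, which is what consumers need to detect a publish made with a leaked token outside CI.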

P2: Restrict publish step to protected release refs

The workflow publishes unconditionally once it reaches this step, and workflow_dispatch runs can be launched on arbitrary branches/tags from the UI/API. Without a ref guard (or environment protection), a maintainer can accidentally publish a feature branch build to npm. Add a branch/tag condition (for example only main or release tags) before executing npm publish.

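The two Codex findings above, together with passing the dispatch input through the environment and requesting npm provenance, combined into one workflow. This is an added example written for this page, not the workflow merged in this PR: the input name `sumit_api_ref`, the environment `npm-publish`, the secret `SUMIT_API_READ_TOKEN`, the `v*` tag convention and the side-by-side `sumit-react`/`sumit-api` checkout layout are assumptions.

```yaml
# Added example: hardened version of a manual npm publish workflow (not the PR's code).
name: npm publish (hardened example)

on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Only run npm publish --dry-run"
        type: boolean
        default: true
      sumit_api_ref:
        # Assumed input: the tag or commit SHA of sumit-api this release was validated against.
        description: "Tag or commit SHA of Digitizers/sumit-api to build against"
        type: string
        required: true

# Least privilege: read-only checkout; id-token:write is only for npm --provenance.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # P2: refuse to run unless dispatched from main or a v* release tag.
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
    # Assumed environment; a protected environment can require reviewers before secrets are released.
    environment: npm-publish
    steps:
      - name: Check out sumit-react (the package being published)
        uses: actions/checkout@v4   # in production pin to a full commit SHA, not a tag
        with:
          path: sumit-react

      - name: Check out sumit-api at the exact ref the release was validated against
        uses: actions/checkout@v4
        with:
          repository: Digitizers/sumit-api
          ref: ${{ inputs.sumit_api_ref }}   # P1: deterministic peer revision
          path: sumit-api
          # Only needed if sumit-api is private; GITHUB_TOKEN cannot read other repos.
          # token: ${{ secrets.SUMIT_API_READ_TOKEN }}   # assumed secret name

      - name: Set up Node and the npm registry
        uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      - name: Typecheck, test, build, pack
        working-directory: sumit-react
        run: |
          corepack pnpm typecheck
          corepack pnpm test
          corepack pnpm build
          npm pack --dry-run

      - name: Publish public package
        working-directory: sumit-react
        env:
          # Inputs and secrets reach the script as environment variables, never as spliced text.
          DRY_RUN: ${{ inputs.dry_run }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -euo pipefail
          if [ "$DRY_RUN" = "true" ]; then
            npm publish --access public --dry-run
          else
            # --provenance attaches a signed attestation linking the tarball to this run.
            npm publish --access public --provenance
          fi
```

The job-level `if` is what makes the P2 guard hold even if someone later adds steps before the publish; the `ref` input makes a re-run for an old tag reproducible because the peer revision is recorded in the run's inputs rather than resolved to whatever sumit-api's default branch is at that moment.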
