ci: add npm provenance to release publishing

[joelhooks]

Summary

• adds least-privilege release workflow permissions
• grants OIDC id-token: write for npm provenance
• enables npm provenance for Changesets publish via NPM_CONFIG_PROVENANCE=true

Verification

• parsed workflow YAML locally with Ruby YAML.load_file

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
scriptkit	Ready	Preview, Comment	May 21, 2026 6:27am

[shitratgit]

Pushed bd246fb8ddd4909ae956d4087cf6b922e6456372 after CI exposed existing @skillrecordings/skill-api type/build drift.

Fixes:

• Cast mjml2html(...) result where the current type can be async.
• Add explicit any annotations for the NextAuth adapter callback params that were failing noImplicitAny.

The provenance workflow change itself is still tiny; this just gets the repo's existing build back through the gate instead of letting unrelated type drift block the hardening PR.

[shitratgit]

Current state: the hardening branch itself now has Lint and Test green after fixing the existing skill-api type drift exposed by CI.

Holding merge because Vercel reports a failed deployment check:

Vercel fail: Deployment has failed
Lint and Test pass

This PR only touches the release workflow plus two type fixes needed to get CI green. I’m not merging across a red Vercel check without either logs proving it is unrelated or explicit approval to treat the Vercel deployment as non-blocking for this repo.