Fix npm trusted publishing workflows

[rtbenfield]

Restores the publish workflows to the npm CLI path required for npm trusted publishing while keeping pnpm for repo setup and package preparation.

Changes

• Publish workflows: Use Node 24 and configure the npm registry through setup-node for the CLI and Compute publish jobs.
• Release publishing: Switch final package publication back to npm publish so npm can perform the trusted-publisher OIDC authentication flow.
• Documentation: Record the npm publish exception in AGENTS.md and update the publishing ADR command example.

Why

npm trusted publishing is implemented by the npm CLI OIDC exchange. Keeping pnpm for install, versioning, and pack validation is fine, but the final publish step needs npm publish to avoid falling back to unauthenticated registry publishing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1fcb93da-9463-4537-a39a-31f8cc9c6f00

📥 Commits

Reviewing files that changed from the base of the PR and between 333f5e3 and 427c783.

📒 Files selected for processing (4)

• .github/workflows/publish-cli.yml
• .github/workflows/publish-compute.yml
• AGENTS.md
• docs/architecture/adrs/0001-preview-package-and-publishing.md

---

Summary by CodeRabbit

• Chores
  • Updated package publishing workflows to use npm publish for enhanced authentication and security via OIDC.
  • Updated Node.js version to 24 across publishing pipelines.
  • Updated documentation to reflect publishing workflow improvements.

Walkthrough

This PR migrates npm package publishing workflows from pnpm publish to npm publish across two release workflows: publish-cli.yml and publish-compute.yml. The Node.js setup in both workflows is updated to explicitly specify Node.js 24 and configure the npm registry URL, replacing the prior .node-version file-based resolution. The --provenance flag is retained for both dev and official releases, and the --no-git-checks flag previously used with pnpm is removed. Supporting documentation in AGENTS.md and the architecture ADR are updated to reflect the new publishing approach for OIDC trusted publishing.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix npm trusted publishing workflows' is concise, specific, and clearly summarizes the main change—switching from pnpm to npm for the publish steps to enable OIDC authentication.
Description check	✅ Passed	The description is well-related to the changeset, clearly explaining what was changed (switching publish workflows to npm), why it matters (npm trusted publishing via OIDC), and providing specific details about affected files and rationale.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-publish-oidc

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch fix/npm-publish-oidc

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[rtbenfield]

@coderabbitai full review

[coderabbitai]

✅ Action performed

Full review finished.