fix(release): automate npm releases from main

.github/workflows/publish.yml

@@ -1,18 +1,27 @@
 name: Publish to npm
 
 on:
-  release:
-    types: [published]
+  push:
+    branches: [main]
+  workflow_dispatch:
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       id-token: write
+      issues: write
+      pull-requests: write
+
+    concurrency:
+      group: publish-${{ github.ref }}
+      cancel-in-progress: false
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -20,20 +29,18 @@ jobs:
           bun-version: latest
 
       - name: Install dependencies
-        run: bun install
+        run: bun install --frozen-lockfile
 
       - name: Run tests
         run: bun test
 
-      - name: Setup Node.js for npm publish
+      - name: Setup Node.js for release
         uses: actions/setup-node@v4
         with:
           # npm trusted publishing requires Node 22.14.0+.
           node-version: "24"
-          registry-url: "https://registry.npmjs.org"
 
-      - name: Publish to npm
-        # With npm trusted publishing configured, npm exchanges the GitHub OIDC
-        # token for a short-lived publish credential. No long-lived NPM token
-        # or manual OTP is required.
-        run: npm publish --access public
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npx semantic-release