Restore release environment for npm trusted publishing #12

Merged: kentcdodds merged 2 commits into main from cursor/restore-release-environment-8d11, May 13, 2026

@kentcdodds kentcdodds commented May 13, 2026

Summary

  • restore the production environment on the publish-authorized release job
  • keep npm OIDC/id-token permissions scoped to the release job
  • gate release artifact and publish jobs to semantic-release branches so feature-branch pushes do not request production deployment

Context

The failing release run reached @semantic-release/npm verification and npm rejected the OIDC exchange before falling back to an invalid placeholder token. The previous successful release workflow used the production environment, which is part of the npm trusted publishing identity when configured.

The first branch push for this fix also showed the hardened workflow was requesting the production environment on feature branches. The release jobs now skip non-release branches while preserving main, prerelease branches, next-major, and maintenance .x branches.

Testing

  • npm ci --ignore-scripts
  • npm run test -- --run
  • npm run typecheck
  • npm run build
  • go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/release.yml
  • PR checks: test/typecheck passed; release artifact and release jobs skipped on the feature branch as expected

Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>
Co-authored-by: Kent C. Dodds <me+github@kentcdodds.com>
@kentcdodds kentcdodds marked this pull request as ready for review May 13, 2026 21:06
@kentcdodds kentcdodds merged commit 1ef5b4d into main May 13, 2026
9 checks passed
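
An illustrative workflow fragment for the three points in the PR summary above, added here as an example and not taken from this repository's release.yml. Job names, action versions, the prerelease branch names (`beta`, `alpha`) and the `contents: write` permission are assumptions.

```yaml
# Constructed example: layout and names are assumptions, not the project's file.
name: release
on:
  push:
    branches: ['**']

# Workflow-level default is read-only; no job inherits id-token: write.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a real workflow
      - run: npm ci --ignore-scripts
      - run: npm run test -- --run

  release:
    needs: test
    # Gate to semantic-release branches so a feature-branch push never
    # requests a deployment to the production environment.
    # endsWith(..., '.x') is a loose stand-in for the maintenance-branch pattern.
    if: >-
      github.event_name == 'push' &&
      (github.ref_name == 'main' ||
      github.ref_name == 'next-major' ||
      github.ref_name == 'beta' ||
      github.ref_name == 'alpha' ||
      endsWith(github.ref_name, '.x'))
    runs-on: ubuntu-latest
    # When the npm trusted publisher is configured with an environment name,
    # the job must run in that environment or the OIDC exchange is rejected.
    environment: production
    permissions:
      contents: write   # assumed: semantic-release pushes tags and releases
      id-token: write   # OIDC token is available to this job only
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: npm ci --ignore-scripts
      - run: npx semantic-release
```

Linting a file like this with actionlint, as in the Testing list above, catches expression and key errors before the first push.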