ci(npm): publish on version tags

- Add GitHub Actions workflow for tag releases (vX.Y.Z) and guard against tag/version mismatch
- Support npm Trusted Publishing (OIDC) with NPM_TOKEN fallback
- Add package-lock.json for deterministic npm ci in CI
- Exclude .github/ from npm package tarball and document automated releases

Author: jian-mo

.github/workflows/npm-publish.yml

@@ -0,0 +1,56 @@
+# Input — GitHub Actions runner, npm registry, git tags
+# Output — Publishes `dagain` package to npm on version tags
+# Position — CI/CD workflow; if this file changes, update this header and folder Markdown.
+
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: "npm"
+
+      - name: Install
+        run: npm ci --no-audit --no-fund
+
+      - name: Test
+        run: npm test
+
+      - name: Verify tag matches package.json version
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          TAG="${GITHUB_REF_NAME#v}"
+          PKG="$(node -p "require('./package.json').version")"
+          echo "tag=$TAG pkg=$PKG"
+          if [ "$TAG" != "$PKG" ]; then
+            echo "::error::Tag ($TAG) does not match package.json version ($PKG)"
+            exit 1
+          fi
+
+      - name: Publish (npm Trusted Publishing)
+        if: ${{ secrets.NPM_TOKEN == '' }}
+        run: npm publish --provenance --access public
+
+      - name: Publish (npm token)
+        if: ${{ secrets.NPM_TOKEN != '' }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          npm config set //registry.npmjs.org/:_authToken "${NODE_AUTH_TOKEN}"
+          npm publish --provenance --access public

.npmignore

@@ -2,6 +2,7 @@
 .taskgraph/
 .choreo/
 .worktrees/
+.github/
 
 *.tgz
 GOAL.md

README.md

@@ -161,6 +161,27 @@ Then transfer via GitHub UI: **Settings → General → Transfer ownership**.
 
 ### npm + npx
 
+#### Automated publish (recommended)
+
+Publishing is automated via GitHub Actions on version tags (`vX.Y.Z`). The tag must match `package.json.version`.
+
+1) Configure npm Trusted Publishing (OIDC) for `knot0-com/dagain` and workflow filename `npm-publish.yml` (npmjs.com → package Settings → Trusted Publisher).
+
+2) Cut a release:
+
+```bash
+npm version patch
+git push --follow-tags
+```
+
+3) Verify:
+
+```bash
+npx dagain --help
+```
+
+#### Manual publish
+
 1) Ensure you’re logged in:
 
 ```bash