ci: fix npm upgrade in publish job + add workflow_dispatch fallback (#3)

`npm install -g npm@latest` is broken on Node 22.22.2's bundled npm
(missing 'promise-retry'), which broke the 0.1.3 publish. Switch to
`npx -y npm@11.5.2 publish` — pinned for Trusted Publisher OIDC, no
broken global install needed.

Also add a workflow_dispatch trigger with a `tag` input so a publish
can be re-run for an existing tag (e.g. v0.1.3) when CI flaked,
without having to bump versions.

Author: ktamas77

.github/workflows/release.yml

@@ -3,6 +3,11 @@ name: Release
 on:
   push:
     branches: [main]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Existing release tag to publish (e.g. v0.1.3). Used when a previous publish failed.'
+        required: true
 
 permissions:
   contents: write
@@ -11,6 +16,7 @@ permissions:
 
 jobs:
   release-please:
+    if: ${{ github.event_name == 'push' }}
     runs-on: ubuntu-latest
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
@@ -23,23 +29,26 @@ jobs:
 
   publish:
     needs: release-please
-    if: ${{ needs.release-please.outputs.release_created == 'true' }}
+    if: ${{ always() && (needs.release-please.outputs.release_created == 'true' || github.event_name == 'workflow_dispatch') }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ needs.release-please.outputs.tag_name }}
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || needs.release-please.outputs.tag_name }}
       - uses: actions/setup-node@v4
         with:
           node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
           cache: npm
-      - run: npm install -g npm@latest
       - run: npm ci
       - run: npm run lint
       - run: npm run typecheck
       - run: npm run build
-      - run: npm publish --provenance --access public
+      # Trusted Publisher OIDC needs npm >= 11.5.1. Node 22's bundled npm
+      # is 10.x, and `npm install -g npm@latest` is currently broken on
+      # 22.22.2 (missing 'promise-retry'). Use npx to invoke a known-good
+      # npm version just for the publish step.
+      - run: npx -y npm@11.5.2 publish --provenance --access public