fix(ci): avoid mutable npm CLI in publish workflow

[BunsDev]

Motivation

• The npm publish workflows installed an unpinned npm@latest immediately before npm publish --provenance, creating a supply-chain risk by executing a mutable registry-provided CLI in the trusted publishing path.

Description

• Remove the release-time npm install -g npm@latest step from .github/workflows/npm-publish.yml and replace it with a simple npm --version verification so the workflow uses the npm bundled with actions/setup-node@v6 (Node 24) instead.

Testing

• Ran rg -n "npm install -g npm@latest|npm@latest" .github/workflows || true and verified there are no remaining occurrences in the workflows and the npm publish --access public --provenance publish step is preserved.

---

Codex Task

[Copilot]

Pull request overview

This PR reduces supply-chain risk in the npm publishing pipeline by removing a release-time installation of an unpinned npm@latest, ensuring the workflow uses the npm that ships with the Node.js toolchain provisioned by actions/setup-node@v6.

Changes:

• Removed npm install -g npm@latest from the publish workflow.
• Replaced the npm setup step with a simple npm --version verification step while preserving npm publish --provenance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[BunsDev]

Closing this in favor of #24.

The mutable npm@latest removal from this PR has been folded into #24 in commit 8d126b0, alongside the manual publish provenance hardening. Keeping the workflow fixes together avoids the merge conflict between the two PRs in .github/workflows/npm-publish.yml.