Fix trailer-codec release publishing

[flyingrobots]

Summary

• upgrade npm in the tag publish workflow before publishing
• publish with npm provenance/OIDC
• add a manual recovery workflow for already-pushed release tags like v3.0.4

Validation

• ruby -e 'require "yaml"; ARGV.each { |path| YAML.load_file(path); puts "ok #{path}" }' .github/workflows/publish.yml .github/workflows/recover-release.yml
• npm run lint
• npm test
• git diff --check

Refs #3

Summary by CodeRabbit

• New Features

  • Added a manual “Recover Release” workflow to recreate a release from a provided tag, including publishing the package if needed and generating release notes.
  • Updated the publishing workflow to include provenance information during package publication.

• Bug Fixes

  • Adjusted the publishing setup to use a supported Node.js version and updated npm for improved release reliability.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The publish workflow now uses Node 20, upgrades npm to 11.5.1, and publishes with provenance. A new manual recovery workflow checks a tag against package.json, republishes missing npm releases, and creates a GitHub Release.

Changes

Release workflow updates

Layer / File(s)	Summary
Publish provenance update .github/workflows/publish.yml	The publish job switches to Node 20, upgrades npm to 11.5.1, and publishes with --provenance.
Recover release workflow .github/workflows/recover-release.yml	A manual workflow checks the requested tag, verifies it against package.json, republishes missing npm versions with provenance, and creates a GitHub Release.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A bunny hops through release night bright,
With Node and npm aligned just right.
Tags match, releases gleam,
Provenance on the stream,
Hop-hop—ship it to the light 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: fixing trailer-codec release publishing.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/release-publish-oidc

---

_{Comment @coderabbitai help to get the list of available commands.}