fix: bootstrap npm 11.5+ for OIDC trusted publishing

Bundled npm in Node 22.22.2 is both broken (missing promise-retry)
and too old (npm 10.x) for OIDC publishing which requires npm 11.5+.
Bootstrap by downloading the tarball directly, matching the approach
used in dbhub's workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tianzhou

.github/workflows/publish.yml

@@ -120,7 +120,16 @@ jobs:
         with:
           node-version: "22"
           cache: "pnpm"
-          registry-url: "https://registry.npmjs.org"
+
+      # Upgrade npm for OIDC trusted publishing (requires npm 11.5+)
+      # Bootstrap without npm since Node 22.22.2 ships with broken npm
+      - name: Upgrade npm
+        run: |
+          npm_tarball=$(curl -fsSL https://registry.npmjs.org/npm/latest | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).dist.tarball")
+          curl -fsSL "$npm_tarball" | tar xz -C /tmp
+          node /tmp/package/bin/npm-cli.js install -g npm@latest
+          rm -rf /tmp/package
+          echo "npm version: $(npm --version)"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile