ci(publish): Enable npm provenance and harden package scripts

- Add registry-url to setup-node step so NODE_AUTH_TOKEN is set automatically
- Switch npm publish to --provenance for signed, verifiable package releases
- Consolidate preinstall/postinstall/prepare into a single prepare script
- Add || true guard so simple-git-hooks does not fail in CI environments

Author: libraz

.github/workflows/publish.yml

@@ -19,6 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
 
       - run: npm install -g npm@latest
       - run: corepack enable
@@ -56,9 +57,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --access public --provenance
 
   python-wheels:
     strategy:

package.json

@@ -19,9 +19,7 @@
   ],
   "sideEffects": false,
   "scripts": {
-    "preinstall": "npx only-allow yarn",
-    "postinstall": "simple-git-hooks",
-    "prepare": "simple-git-hooks",
+    "prepare": "simple-git-hooks || true",
     "build": "yarn build:wasm && yarn build:js",
     "build:wasm": "emcmake cmake -B build-wasm -DBUILD_WASM=ON && cmake --build build-wasm",
     "build:js": "tsc",