ci(workflow): refine npm publish workflow with OIDC diagnostics

- Add `packages: write` permission for npm OIDC authentication.
- Split steps into clearly named tasks: install, build, verify OIDC, and publish.
- Introduce an optional `whoami` diagnostic step to verify OIDC setup without failing the job.

Author: z0ffy

.github/workflows/npm-publish.yml

@@ -7,6 +7,7 @@ on:
 permissions:
   id-token: write
   contents: read
+  packages: write
 
 jobs:
   publish:
@@ -26,5 +27,17 @@ jobs:
           registry-url: https://registry.npmjs.org
           cache: 'pnpm'
 
-      - run: pnpm install
-      - run: pnpm run build && pnpm publish --provenance --access public --no-git-checks
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Build
+        run: pnpm run build
+
+      - name: Verify OIDC authentication (diagnostic)
+        # If OIDC trust is configured on npm this should print the npm username.
+        # Keep permissive so it won't fail the job if whoami doesn't return.
+        run: |
+          npm whoami || pnpm whoami || true
+
+      - name: Publish to npm (via OIDC)
+        run: pnpm publish --provenance --access public --no-git-checks