feat: add npm OIDC Trusted Publisher support

[azu]

Summary

This PR adds npm OIDC (OpenID Connect) Trusted Publisher support for secure package publishing. It eliminates the need for long-lived NPM_TOKEN secrets and enables provenance attestation for all published packages.

Changes

• Add release.yml workflow with OIDC authentication (3-job structure: check, release, comment)
• Add create-release-pr.yml for automated release PR creation via workflow_dispatch
• Add check-provenance.yml for monitoring OIDC configuration status across packages
• Add CODEOWNERS file to protect critical workflow files
• Update lerna from v7 to v9 (required for OIDC provenance support)
• Update existing workflows with security improvements:
  • Bump actions to v4 with SHA pinning
  • Add persist-credentials: false to all checkouts
  • Add explicit permissions blocks
  • Update Node.js test matrix to 20/22

Breaking Changes

None

Test Plan

After merging, the following manual steps are required:

1. Create GitHub Environment "npm" at Settings → Environments
2. Configure npm Trusted Publisher for each @kvs/* package:
   • Repository: azu/kvs
   • Workflow: .github/workflows/release.yml
   • Environment: npm
3. Run gh workflow run check-provenance.yml to verify OIDC status
4. Test release flow by running Create Release PR workflow

[github-actions]

NPM Package Status

Published Packages Missing OIDC Configuration

Configure OIDC for these packages:

• @kvs/common-test-case
• @kvs/env
• @kvs/indexeddb
• @kvs/localstorage
• @kvs/memorystorage
• @kvs/node-localstorage
• @kvs/storage
• @kvs/storage-sync
• @kvs/types

Setup Instructions:

1. Click each package link above
2. Click "Add trusted publisher"
3. Configure with:
   • Repository: azu/kvs
   • Workflow: .github/workflows/release.yml
   • Environment: npm

[github-actions]

size-limit report 📦

Path	Size
packages/env/module/browser.js	1.16 KB (0%)
packages/indexeddb/module/index.js	1.15 KB (0%)
packages/localstorage/module/index.js	860 B (0%)