chore(release): OIDC-based tag-triggered release workflow

[ssilvius]

Summary

• Adds .github/workflows/release.yml -- tag-triggered (v*) release workflow that publishes all 9 packages via npm OIDC trusted publishers. No npm tokens, anywhere.
• Adds RELEASING.md -- one-time trusted-publisher setup per package, release procedure, troubleshooting, and OIDC design notes.
• Mirrors the cleaned-up pattern from `rafters-studio/rafters` after six fix commits' worth of hard-won lessons.

Why

The previous plan assumed token-based publishing via `~/.npmrc`. That path is dead -- modern npm publishing uses OIDC trusted publishers via GitHub Actions. The `rafters-studio/rafters` repo took six fix commits to stabilize OIDC publishing (`fix: remove registry-url to stop .npmrc blocking OIDC`, `fix: clear NODE_AUTH_TOKEN for npm OIDC publishing`, etc.). This PR lands the stabilized version for mail and documents every gotcha so the next agent does not repeat the same mistakes.

The workflow

```yaml
permissions:
id-token: write # required for OIDC exchange
contents: write # required to create GitHub release

on:
push:
tags: ['v*'] # tags are the only thing that ships
```

Key rules enforced by the workflow:

• No `registry-url` on `setup-node`. It writes a `.npmrc` with `_authToken=${NODE_AUTH_TOKEN}` that blocks OIDC.
• No `NODE_AUTH_TOKEN` env anywhere. Any value (including empty) short-circuits the OIDC exchange.
• `NPM_CONFIG_PROVENANCE=true` on the publish step triggers the OIDC trusted-publisher flow for every `npm publish` invocation.
• `pnpm changeset publish` iterates all 9 packages and publishes each one with provenance.

The one-time setup

Before the first `0.1.0` release can succeed, every package needs a trusted publisher configured on npmjs.org. This is per-package and must be done before the first publish of each of:

• `@rafters/mail`, `@rafters/mail-resend`, `@rafters/mail-cloudflare`, `@rafters/mail-react-email`, `@rafters/mail-workers-ai`, `@rafters/better-auth-resend`, `@rafters/mail-imap`, `@rafters/mail-imap-cloudflare`, `@rafters/mail-imap-server`

Trusted publisher config per package:

• Publisher: GitHub Actions
• Owner: `rafters-studio`
• Repo: `mail`
• Workflow filename: `release.yml`
• Environment: (blank)

Step-by-step with the pending-publisher flow for brand-new packages is in `RELEASING.md`.

Release procedure

Once trusted publishers are configured:

```bash
git checkout main && git pull
pnpm changeset version # consume changesets, bump versions
git add . && git commit -m "chore(release): 0.1.0"
git tag v0.1.0
git push origin main --tags # tag push triggers workflow
```

RELEASING.md content

• One-time setup -- npm trusted-publisher configuration per package with exact fields
• Release procedure -- copy-pasteable bash for cutting a release
• Troubleshooting -- 5 common OIDC failure modes with diagnoses (401, 403, EBADENGINE, OIDC token expired, CI gate failures)
• OIDC design notes -- explicit do/don't list with reasoning

Test plan

• Workflow YAML is valid -- written against the actions/setup-node@v4, pnpm/action-setup@v4, actions/checkout@v4 contracts
• Mirrors the stabilized rafters pattern after its 6 fix commits
• `legion-simplify` gate: clean
• Format check: clean
• End-to-end verification requires the one-time trusted-publisher setup on npmjs.org (out of scope for this PR -- tracked in RELEASING.md)

Co-dependencies

• chore(imap): add tsup build pipeline to imap, imap-cloudflare, imap-server #73 (tsup build pipeline) -- needs to merge first so the 3 IMAP packages have `dist/` to publish
• docs(readme): add IMAP packages to package list and status table #74 (README package table update) -- parallel doc fix, no ordering dependency
• This PR (chore(release): OIDC-based tag-triggered release workflow #75) -- release workflow plus the docs