ci(release): add GitHub Release creation and npm trusted publishing

[anmho]

Context

Release workflow was publishing to npm with a long-lived token and did not create a GitHub Release artifact page.

Summary

• grant contents: write + id-token: write in the release workflow
• verify tag version matches package.json on tag releases
• run npm pack during release
• create a GitHub Release with generated notes and attached .tgz
• remove NODE_AUTH_TOKEN / NPM_TOKEN dependency from npm publish
• pin GitHub Actions Node setup to 24 for trusted publishing
• add package.json.repository.url matching https://github.com/anmho/bluebubbles-cli

Validation

• bun run check
• confirmed workflow no longer references NODE_AUTH_TOKEN
• confirmed package.json.repository.url matches the GitHub repo

Follow-up After Merge

• configure npm Trusted Publisher for anmho/bluebubbles-cli using workflow file release.yml
• publish the next version from a v* tag to validate OIDC publish and provenance
• after the first successful OIDC publish, revoke the old npm publish token and disallow token-based publishing in npm package settings

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aa2c5d71dd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Create GitHub release only after npm publish succeeds

On tag pushes, this step executes before Publish To npm, so a failing npm publish (for example, an expired NPM_TOKEN or an already-published version) still leaves behind a GitHub Release and attached tarball for a version that is not actually available on npm. Reordering release creation to run after successful publish (or explicitly gating it on publish success) avoids publishing misleading release artifacts.

Useful? React with 👍 / 👎.

[anmho]

Workspace cleanup update: the accidentally nested kalshi-cli repo has been moved out of bluebubbles-cli and now lives at https://github.com/anmho/kalshi-cli under the sibling project path /Users/andrewho/repos/projects/kalshi-cli.

This PR remains unchanged in scope: it only updates the BlueBubbles release workflow and is not affected by that repo move.