fix(ci): bump publish workflow to Node 24 for npm 11.5+ OIDC support

[I4cTime]

Summary

CI-only hotfix. Bumps actions/setup-node node-version from 22 to 24 in .github/workflows/publish.yml so the runner ships an npm CLI that supports OIDC trusted publishing.

Why

npm's trusted publishing docs require:

Trusted publishing requires npm CLI version 11.5.1 or later and Node version 22.14.0 or higher.

Node 22 in setup-node@v4 ships npm 10.x, which the registry silently rejects with a misleading E404 Not Found - PUT https://registry.npmjs.org/@i4ctime%2fq-ring instead of the documented ENEEDAUTH. This is exactly what blocked the v0.10.1 publish (runs 24920121657, 24920570275, 24920684561) even after the OIDC Trusted Publisher was added on npmjs.com — the provenance statement was successfully signed and uploaded to Sigstore each time, but npm's exchange endpoint refused the older client.

Node 24 bundles npm 11.6.x, well above the 11.5.1 floor, so we can also keep the npm install -g npm@latest step removed (which had been crashing with Cannot find module 'promise-retry').

Scope

• No source changes — only .github/workflows/publish.yml
• No version bump — v0.10.1 stays the published target; we'll re-dispatch the workflow against the existing tag once this lands

Follow-up

After merge:

1. gh workflow run publish.yml --ref main -f ref=v0.10.1
2. Confirm npm view @i4ctime/q-ring version flips from 0.9.8 → 0.10.1
3. Confirm MCP Registry publish step succeeds

Test plan

• Workflow syntactically valid (YAML parses)
• Re-dispatched workflow completes the Publish to npm step (verified post-merge)
• npm view @i4ctime/q-ring versions includes 0.10.1

Made with Cursor