Address publish workflow review feedback

[jozefizso]

Summary

• skip npm publishing for GitHub prereleases so prerelease releases cannot publish the default latest dist-tag
• check whether the exact package version already exists on npm
• skip pack, attestation, artifact upload, and publish steps when the version is already published so workflow reruns are safe

Verification

• YAML parse for publish workflow

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bad57bf9ac

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Distinguish npm lookup failures from missing versions

The check npm package version step treats any npm view failure as exists=false, but non-zero exits can also come from transient/auth/registry errors (not only “version does not exist”). In those cases, the workflow will incorrectly proceed as if the version is unpublished, run pack/attest/upload, and then fail at publish (or lose rerun idempotency), which defeats the safety goal introduced by this change. Please only set exists=false for explicit not-found responses and fail the job for other npm view errors.

Useful? React with 👍 / 👎.