fix: consolidate CI workflows and add provenance permissions

- Merge CI and publish workflows into single comprehensive workflow
- Add id-token: write permission for npm provenance generation
- Add contents: read permission for repository access
- Remove redundant publish.yml workflow
- Ensure publish job runs only after CI passes (needs: ci)
- Clean up workflow structure and naming

Author: marklearst

.github/workflows/ci.yml

@@ -1,25 +1,98 @@
-name: CI
+name: CI & Publish
 
 on:
   push:
     branches: [main]
+    tags: ['v*']
   pull_request:
     branches: [main]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
-  build-test:
+  ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
         with:
           node-version: 20
           cache: 'pnpm'
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm run lint
-      - run: pnpm run build
-      - run: pnpm run test -- --run
-      - run: pnpm run check:publint
-      - run: pnpm run check:attw
-      - run: pnpm run check:size
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Lint
+        run: pnpm run lint
+
+      - name: Build Package
+        run: pnpm run build
+
+      - name: Run Tests
+        run: pnpm run test -- --run
+
+      - name: Run Tests with Coverage
+        run: pnpm run test:coverage
+        env:
+          VITE_FIGMA_TOKEN: ${{ secrets.VITE_FIGMA_TOKEN }}
+          VITE_FIGMA_FILE_KEY: ${{ secrets.VITE_FIGMA_FILE_KEY }}
+
+      - name: Upload Coverage Report (GitHub Artifact)
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: coverage/
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage/lcov.info
+          flags: unittests
+          name: codecov-coverage
+          fail_ci_if_error: true
+
+      - name: Check Publint
+        run: pnpm run check:publint
+
+      - name: Check ATTW
+        run: pnpm run check:attw
+
+      - name: Check Size
+        run: pnpm run check:size
+
+  publish:
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    needs: ci
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org/'
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build Package
+        run: pnpm run build
+
+      - name: Publish to NPM
+        run: pnpm publish --access public --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}