f900a81ec9
npm ci fails if the tag commit's lock file is out of sync (as happened with v2.2.0 when @swc/helpers was missing). npm install is safe here because the publish workflow only needs deps to run prepublish.mjs — strict lock enforcement is not required for the publish step.