fix: add provenance config, fix staged publishing version check

[theoephraim]

Summary

• Add provenance boolean to PublishConfig — first-class option to attach Sigstore provenance attestation (replaces publishArgs: ["--provenance"])
• Fix npm staged publishing minimum version: npm stage was introduced in npm 11.15.0 (not 11.5.1 which is the OIDC minimum)
• Throw hard errors (not warnings) when provenance or npmStaged are used with a non-npm publishManager
• Throw clear error with upgrade instructions when npm version is too old for staged publishing
• Add npm install -g npm@latest to release workflow to ensure npm >= 11.15.0
• Enable provenance: true in bumpy's own .bumpy/_config.json
• Update docs with new option and corrected version requirements

Test plan

• All 6 publish-pipeline tests pass
• Typecheck passes
• Merge → version PR → merge version PR → staged publish with provenance succeeds

[github-actions]

The changes in this PR will be included in the next version bump.

Patch releases

• @varlock/bumpy 1.9.1 → 1.9.2

Bump files in this PR

• fix-staged-provenance.md (view diff) (edit)

Click here if you want to add another bump file to this PR

---

This comment is maintained by bumpy.