
ci: add Release Please workflow for automated releases#59

Open
alukach wants to merge 2 commits into
mainfrom
chore/release-please

Conversation

@alukach (Member) commented May 25, 2026

Summary

Introduce Release Please to automate the release pipeline. Going forward, releases will be driven entirely by Conventional Commits landing on main:

  1. As fix: / feat: / etc. commits land on main, Release Please maintains a Release PR that bumps the version in package.json and updates CHANGELOG.md.
  2. When that Release PR is merged, Release Please creates a git tag + GitHub Release.
  3. A second job (publish) runs only when a release was created, building the package and publishing to npm via trusted publishing with automatic provenance.

Changes

  • .github/workflows/release.yml — new workflow, runs on push to main. Two jobs:
    • release-please — manages the Release PR and creates the GH release/tag.
    • publish — gated on release_created; authenticates to npm via OIDC (no long-lived token), then runs npm publish --access public --provenance.
  • release-please-config.json — release-type: node, prerelease: true (we're still in the 1.0.0-alpha.x lane). Conventional commit sections shown in the CHANGELOG are explicit (feat, fix, perf, refactor, deps); chore/docs/ci/test/build/style are hidden by default.
  • .release-please-manifest.json — tracks the last released version. Initialized to 1.0.0-alpha.3 (latest on npm).

npm trusted publisher — configured ✅

The trusted publisher for @developmentseed/stac-react has been set up on npmjs.com pointing at this repository and workflow file:

  • Organization: developmentseed
  • Repository: stac-react
  • Workflow filename: release.yml

No npm token or repo secret is required. Trusted publishing also satisfies the package's publish-2FA policy without a "bypass 2FA" flag.

Notes / caveats

  • npm version: trusted publishing requires npm ≥ 11.5.1. Node 22 ships with npm 10.x, so the workflow installs the latest npm before publishing.
  • Sequencing with PR #58 (chore: scope npm publish to dist/ and rebuild before publish): .release-please-manifest.json is set to 1.0.0-alpha.3 to match the published npm version. PR #58 (chore/safer-npm-publish) carries the matching package.json bump from 1.0.0-alpha.2 to 1.0.0-alpha.3. If this PR lands first, package.json will lag the manifest until #58 merges — release-please tolerates this and will reconcile in the next Release PR.
  • Tag for the out-of-band v1.0.0-alpha.3 release currently points to a commit on the chore/safer-npm-publish branch (not on main). After chore: scope npm publish to dist/ and rebuild before publish #58 squash-merges, the tag will be orphaned. Either force-update the tag to the resulting main commit or leave it — release-please reads from the manifest, not git tags, so this doesn't affect the workflow.
  • Conventional Commits discipline: this workflow only works well if commits to main follow Conventional Commits. The repo is already mostly there. We may want to add a commitlint check or PR title check as a follow-up.
  • Prerelease bumping: prerelease: true keeps version bumps in the alpha lane. To cut a stable 1.0.0, we'd remove the prerelease flag (or use a manual release-as override).

Test plan

  • Merge this PR
  • On the first main push after merge, confirm a Release PR is opened with a CHANGELOG and version bump
  • Verify the publish job runs and the new version appears on npm with a provenance badge
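For readers who want to see the shape of the two-job pipeline the description above lays out, here is an added example of a release.yml in that style. It is illustrative and is not the PR's actual workflow file: the action version pins, the config/manifest file names, the build script name and the exact step ordering are assumptions, and the `permissions` blocks follow the least-privilege split (the publish job gets `id-token: write` for OIDC and nothing else it does not need).

```yaml
# Added example (not the PR's release.yml). Assumptions: release-please-action v4
# with its default config/manifest file names, a "build" npm script, and
# actions pinned to major tags (pin to commit SHAs in production).
name: release

on:
  push:
    branches: [main]

permissions:
  contents: write        # create the git tag and GitHub Release
  pull-requests: write   # open / update the Release PR

jobs:
  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4
        with:
          config-file: release-please-config.json        # release-type: node, prerelease: true
          manifest-file: .release-please-manifest.json   # last released version, e.g. 1.0.0-alpha.3

  publish:
    needs: release-please
    # Only runs on the push that merged a Release PR; ordinary pushes to main stop here.
    if: ${{ needs.release-please.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write     # lets the npm CLI request a GitHub OIDC token for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Node 22 bundles npm 10.x; OIDC trusted publishing needs npm >= 11.5.1.
      - run: npm install -g npm@latest
      - run: npm --version
      - run: npm ci
      - run: npm run build
      # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere: npm exchanges the job's OIDC token
      # for short-lived registry credentials, and --provenance attaches the
      # signed build attestation that shows up as the provenance badge on npm.
      - run: npm publish --access public --provenance
```

Two practical checks worth adding to the test plan: after the first publish, `npm audit signatures` in a consumer project (or the provenance badge on the package page) confirms the attestation was recorded against this repository and workflow; and because the Release PR is opened with the default GITHUB_TOKEN, events it raises do not trigger other workflows, so any CI that must run on the Release PR itself needs a separate token or a manual re-run.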

alukach and others added 2 commits May 25, 2026 09:49
Introduce Release Please to manage version bumps, CHANGELOG generation,
git tags, and GitHub releases based on Conventional Commits landing on
main. When the Release PR merges, a second job publishes to npm with
provenance.

Required follow-up before the first Release PR can merge: add an
NPM_TOKEN repo secret (granular access token with "Bypass 2FA on
publish" enabled, scoped to @developmentseed/stac-react).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Switch from token-based npm auth to OIDC-based trusted publishing.
The publish job exchanges its GitHub OIDC token for short-lived npm
credentials, removing the need for a long-lived NPM_TOKEN secret
(with 2FA-bypass) and making provenance automatic.

Requires npm >= 11.5.1; Node 22 ships with npm 10.x, so add a step
to install the latest npm before publishing.

Also requires configuring the trusted publisher on npmjs.com to
point at this workflow file and repo.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@alukach alukach requested review from AliceR and danielfdsilva May 25, 2026 17:46