
ci: changesets + OIDC trusted publishing release flow #182

Merged: AlemTuzlak merged 1 commit into main from feat/changesets-oidc-release on Jun 1, 2026


@AlemTuzlak
Contributor

Brings remix-hook-form onto the same tokenless release flow as react-router-devtools and vite-plugin-icons-spritesheet.

What this does

  • changesets: `.changeset/config.json` (ignores the private react-router-app test app) + `changeset` / `changeset:version` / `changeset:publish` scripts. `changeset:version` also runs `npm install --package-lock-only` so the lockfile stays in sync (`npm ci` is strict).
  • Release workflow (push to main + guarded `workflow_dispatch`): changesets/action opens a "🚀 Release PR", then publishes via npm OIDC Trusted Publishing: `.npmrc` `provenance=true` + `id-token: write`, no NPM_TOKEN, no PAT. Pinned action SHAs, code-forge-io + main guard, non-cancelling concurrency, Node 24 (npm 11) for OIDC. Replaces the old "publish on GitHub release" + token flow.
  • Fixed `repository.url` / `bugs` / `homepage` / readme (forge-42 + forge42dev) → code-forge-io, so build provenance validates (otherwise it would 422 like RR devtools did).

No release in this PR

7.1.1 is already published and main has no unreleased commits, so there's nothing to cut. The flow stays idle until the first changeset lands — from then on: merge a PR with a changeset → a 🚀 Release PR opens → merge it → publishes with provenance.

⚠️ Required before the first publish (one-time, owner-only)

Configure a trusted publisher for remix-hook-form on npmjs.com:
package settings → Publishing access → Trusted publisher → GitHub Actions

  • Repository: code-forge-io/remix-hook-form
  • Workflow filename: publish.yaml
  • Environment: (leave blank)

🤖 Generated with Claude Code
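
The metadata fix in the description above can be enforced before `npm publish` runs. The following is an added example, not code from this PR or the project: it assumes the registry compares `repository` in package.json with the GitHub repository named in the provenance, treats `bugs` / `homepage` drift as warnings only, and uses hypothetical helper names (`repoSlug`, `checkProvenanceMetadata`) with constructed sample manifests.

```javascript
// Added example (not from the PR). Helper names are hypothetical.
// Reduce the GitHub URL forms accepted in package.json to "owner/repo".
function repoSlug(value) {
  const raw = typeof value === "string" ? value : value && value.url;
  if (typeof raw !== "string") return null;
  const path = raw.trim()
    .replace(/^git\+/, "")
    .replace(/^(?:https?|ssh|git):\/\/(?:[^@\/]+@)?github\.com\//i, "")
    .replace(/^git@github\.com:/i, "")
    .replace(/^github:/i, "");
  const m = path.match(/^([\w.-]+)\/([\w.-]+?)(?:\.git)?(?:[\/#?].*)?$/);
  return m ? `${m[1]}/${m[2]}`.toLowerCase() : null;
}

// errors should block the publish; warnings flag stale links only.
function checkProvenanceMetadata(pkg, expectedRepo) {
  const expected = expectedRepo.toLowerCase();
  const errors = [];
  const warnings = [];
  const repo = repoSlug(pkg.repository);
  if (!repo) errors.push("repository: missing or not a GitHub URL");
  else if (repo !== expected) errors.push(`repository: ${repo} != ${expected}`);
  for (const field of ["bugs", "homepage"]) {
    if (pkg[field] === undefined) continue;
    const slug = repoSlug(pkg[field]);
    if (slug !== expected) {
      warnings.push(`${field}: ${slug ?? "not a GitHub repo URL"} != ${expected}`);
    }
  }
  return { errors, warnings };
}

// Constructed manifests: org names come from the PR text, exact URLs do not.
const stalePkg = {
  repository: { type: "git", url: "git+https://github.com/forge-42/remix-hook-form.git" },
  bugs: { url: "https://github.com/forge42dev/remix-hook-form/issues" },
  homepage: "https://github.com/forge42dev/remix-hook-form#readme",
};
const fixedPkg = {
  repository: { type: "git", url: "git+https://github.com/code-forge-io/remix-hook-form.git" },
  bugs: { url: "https://github.com/code-forge-io/remix-hook-form/issues" },
  homepage: "https://github.com/code-forge-io/remix-hook-form#readme",
};
// In a workflow this would be process.env.GITHUB_REPOSITORY.
const EXPECTED_REPO = "code-forge-io/remix-hook-form";

for (const [label, pkg] of [["stale", stalePkg], ["fixed", fixedPkg]]) {
  const { errors, warnings } = checkProvenanceMetadata(pkg, EXPECTED_REPO);
  console.log(label, errors.length ? "BLOCK" : "ok", [...errors, ...warnings]);
}
```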

Mirror the tokenless release setup used in react-router-devtools and
vite-plugin-icons-spritesheet.

- changesets: add .changeset config (ignoring the private react-router-app
  test app) + changeset/changeset:version/changeset:publish scripts.
  changeset:version also runs `npm install --package-lock-only` so the
  lockfile stays in sync (npm ci is strict).
- Replace the release-triggered `npm publish` + NPM_TOKEN workflow with a
  push-to-main changesets flow that publishes via npm OIDC Trusted
  Publishing — .npmrc provenance=true + id-token:write, no NPM_TOKEN, no
  PAT. Pinned action SHAs, repo+main guard, non-cancelling concurrency,
  Node 24 (npm 11) for OIDC.
- Fix repository.url/bugs/homepage/readme (forge-42 + forge42dev) ->
  code-forge-io so build provenance validates.

No version change: 7.1.1 is already published; the flow stays idle until
the first changeset lands.

pkg-pr-new Bot commented Jun 1, 2026

npm i https://pkg.pr.new/remix-hook-form@182

commit: 606cbb0

@AlemTuzlak AlemTuzlak merged commit 8ae46d2 into main Jun 1, 2026
5 checks passed