Harden release/CI pipeline

[dalberola]

Gaps in the release/CI pipeline (mostly [verified]).

• commitlint.sh compares against master — scripts/commitlint.sh:7 runs npx commitlint --from=master, but the default branch is main, so it errors. Use origin/main or derive dynamically. [verified]
• publish-npm.yml has no quality gate — .github/workflows/publish-npm.yml runs yarn install then npm publish with no build/test/smoke. A broken build can be published. Add needs: on the test workflow, or run build && test && test:smoke first. [verified]
• Smoke tests run in no CI workflow — test:smoke exists in both packages but isn't gated anywhere (only dredd --version in the docker publish). Wire it in, especially given the rename just broke it. [verified]
• No engines on root package.json and no .nvmrc — packages require node>=22; add both for local/CI consistency. [verified]
• dredd-transactions/scripts/smoke.sh uses a hardcoded ~/test-temp path + bash shopt instead of mktemp like dredd/scripts/smoke.sh; fails in constrained CI. [verified]

Tasks

• Fix commitlint.sh to use origin/main.
• Gate publish-npm.yml on passing build/test/smoke.
• Add a smoke-test job (or fold into run-test.yml).
• Add root engines.node >=22 and a .nvmrc.
• Make dredd-transactions/scripts/smoke.sh use mktemp and clean up on exit.

[dalberola]

PR #14 addresses the verifiable items:

• commitlint.sh → origin/main
• Gate publish-npm.yml on build + lint + test (needs: verify)
• Root engines.node >=22 + .nvmrc
• dredd-transactions/scripts/smoke.sh → mktemp + EXIT trap

Deferred (still open here):

• prettify:check in CI — currently fails on 17 unformatted files; needs a prettier --write pass first (separate PR to keep the formatting churn isolated).
• test:smoke in CI — dredd's smoke installs its tarball, which depends on @stacklych/dredd-transactions@^0.1.0; gating on it before that package is published (or the script is reworked to install the sibling workspace tarball) risks a first-release deadlock.

[dalberola]

Update — `prettify:check` is now done in #19: the 17 unformatted files were run through `prettier --write` and `yarn prettify:check` is wired into `run-test.yml`. Verified clean on `main` (incl. the files merged via #18).

Remaining item: `test:smoke` in CI. Still blocked — the dredd smoke test installs dredd's tarball, which depends on `@stacklych/dredd-transactions@^0.1.0`. Until that package is published to npm (or the smoke script is reworked to install the sibling workspace tarball directly), gating CI on it risks a first-release deadlock. Leaving this one item open.