
Fix trusted publishing workflow #5084

Merged: JoviDeCroock merged 2 commits into v10.x from fix-trusted-publishing-workflow, May 12, 2026

@JoviDeCroock

Member

Summary

  • Fix the npm publish job by setting up Node 24 before updating npm to 11.11.1
  • Validate that preact.tgz contains the preact package and that its version matches the pushed git tag before publishing
  • Make prerelease npm dist-tags fail closed to approved identifiers (alpha, beta, rc, next) instead of falling back to latest
  • Use the local reusable build workflow for release builds and pin the actions that produce the release artifact
  • Document trusted publisher/environment prerequisites and push only the intended release tag

Verification

  • go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/release.yml .github/workflows/build-test.yml
  • git diff --check
  • node -e "JSON.parse(require('fs').readFileSync('package.json','utf8')); console.log('package.json ok')"
  • Manually exercised the dist-tag parsing for stable, rc/beta, numeric prerelease, unknown prerelease, and non-10.x tags
  • Manually exercised the package tarball validation snippet against a test preact.tgz

Notes

Out-of-band repository/package settings still need to be correct for trusted publishing: npm should trust preactjs/preact + release.yml + the npm environment, the GitHub npm environment should require reviewers, and repo rules should protect 10.* tags.

JoviDeCroock merged commit 562e0f5 into v10.x May 12, 2026
4 checks passed
JoviDeCroock deleted the fix-trusted-publishing-workflow branch May 12, 2026 16:16
JoviDeCroock mentioned this pull request May 17, 2026
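
The fail-closed dist-tag mapping described in the PR summary, as an added example that is not the workflow code from this PR: a POSIX shell function that maps a pushed tag to an npm dist-tag and refuses anything it does not recognise. The `resolve_dist_tag` name, the `latest` mapping for stable tags, the rejection of numeric prereleases and the sample tags are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Assumed policy: only 10.x tags
# publish; stable tags get "latest"; prereleases must start with an approved
# identifier; everything else is rejected instead of defaulting to "latest".

resolve_dist_tag() {
  tag=$1
  version=${tag%%-*}              # part before the first "-", e.g. 10.26.0
  rest=${version#10.}             # minor.patch when the major is 10

  # Require exactly 10.<digits>.<digits>; clear $rest on any mismatch.
  case "$version" in 10.*.*) ;; *) rest= ;; esac
  minor=${rest%%.*}
  patch=${rest#*.}
  case "$minor" in ''|*[!0-9]*) rest= ;; esac
  case "$patch" in ''|*[!0-9]*) rest= ;; esac
  if [ -z "$rest" ]; then
    echo "refusing to publish: '$tag' is not a 10.x release tag" >&2
    return 1
  fi

  # No "-" in the tag means a stable release.
  if [ "$tag" = "$version" ]; then
    echo latest
    return 0
  fi

  # Allowlist the prerelease identifier; there is no default branch to "latest".
  prerelease=${tag#*-}
  case "$prerelease" in
    alpha|beta|rc|next) echo "$prerelease" ;;
    alpha.*|beta.*|rc.*|next.*) echo "${prerelease%%.*}" ;;
    *)
      echo "refusing to publish: unapproved prerelease '$prerelease'" >&2
      return 1 ;;
  esac
}

# Constructed sample tags; rejected ones print their reason on stderr.
for t in 10.26.0 10.26.0-rc.1 10.26.0-beta.2 10.26.0-0 10.26.0-canary.1 11.0.0; do
  printf '%s -> %s\n' "$t" "$(resolve_dist_tag "$t" || echo REJECTED)"
done
```

In a publish step, a non-zero return stops the job before `npm publish` runs, so an unexpected tag can never move `latest`.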