Extract npm publish to reusable build.yaml workflow

This allows both main.yaml and publish-pr.yaml to use npm trusted
publishing through OIDC, as npm only allows one trusted publisher
workflow per package. By naming the reusable workflow build.yaml,
legacy maintenance branches can continue to publish without changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>