fix(ci): install jq for verify-provenance step (node:24 lacks it)

rc.1 retag #6 (8d733e2) — publish + provenance attestation landed
cleanly on npmjs.org (aiwg@2026.5.3-rc.1 is live with .dist.attestations
populated; Sigstore logIndex=1522282143). The post-publish verify step
then exited 127 because the node:24 base image doesn't ship jq, and
the subsequent cosign/syft/asset-upload steps were skipped.

Add an apt-get install jq step right before the verify, mirroring the
pattern already in place in .gitea/workflows/gitea-release.yml. This
unblocks the cosign tarball signing, syft SBOM generation, and GitHub
release asset upload for rc.1 retag #7.

Refs: #1278 (Wave 9 / Track A close-out — rc.1 verification cycle)

Author: jmagly

.github/workflows/npm-publish.yml

@@ -290,6 +290,16 @@ jobs:
             fi
           }
 
+      - name: Install jq (node:24 image does not ship it by default)
+        # The verify-provenance step and the asset-upload steps below shell
+        # out to jq. node:24-bookworm doesn't include it. rc.1 retag #6
+        # (8d733e2b) blew up here with exit 127 AFTER a fully successful
+        # publish + provenance landing — see CHANGELOG entry for 2026.5.3-rc.1.
+        run: |
+          if ! command -v jq >/dev/null 2>&1; then
+            apt-get update && apt-get install -y --no-install-recommends jq
+          fi
+
       - name: Verify provenance attestation landed
         # Independent post-publish check. Without this, a successful publish
         # that did NOT actually emit provenance would appear identical to