
Apply StepSecurity build hardening and add manual publish dispatch #5

Merged
cfluke-cb merged 1 commit into main from cfluke/stepsecurity-build-dispatch on Jun 3, 2026

Conversation

@cfluke-cb

Contributor

Summary

Supersedes #4 by applying its intended security changes on top of the fixed publish workflow from #3.

  • StepSecurity (from [StepSecurity] Apply security best practices #4): Bump harden-runner to v2.19.3; scope id-token: write to the publish job only (least-privilege GITHUB_TOKEN).
  • Manual publish: Add workflow_dispatch with a ref input so NuGet publish can be triggered without a new release (e.g. v0.2.0).

PR #4 could not be merged as-is because it was based on an older build.yml and removed on:, runs-on, checkout, pack, and correct push paths.

Test plan

  • Merge and close [StepSecurity] Apply security best practices #4 in favor of this PR
  • Run manually: gh workflow run build.yml --ref main -f ref=v0.2.0
  • Confirm pack + NuGet push succeeds (or fails only if version already exists on NuGet.org)

Made with Cursor

Re-apply PR #4 security changes on the fixed publish workflow: bump
harden-runner, scope OIDC to the publish job, and allow manual NuGet
publishes via workflow_dispatch with a configurable ref.

Co-authored-by: Cursor <cursoragent@cursor.com>
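To make the three changes described in the summary concrete (harden-runner pinned at v2.19.3, id-token: write scoped to the publish job only, and a workflow_dispatch ref input), here is an added illustrative build workflow. It is not the repository's own build.yml and is not code from this PR; the job names, the .NET version, the NuGet/login trusted-publishing step and the NUGET_USER secret are assumptions for the example.

```yaml
name: build

on:
  push:
    branches: [main]
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      ref:
        description: "Git ref (tag, branch or SHA) to build and publish, e.g. v0.2.0"
        required: true
        type: string

# Workflow-level default: the GITHUB_TOKEN is read-only for every job.
# Jobs opt in to additional scopes individually (least privilege).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # harden-runner must be the first step so it observes every later step.
      - name: Harden runner
        uses: step-security/harden-runner@v2.19.3  # pin to the full commit SHA of this tag in a real repo
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
        with:
          # Manual dispatch builds the requested ref; other events build the triggering ref.
          ref: ${{ inputs.ref || github.ref }}
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0.x"   # assumed SDK version
      - run: dotnet build --configuration Release
      - run: dotnet pack --configuration Release --no-build --output ./nupkg
      - uses: actions/upload-artifact@v4
        with:
          name: nupkg
          path: ./nupkg/*.nupkg

  publish:
    needs: build
    # Publish only for a release or an explicit manual dispatch, never for a plain push.
    if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # OIDC is granted here only; the build job cannot mint an identity token
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2.19.3
        with:
          egress-policy: audit
      - uses: actions/download-artifact@v4
        with:
          name: nupkg
          path: ./nupkg
      - name: Exchange the OIDC token for a short-lived NuGet API key
        id: login
        uses: NuGet/login@v1            # assumed: NuGet trusted-publishing login action
        with:
          user: ${{ secrets.NUGET_USER }}   # assumed secret holding the NuGet.org profile name
      - name: Push package
        run: >
          dotnet nuget push ./nupkg/*.nupkg
          --api-key ${{ steps.login.outputs.NUGET_API_KEY }}
          --source https://api.nuget.org/v3/index.json
```

A manual publish of an existing tag is then `gh workflow run build.yml --ref main -f ref=v0.2.0`, matching the test plan: `--ref main` selects which copy of the workflow file runs, while the `ref` input selects what gets checked out, packed and pushed. Two points worth checking when reviewing a workflow like this: the `id-token: write` scope should appear only under the job that actually performs the OIDC exchange, and harden-runner's `egress-policy: audit` should be promoted to `block` with an explicit endpoint allow-list once a few audit runs have shown which hosts the pack and push steps really contact.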
@cfluke-cb cfluke-cb requested review from a team as code owners June 3, 2026 14:49
@cb-heimdall

cb-heimdall commented Jun 3, 2026


✅ Heimdall Review Status

Requirement: Reviews
Status: 1/1

Denominator calculation:
  1 if user is bot: 0
  1 if user is external: 0
  2 if repo is sensitive: 0
  From .codeflow.yml: 1

Additional review requirements:
  Max: 0
    0
    From CODEOWNERS: 0
    Global minimum: 0
  Max: 1
    1
    1 if commit is unverified: 0
  Sum: 1

@cfluke-cb cfluke-cb merged commit b8dec8b into main Jun 3, 2026
10 checks passed
@nmorgan-cb nmorgan-cb deleted the cfluke/stepsecurity-build-dispatch branch June 3, 2026 15:05