GitHub Actions CI logs for the tagged commit will show the npm pack command output.
There you can verify that the package hash etc. match the integrity hash in your lock file.
I have not automated the publishing. I will be downloading the artifact from GitHub, then publishing it directly from my local PC (verifying the hash before entering my 2FA).
GitHub Actions CI is building the packages on npm.
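One way to do the lock-file check described above, as an added example that is not part of the original text or the project's own tooling: it computes the SRI hash of the tarball bytes and compares it with the integrity value recorded in a package-lock.json (v2/v3 layout). The package name `example-pkg`, the sample bytes and the sample lock object are constructed for illustration.

```javascript
// Added example: compare a tarball's SRI hash with a package-lock.json entry.
const crypto = require('crypto');

const STRENGTH = ['sha1', 'sha256', 'sha384', 'sha512']; // weakest to strongest

// Compute an SRI string ("<algo>-<base64 digest>") over raw tarball bytes.
function sriOf(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// Read the integrity recorded for a package in a lockfile v2/v3 object.
function lockedIntegrity(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry || !entry.integrity) throw new Error(`no integrity for ${name}`);
  return entry.integrity;
}

// True only if the tarball matches a hash of the strongest algorithm listed.
// A matching weaker hash (e.g. sha1) is ignored when a stronger one is present.
function verifyTarball(bytes, lock, name) {
  const hashes = lockedIntegrity(lock, name).split(/\s+/).filter(Boolean)
    .map((h) => ({ algo: h.slice(0, h.indexOf('-')), value: h }))
    .filter((h) => STRENGTH.includes(h.algo));
  if (hashes.length === 0) return false;
  const best = hashes.reduce((a, b) =>
    (STRENGTH.indexOf(b.algo) > STRENGTH.indexOf(a.algo) ? b : a)).algo;
  const actual = sriOf(bytes, best);
  return hashes.some((h) => h.algo === best && h.value === actual);
}

// Constructed sample input: stand-in bytes for the downloaded .tgz artifact
// and a minimal lock file that records their hash.
const SAMPLE_BYTES = Buffer.from('constructed tarball bytes for example-pkg');
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/example-pkg': {
      version: '1.0.0',
      integrity: sriOf(SAMPLE_BYTES),
    },
  },
};

console.log('artifact matches lock file:',
  verifyTarball(SAMPLE_BYTES, SAMPLE_LOCK, 'example-pkg'));
console.log('tampered artifact matches:',
  verifyTarball(Buffer.from('tampered bytes'), SAMPLE_LOCK, 'example-pkg'));
```

For a real check, replace the sample bytes with `fs.readFileSync` of the downloaded tarball and the sample lock with the parsed package-lock.json.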