Preview Hardened Permissions And Always `pnpm` (#27)
## What does this PR do?
Working through setting up a repo and ran into these two issues.
- We don't need `write` permissions for publishing a preview package.
- Also we can always use `pnpm pack` as that is the default expectation.
Using `npm` may trigger `devEngines` checks as set in the template.
## Type of change
<!-- Check one. -->
- [x] Bug fix
- [ ] Feature
- [ ] Refactor (no behavior change)
- [ ] Documentation
- [ ] Performance improvement
- [ ] Tests
- [x] Chore (dependencies, CI, tooling)
## Checklist
- [x] All tests pass (`pnpm test`)
- [x] Files are formatted (`pnpm format`)
- [x] I have added/updated tests for my changes (if applicable)
- [ ] I have added a changeset
## AI-generated code disclosure
<!-- If any part of this PR was generated by AI tools (Copilot, Claude,
GPT, Cursor, etc.), check the box. This is fine — we just need to know
so reviewers can pay extra attention to edge cases. -->
- [ ] This PR includes AI-generated code
authored by