build: restrict npm tarball contents to an explicit allowlist (#51293)

* build: restrict npm tarball contents to an explicit allowlist

The npm publish flow runs `npm pack` in a staging temp dir, but
`npm/package.json` had no `files` field — so any file that happened
to land in that dir was packed into the published tarball.

Recent releases (41.2.1+, 40.9.1+, 39.8.8+) shipped a self-referential
`.npm-cache/_logs/*-debug-0.log` (npm's own debug log, written into
the pack dir before pack finishes reading files) and a stray copy of
`SHASUMS256.txt` that duplicates the info already in `checksums.json`.

Add an explicit `files` allowlist so only the intended contents are
packaged, regardless of staging-dir contamination. `package.json`,
`README.md`, and `LICENSE` are auto-included by npm.

Fixes #51290.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build: include LICENSE and README.md in files allowlist

These are auto-included by npm regardless, but listing them makes the
intended contents of the tarball self-documenting alongside the other
entries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author: Keeley Hammond
Date: 2026-04-23 19:14:08 -07:00
Committed by: GitHub
Parent: 746b1b2579
Commit: 56ac67bf48
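The commit message explains the failure mode (whatever lands in the staging dir gets packed) and the fix (a `files` allowlist). A practitioner also wants the other half: a gate that proves the tarball matches the allowlist before publish. The script below is an added example, not Electron's code and not part of this commit. It consumes the JSON that `npm pack --dry-run --json` prints, which this example assumes is an array with one object per tarball, each carrying a `files` array of `{ path, size, mode }` entries, and compares the packed paths against the `files` array from the patch plus the three files npm always includes. The listing it audits is constructed here to mirror the two stray files the message describes; `gateStatus` is a hypothetical helper that returns the exit code a CI step would use.

```javascript
// Added example for this page, not Electron's code and not part of the commit.
// A pre-publish gate: compare what npm says it will pack against the
// package.json `files` allowlist, so staging-dir contamination (like the
// debug log and SHASUMS256.txt copy described above) fails the release
// rather than shipping in the tarball.
//
// Input is the JSON printed by `npm pack --dry-run --json`, which (as this
// example assumes) is an array with one object per tarball, each carrying a
// `files` array of { path, size, mode } entries.

// Files npm always puts in the tarball whether or not `files` names them.
const ALWAYS_INCLUDED = ['package.json', 'README.md', 'LICENSE'];

// Does a packed path fall under an allowlist entry? Plain file names match
// exactly; an entry naming a directory matches everything beneath it. Glob
// patterns are deliberately not supported here (keep the allowlist literal).
function allowedBy(entry, packedPath) {
  const dir = entry.endsWith('/') ? entry : entry + '/';
  return packedPath === entry || packedPath.startsWith(dir);
}

// Compare the pack listing against the allowlist.
// Returns { unexpected, missing }: files npm would pack that nothing allows,
// and allowlist entries (plus always-included files) that npm did not pack.
function auditPackList(packJson, pkg) {
  const packed = [...new Set(packJson.flatMap(t => t.files.map(f => f.path)))];
  const expected = [...new Set([...ALWAYS_INCLUDED, ...(pkg.files ?? [])])];
  const unexpected = packed
    .filter(p => !expected.some(e => allowedBy(e, p)))
    .sort();
  const missing = expected
    .filter(e => !packed.some(p => allowedBy(e, p)))
    .sort();
  return { unexpected, missing };
}

// The allowlist from the patch.
const PKG = {
  name: 'electron',
  files: ['LICENSE', 'README.md', 'abi_version', 'checksums.json', 'cli.js',
          'electron.d.ts', 'index.js', 'install.js'],
};

// Constructed sample listing: the intended files plus the two stray ones a
// pre-fix staging dir would have contributed. Sizes, modes and the log
// timestamp are placeholders, not captured values.
const CONTAMINATED_LISTING = [{
  name: 'electron',
  filename: 'electron-example.tgz',
  files: [
    'LICENSE', 'README.md', 'abi_version', 'checksums.json', 'cli.js',
    'electron.d.ts', 'index.js', 'install.js', 'package.json',
    '.npm-cache/_logs/0000-00-00T00_00_00_000Z-debug-0.log',
    'SHASUMS256.txt',
  ].map(path => ({ path, size: 1, mode: 0o644 })),
}];

// Hypothetical helper: 0 when the tarball matches the allowlist exactly,
// 1 otherwise. Returned rather than passed to process.exit so it is testable.
function gateStatus(result) {
  return result.unexpected.length === 0 && result.missing.length === 0 ? 0 : 1;
}

const report = auditPackList(CONTAMINATED_LISTING, PKG);
console.log('unexpected:', report.unexpected);
console.log('missing:', report.missing);
console.log('exit status would be', gateStatus(report));
```

Wired into the release flow, the step would run `npm pack --dry-run --json` in the same staging dir the publish uses, parse that output, and fail the job when `gateStatus` is non-zero. The `missing` half matters as much as `unexpected`: with an allowlist in place, a file that is needed at runtime but never added to `files` is silently dropped from the tarball, and only a comparison in both directions catches it.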


@@ -5,6 +5,16 @@
"electron": "cli.js",
"install-electron": "install.js"
},
"files": [
"LICENSE",
"README.md",
"abi_version",
"checksums.json",
"cli.js",
"electron.d.ts",
"index.js",
"install.js"
],
"dependencies": {
"@electron/get": "^5.0.0",
"@types/node": "^24.9.0",
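Review bot: the allowlist has no matching check, so a file the package needs but that nobody adds to this `files` array will drop out of the tarball as silently as the stray files used to drop in; consider a CI step in the staging dir that runs `npm pack --dry-run --json` and fails when the reported paths differ from this array plus package.json, README.md and LICENSE. Also worth knowing when reading the list: npm always packs the `bin` targets `cli.js` and `install.js` (and the three auto-included files) regardless of `files`, so the entries this array actually controls are `abi_version`, `checksums.json`, `electron.d.ts` and `index.js`; listing the rest for self-documentation, as the message says, is fine, but the comparison step is what turns the list into a guarantee.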