We use a Trusted Publisher workflow to automatically publish our libraries with the tag "dev". We can then let customers and users try the libraries before we feel comfortable enough to do `npm dist-tag add XXXX latest` manually. This prevents us from accidentally publishing official versions of the libraries.
BUT: This is only controlled by the CI workflow file and if we don't pay attention to contributions changing this, a PR could slip in that would publish libs with "latest" tag.
Suggestion: Make it possible for a Trusted Publisher configuration to forbid "latest" publish but allow any other tag.
Related to #8547
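
One way to catch the workflow change described above on the repository side, as an added example that is not part of the original issue and not npm's own tooling: a Node.js check that a required CI job could run over the workflow file to flag any `npm publish` that would land on `latest`. The function name, the regexes and the sample workflow lines are constructed for illustration, and the check assumes no `.npmrc` or `publishConfig` setting overrides the default tag.

```javascript
// Added example (hypothetical helper, not npm tooling).
// Flags `npm publish` commands that would publish to the "latest" dist-tag:
// explicitly, by omitting --tag (npm's default tag is "latest"), or through
// a tag taken from a variable that cannot be verified statically.
const PUBLISH_RE = /\bnpm\s+publish\b(.*)$/;
// Accepts `--tag dev`, `--tag=dev` and quoted forms.
const TAG_RE = /--tag(?:=|\s+)["']?([^\s"']+)["']?/;

function findLatestPublishes(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*#/.test(line)) return;             // whole-line comment
    const code = line.replace(/\s+#.*$/, '');   // drop trailing comment
    const m = PUBLISH_RE.exec(code);
    if (!m) return;
    const tag = TAG_RE.exec(m[1]);
    if (!tag) {
      findings.push({ line: i + 1, reason: 'no --tag, defaults to latest' });
    } else if (tag[1] === 'latest') {
      findings.push({ line: i + 1, reason: 'explicit latest tag' });
    } else if (tag[1].includes('$')) {
      findings.push({ line: i + 1, reason: 'tag from variable, unverifiable' });
    }
  });
  return findings;
}

// Constructed sample inputs: the intended workflow and a tampered one.
const GOOD_WORKFLOW = [
  'jobs:',
  '  publish:',
  '    steps:',
  '      - run: npm publish --tag dev',
].join('\n');

const TAMPERED_WORKFLOW = [
  'jobs:',
  '  publish:',
  '    steps:',
  '      - run: npm publish',
  '      - run: npm publish --access public --tag=latest',
  '      - run: npm publish --tag ${{ inputs.tag }}',
  '      # - run: npm publish --tag latest',
].join('\n');

console.log(findLatestPublishes(GOOD_WORKFLOW));
console.log(findLatestPublishes(TAMPERED_WORKFLOW));
```

Run as a required status check together with a CODEOWNERS rule on the workflow directory, this makes a changed publish tag visible at review time, but it remains a repository-side control rather than a registry-side one.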