fix: add set -euo pipefail to provenance workflow shell steps

[John-David Dalton (jdalton)]

Summary

• Add set -euo pipefail to 3 shell steps in provenance.yml: setup-script, publish-script, and access-script
• Without this, failures in these steps are silently ignored and publishing continues with broken state

Cascade

This is a Layer 3 change. After merge:

1. Layer 4 PR needed to update _local-not-for-reuse-provenance.yml (+ ci.yml, weekly-update) SHA pins
2. External repos that reference provenance.yml need the propagation SHA

Test plan

• YAML syntax valid
• No other refs changed

[John-David Dalton (jdalton)]

Closing — this change is unnecessary. GitHub Actions run: steps already default to bash --noprofile --norc -e -o pipefail {0}, so set -e and pipefail are already active. The only addition would be -u (treat unbound variables as errors), which risks breaking legitimate unset variable patterns and isn't worth the cascade cost.