Switch to npm trusted publishing (OIDC) (#327)

Replace NPM_TOKEN-based authentication with OIDC trusted publishing.
This eliminates the need for long-lived npm access tokens.

Changes:
- Add id-token: write permission to the release job
- Add registry-url to setup-node
- Remove the setup authentication step (.npmrc token write)
- Remove NPM_TOKEN env var from the Publish packages step

Requires trusted publisher configuration on npmjs.com for each package.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: ericsciple

.github/workflows/release.yml

@@ -60,6 +60,7 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write
 
     env:
       PKG_VERSION: "" # will be set in the workflow
@@ -71,6 +72,7 @@ jobs:
         with:
           node-version: 22.x
           cache: "npm"
+          registry-url: 'https://registry.npmjs.org'
           scope: '@actions'
 
       - name: Parse version from lerna.json
@@ -97,13 +99,6 @@ jobs:
             core.summary.addLink(`Release v${{ env.PKG_VERSION }}`, release.data.html_url);
             await core.summary.write();
 
-      - name: setup authentication
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Publish packages
         run: |
-          lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version