feat(ci): enable npm trusted publishing for release workflow

Replace long-lived NPM_AUTH_TOKEN with OIDC-based trusted publishing.
Adds id-token: write permission so GitHub Actions can generate short-lived
OIDC tokens that npm exchanges for publish credentials automatically.
Also bumps Node to 22 as required by npm trusted publishing (needs
npm CLI 11.5.1+ and Node 22.14.0+).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sserrata

.github/workflows/release.yaml

@@ -11,6 +11,7 @@ env:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -26,10 +27,9 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
       - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
         with:
-          node-version: "20"
+          node-version: "22"
           registry-url: "https://registry.npmjs.org"
       - name: Release
         run: npx ts-node --transpile-only scripts/publish.ts
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}