ci: migrate canary release to npm trusted publishing (OIDC)

Replace NPM_AUTH_TOKEN secret with OIDC-based trusted publishing,
matching the pattern already used in release.yaml:
- Add id-token: write permission
- Add registry-url to setup-node (configures .npmrc for OIDC)
- Remove manual .npmrc token injection and NPM_AUTH_TOKEN secret

Requires trusted publisher entries on npmjs.com for canary-release.yml
for both docusaurus-plugin-openapi-docs and docusaurus-theme-openapi-docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sserrata

.github/workflows/canary-release.yml

@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   publish-canary:
@@ -24,20 +25,16 @@ jobs:
         uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
         with:
           node-version: "22"
+          registry-url: "https://registry.npmjs.org"
           cache: yarn
       - name: Prepare git
         run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git fetch
           git checkout main
-          echo "//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}" >> .npmrc
-        env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
       - name: Installation
         run: yarn && yarn build-packages
       - name: Publish Canary release
         run: |
           yarn canary
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}