fix(publish-cross-org): drop NPM_TOKEN fallback, trusted-publishing only

Mirrors socket-addon@4caf99f's parallel change — see that commit for
the rationale. socket-bin's allowlist is empty today, so the first real
publish will be the first one that hits this trust path; better to ship
with no fallback than to discover the fallback was relied upon when
the OIDC path was broken.

Author: jdalton

.github/workflows/publish-cross-org.yml

@@ -62,7 +62,13 @@ jobs:
           RELEASE_TAG: ${{ inputs.release-tag }}
           DRY_RUN: ${{ inputs.dry-run }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # Auth is trusted-publishing only: `npm publish --provenance`
+          # mints an OIDC token from this workflow's `id-token: write`
+          # permission and npm verifies against the package's trusted-
+          # publisher config (configured per-package on npmjs.com,
+          # pointing at SocketDev/socket-bin + this workflow path).
+          # No NPM_TOKEN env on purpose — a long-lived token would
+          # widen the trust gate.
         run: node scripts/publish-cross-org.mts
 
       - name: Summarize publish