fix: remove NPM_TOKEN, use OIDC trusted publishing like socket-cli

The original ENEEDAUTH failure was caused by missing registry-url in
setup-node, not missing NPM_TOKEN. With registry-url set, OIDC
trusted publishing works for both existing and new packages.

Also fixes zizmor secrets-outside-env warnings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Wenxin-Jiang

.github/workflows/release.yml

@@ -291,8 +291,6 @@ jobs:
           stage_win socket-patch-aarch64-pc-windows-msvc     npm/socket-patch-win32-arm64
 
       - name: Publish platform packages
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           for pkg_dir in npm/socket-patch-*/; do
             echo "Publishing ${pkg_dir}..."
@@ -306,8 +304,6 @@ jobs:
         run: cp README.md npm/socket-patch/README.md
 
       - name: Publish main package
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish ./npm/socket-patch --provenance --access public
 
   pypi-publish: