fix: restore NPM_TOKEN with environment for new package publishing

OIDC trusted publishing doesn't work for brand new packages that
don't exist on the npm registry yet. The new -gnu/-musl packages
need NPM_TOKEN for their first publish.

Added `environment: npm-publish` to satisfy zizmor's
secrets-outside-env audit. The environment needs to be created
in the repo settings with the NPM_TOKEN secret.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Wenxin-Jiang

.github/workflows/release.yml

@@ -233,6 +233,7 @@ jobs:
     needs: [version, build]
     if: ${{ !inputs.dry-run }}
     runs-on: ubuntu-latest
+    environment: npm-publish
     permissions:
       contents: read
       id-token: write
@@ -291,6 +292,8 @@ jobs:
           stage_win socket-patch-aarch64-pc-windows-msvc     npm/socket-patch-win32-arm64
 
       - name: Publish platform packages
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           for pkg_dir in npm/socket-patch-*/; do
             echo "Publishing ${pkg_dir}..."
@@ -304,6 +307,8 @@ jobs:
         run: cp README.md npm/socket-patch/README.md
 
       - name: Publish main package
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish ./npm/socket-patch --provenance --access public
 
   pypi-publish: