fix: upgrade npm for OIDC trusted publishing (#350)

- Upgrade Node.js to 22.x and add npm upgrade to ensure 11.5.1+
  (required for OIDC trusted publishing)
- Add --tag latest for prerelease versions (npm 11.5.1+ requires it)
- Clean up permissions comments

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tejaskash

.github/workflows/release.yml

@@ -284,8 +284,8 @@ jobs:
       name: npm-publish
       url: https://www.npmjs.com/package/@aws/agentcore
     permissions:
-      contents: write
-      id-token: write
+      id-token: write # Required for OIDC trusted publishing
+      contents: write # Required to push git tags
 
     steps:
       - name: Checkout latest main (AFTER PR merge)
@@ -305,10 +305,16 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: 22.x
           cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Ensure npm 11.5.1+ for trusted publishing
+        run: |
+          echo "Current npm version: $(npm --version)"
+          npm install -g npm@latest
+          echo "Updated npm version: $(npm --version)"
+
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
@@ -350,8 +356,11 @@ jobs:
       - name: Build package
         run: npm run build
 
-      - name: Publish to npm
-        run: npm publish --access=public --provenance
+      - name: Publish to npm (using OIDC trusted publishing)
+        run: |
+          echo "Publishing with OIDC trusted publishing..."
+          echo "No NPM_TOKEN needed - using GitHub OIDC"
+          npm publish --access public --provenance --tag latest
 
       - name: Create and push tag
         env: