fix: use OIDC trusted publishing instead of NPM_TOKEN

npm provenance via GitHub OIDC — no secret needed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: phernandez

.github/workflows/release.yml

@@ -76,9 +76,7 @@ jobs:
           git push origin "${{ steps.bump.outputs.tag }}"
 
       - name: Publish to npm
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public
+        run: npm publish --provenance --access public
 
       - name: Create GitHub release
         uses: softprops/action-gh-release@v2