Commit 5e12c1a
chore(infra): consolidate npm publishing into a single workflow (tldraw#8936)
In order to make npm OIDC trusted publishing work across all of our
publish flows, this PR consolidates every npm publish (canary,
branch/internal, patch, new, manual, and the `production` "next"
channel) into a single `publish.yml` workflow. Closes tldraw#8935.

npm trusted publishing matches the OIDC `job_workflow_ref` claim against
a single workflow filename configured per package. Because we previously
published the same packages from several different workflows, only one
of them could authenticate and the rest failed with `ENEEDAUTH`. Routing
every flow through one workflow file means they all authenticate against
the same trusted publisher.
### What changed
- Added `.github/workflows/publish.yml`, a single workflow that:
  - Triggers on push to `main` (canary), `production` (next), and `v*.*.x`
    branches (patch), on the `publish-packages` PR label (internal), and on
    `workflow_dispatch` for `manual` and `new` releases.
  - Determines the publish mode and per-flow settings (`bemo_url`, whether
    to use the huppy app token) in a single "Determine publish mode" step,
    with input validation for the manual and new flows.
  - Runs the appropriate publish script (`publish-prerelease.ts`,
    `publish-patch.ts`, `publish-manual.ts`, `publish-new.ts`) based on the
    resolved mode.
  - Declares `environment: npm deploy` so the environment-scoped secrets
    (`R2_*`, `HUPPY_*`, `DISCORD_*`) resolve, and `id-token: write` for
    OIDC.
  - Preserves the per-flow orchestration that lived in the old workflows:
    PR comment + label removal for internal publishes, the tldraw-desktop
    dispatch for `next`, Discord failure notification, and the
    `publish-templates.yml` follow-up job.
- Removed the per-flow workflows (`publish-branch.yml`,
  `publish-canary.yml`, `publish-manual.yml`, `publish-new.yml`,
  `publish-patch.yml`) and the reusable `publish-npm.yml`.
- Updated `RELEASES.md` to document the new single-workflow process
(publishing new releases from `production` via `publish.yml` with the
`new` publish type).
### Follow-up required (not in this PR)
- [x] On npmjs.com, each publishable package must have its trusted
publisher set to org `tldraw`, repo `tldraw`, workflow filename
`publish.yml`, environment `npm deploy`. Until that is done, publishing
continues to fail with `ENEEDAUTH`.
### Change type
- [x] `other` (CI/infra)
### Test plan
These workflows can only be fully exercised by a real publish, so
verification is staged:
1. Confirm the workflow parses (actionlint) — actionlint is not
installed in the local environment, so this should be checked in CI.
2. After merge, register the trusted publishers on npm against
`publish.yml`.
3. Verify a canary publish on push to `main` succeeds end to end.
4. Verify a branch/internal publish (via the `publish-packages` label)
succeeds and comments the version.
### Code changes
| Section | LOC change |
| -------------- | ----------- |
| Config/tooling | +261 / -371 |

1 parent 86a8713 commit 5e12c1a
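As an added illustration (not tldraw's code), the following TypeScript models the two mechanisms the commit message describes: npm's trusted publisher check on the OIDC `job_workflow_ref` claim, which is why only one workflow filename per package can authenticate, and a "Determine publish mode" resolution for a single `publish.yml`. The input shapes and the `publish_type` dispatch input name are assumptions.

```typescript
// Added example, not tldraw's code. Input shapes and the `publish_type`
// dispatch input name are assumptions made for illustration.

export type PublishMode = 'canary' | 'next' | 'patch' | 'internal' | 'manual' | 'new'

export interface TrustedPublisher { owner: string; repo: string; workflow: string; environment?: string }
export interface OidcClaims { job_workflow_ref: string; environment?: string }

// The job_workflow_ref claim has the form "owner/repo/.github/workflows/<file>@<ref>".
// A publisher configured for publish.yml therefore rejects tokens minted by
// publish-canary.yml, publish-patch.yml, etc., even from the same repo.
export function matchesTrustedPublisher(claims: OidcClaims, tp: TrustedPublisher): boolean {
  const m = /^([^/]+)\/([^/]+)\/\.github\/workflows\/([^@]+)@/.exec(claims.job_workflow_ref)
  if (!m) return false
  const [, owner, repo, workflow] = m
  if (owner !== tp.owner || repo !== tp.repo || workflow !== tp.workflow) return false
  // A publisher pinned to an environment also requires the token's environment claim.
  return tp.environment === undefined || claims.environment === tp.environment
}

export interface TriggerContext {
  eventName: 'push' | 'pull_request' | 'workflow_dispatch'
  ref?: string                        // e.g. "refs/heads/main" on push events
  label?: string                      // label name on pull_request "labeled" events
  inputs?: { publish_type?: string }  // workflow_dispatch inputs (assumed input name)
}

const PATCH_BRANCH = /^refs\/heads\/v\d+\.\d+\.x$/

// Resolves the single workflow's mode from its trigger; throws for triggers that
// should not publish and for invalid manual/new inputs, so a bad dispatch fails
// before any publish script runs.
export function determinePublishMode(ctx: TriggerContext): PublishMode {
  switch (ctx.eventName) {
    case 'push':
      if (ctx.ref === 'refs/heads/main') return 'canary'
      if (ctx.ref === 'refs/heads/production') return 'next'
      if (ctx.ref !== undefined && PATCH_BRANCH.test(ctx.ref)) return 'patch'
      throw new Error(`push to ${ctx.ref} is not a publish trigger`)
    case 'pull_request':
      if (ctx.label === 'publish-packages') return 'internal'
      throw new Error(`label "${ctx.label}" does not trigger a publish`)
    case 'workflow_dispatch': {
      const t = ctx.inputs?.publish_type
      if (t === 'manual' || t === 'new') return t
      throw new Error(`publish_type must be "manual" or "new", got ${JSON.stringify(t)}`)
    }
    default:
      throw new Error(`unsupported event ${String(ctx.eventName)}`)
  }
}
```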
7 files changed
Lines changed: 286 additions & 387 deletions