ci(publish): unset GH-Actions OIDC env on test step

`id-token: write` causes GitHub Actions to inject
ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN. The CLI's `deploy apply` detects
those vars as "running in CI" and tries to exchange them for a Run402
session via `githubActionsCredentials()`, which calls a real endpoint
not handled by the e2e mockFetch. Unset on the test step only so the
publish steps below can still mint the OIDC token for npm Trusted
Publisher. (The existing .github/workflows/test.yml doesn't have
id-token: write, which is why this never surfaced there.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MajorTal

.github/workflows/publish.yml

@@ -121,6 +121,16 @@ jobs:
         run: npm run build
 
       - name: Run full test suite
+        # Workflow has `id-token: write`, so GitHub injects
+        # ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN. The CLI's `deploy apply`
+        # detects those vars as "running in GitHub Actions CI" and takes
+        # the OIDC-federation code path — which calls a real token-exchange
+        # endpoint not handled by the e2e mockFetch. Unset them on the test
+        # step ONLY; the publish steps below still need them to mint the
+        # OIDC token for the npm Trusted Publisher exchange.
+        env:
+          ACTIONS_ID_TOKEN_REQUEST_URL: ""
+          ACTIONS_ID_TOKEN_REQUEST_TOKEN: ""
         run: npm test
 
       - name: Bump version (lockstep)