ci(publish): use shell unset for GH-Actions OIDC env

`env: VAR: ""` only sets the var to empty string and keeps it defined
in the process env. GitHub appears to inject ACTIONS_ID_TOKEN_REQUEST_*
through a channel that bypasses step-level env overrides (the workflow
log showed our empty values but the runtime SDK still read non-empty
URLs and made the fetch call). Use shell `unset` which actually removes
the vars from the bash process env before npm test forks. Also unset
GITHUB_ACTIONS so `hasGithubActionsOidcEnv()` short-circuits to false
on the first check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: MajorTal

.github/workflows/publish.yml

@@ -125,13 +125,15 @@ jobs:
         # ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN. The CLI's `deploy apply`
         # detects those vars as "running in GitHub Actions CI" and takes
         # the OIDC-federation code path — which calls a real token-exchange
-        # endpoint not handled by the e2e mockFetch. Unset them on the test
-        # step ONLY; the publish steps below still need them to mint the
-        # OIDC token for the npm Trusted Publisher exchange.
-        env:
-          ACTIONS_ID_TOKEN_REQUEST_URL: ""
-          ACTIONS_ID_TOKEN_REQUEST_TOKEN: ""
-        run: npm test
+        # endpoint not handled by the e2e mockFetch. `env: VAR: ""` sets the
+        # var to an empty string but keeps it defined (and some code paths
+        # see them via different channels); using shell `unset` actually
+        # removes them from the process env before npm test forks. The
+        # publish steps below still inherit the workflow-level OIDC env
+        # because they don't run through this shell.
+        run: |
+          unset ACTIONS_ID_TOKEN_REQUEST_URL ACTIONS_ID_TOKEN_REQUEST_TOKEN GITHUB_ACTIONS
+          npm test
 
       - name: Bump version (lockstep)
         id: bump