chore(ci): switch npm publish to trusted publishing with provenance (#17)

## Summary
- Replace `NPM_TOKEN` secret with OIDC-based npm Trusted Publishing
- Add `id-token: write` permission for OIDC token generation
- Add `--provenance` flag for supply chain integrity attestation
- No long-lived secrets needed for npm publishing

## Test plan
- [x] Trusted Publishing configured on npmjs.com for this repository
- [ ] Next release publishes successfully with provenance badge on
npmjs.com

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: marcstraube

.github/workflows/release-please.yml

@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 
 jobs:
   release-please:
@@ -47,9 +48,7 @@ jobs:
 
       - name: Publish to npm
         if: ${{ steps.release.outputs.release_created }}
-        run: pnpm publish --access public --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: pnpm publish --access public --no-git-checks --provenance
 
       - name: Generate SBOM
         if: ${{ steps.release.outputs.release_created }}