ci: enable OIDC trusted publishing for npm

Configure GitHub Actions workflow to use OIDC authentication instead of
NPM_TOKEN for publishing packages. This provides better security by
eliminating long-lived secrets and enables automatic provenance attestation.

Changes:
- Add publish environment and id-token: write permission
- Remove NPM_TOKEN from workflow configuration
- Keep GITHUB_TOKEN for git operations

Ticket: VL-3686

Author: andrew-scott-fischer

.github/workflows/publish.yml

@@ -12,6 +12,10 @@ jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,9 +59,6 @@ jobs:
         run: |
           echo "workspaces-update = false" >> .npmrc
           echo "@bitgo:registry=https://registry.npmjs.org" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Install Packages
         run: npm ci --workspaces --include-workspace-root
@@ -72,4 +73,3 @@ jobs:
         run: npx lerna publish --yes --no-verify-access
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}