fix(ci): use OIDC provenance for npm publish

Replace NPM_TOKEN auth with --provenance flag for trusted publishing
via GitHub Actions OIDC. Requires id-token: write permission (already
set) and npm trusted publishing configured on the package.

Author: lukeocodes

.github/workflows/release-please.yml

@@ -44,6 +44,4 @@ jobs:
 
       - name: Publish to npm
         if: ${{ steps.release.outputs.release_created }}
-        run: pnpm publish --access public --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: pnpm publish --access public --no-git-checks --provenance