chore: update npm publishing to use OIDC authentication

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN environment variable from publish job
- Removed 'npm config set' command that configured static token authentication
- Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
- Preserved all existing jobs, steps, conditions, and INTERCOM_API_KEY environment variable

Author: fern-support

.github/workflows/ci.yml

@@ -38,6 +38,8 @@ jobs:
     needs: [ compile, test ]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -50,13 +52,13 @@ jobs:
 
       - name: Publish to npm
         run: |
-          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          publish() {
+            npx -y npm@latest publish "$@"
+          }
           if [[ ${GITHUB_REF} == *alpha* ]]; then
-            npm publish --access public --tag alpha
+            publish --access public --tag alpha
           elif [[ ${GITHUB_REF} == *beta* ]]; then
-            npm publish --access public --tag beta
+            publish --access public --tag beta
           else
-            npm publish --access public
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.FERN_NPM_TOKEN }}
+            publish --access public
+          fi