ci(publish): use npm trusted publishers with OIDC (#99)

## Summary
- Add OIDC permissions (`id-token: write`) for npm trusted publishers
- Update Node.js to version 22
- Remove `NODE_AUTH_TOKEN` secret (no longer needed with trusted
publishing)

<!-- Reviewable:start -->
- - -
This change is [<img src="https://reviewable.io/review_button.svg"
height="34" align="absmiddle"
alt="Reviewable"/>](https://reviewable.io/reviews/m-lab/ndt7-js/99)
<!-- Reviewable:end -->

Author: robertodauria

.github/workflows/publish.yml

@@ -4,6 +4,10 @@ on:
   release:
     types: [created]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -15,7 +19,7 @@ jobs:
     - name: Setup Node.js
       uses: actions/setup-node@v6
       with:
-        node-version: 20
+        node-version: 22
         cache: 'npm'
         registry-url: 'https://registry.npmjs.org'
 
@@ -30,5 +34,3 @@ jobs:
 
     - name: Publish to npm
       run: npm publish --access public
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}