fix: use NODE_AUTH_TOKEN for npm publish auth

setup-node with registry-url creates .npmrc that reads NODE_AUTH_TOKEN.
Drop manual .npmrc writing and npm@latest update.
OIDC provenance for scoped packages has open bugs with changesets,
so we use the NPM_TOKEN directly via NODE_AUTH_TOKEN.

Author: RostiMelk

.github/workflows/release.yml

@@ -47,16 +47,10 @@ jobs:
           node-version: lts/*
           registry-url: https://registry.npmjs.org
 
-      - name: Update npm for trusted publishing (OIDC)
-        run: npm install -g npm@latest
-
       - run: bun install --frozen-lockfile
 
       - run: bun run build
 
-      - name: Authenticate with npm
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
-
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 # v1.6.0
@@ -66,4 +60,5 @@ jobs:
           setupGitUser: false
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true