chore: update npm publishing to use OIDC authentication (#213)

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN from environment variables
- Removed npm config set command that configured static token authentication
- Updated npm publish commands to use npx -y npm@latest publish wrapped in a publish() function
- Removed the env block containing NPM_TOKEN secret

Author: fern-support

.github/workflows/ci.yml

@@ -33,6 +33,8 @@ jobs:
     needs: [ compile ]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -45,13 +47,13 @@ jobs:
 
       - name: Publish to npm
         run: |
-          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          publish() {  # use latest npm to ensure OIDC support
+            npx -y npm@latest publish "$@"
+          }
           if [[ ${GITHUB_REF} == *alpha* ]]; then
-            npm publish --access public --tag alpha
+            publish --access public --tag alpha
           elif [[ ${GITHUB_REF} == *beta* ]]; then
-            npm publish --access public --tag beta
+            publish --access public --tag beta
           else
-            npm publish --access public
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+            publish --access public
+          fi