@gnbm commented Oct 30, 2025

Pull request checklist

Please check if your PR fulfills the following requirements:

  • Docs have been reviewed and added / updated if needed (for bug fixes / features)
  • Build (npm run build) was run locally and any changes were pushed
  • Tests (npm test) were run locally and passed
  • [] Prettier (npm run prettier) was run locally and passed

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe): Workflow configuration update

What is the current behavior?

  • Some dependencies were outdated
  • Release workflows still pass long-lived npm tokens to the shared publish action, even though that action now relies on OIDC trusted publishing. This leaves unused secret references in the workflows and doesn’t fully enforce the token-free model.
  • Typed rule coverage was missing for config exports, ban-side-effects, dependency-suggestions, strict-mutable, and strict-boolean-conditions, leaving major rule branches untested.
  • Tests used .spec.ts filenames that Vitest didn’t pick up, fixtures were inline, and several edge cases weren’t exercised.
  • The suite often timed out at 10 s while the typed ESLint rules resolved project metadata.
  • The release workflow still referenced a long-lived GH_ADMIN_PAT, triggering a context warning when using trusted publishing.

GitHub Issue Number: N/A

What is the new behavior?

  • Updated test tooling:
    • jsdom to ^27.0.1
    • @types/jsdom to ^27.0.0
    • @types/node to ^24.9.2
    • @typescript-eslint/eslint-plugin to ^8.46.2
    • @typescript-eslint/parser to ^8.46.2
    • @vitest/coverage-v8 to ^4.0.5
    • eslint to ^9.38.0
    • rolldown-plugin-dts to ^0.17.3
    • typescript to ^5.9.3
    • vitest to ^4.0.5

  • Removed the token input from release.yml so the job depends solely on OIDC.
  • Kept the PAT input used for tagging/releases while leaving the composite action to request npm tokens via OIDC.
  • Confirmed that the publish job retains permissions: id-token: write, satisfying npm’s trusted publisher guidance.
  • Added cross-platform Vitest suites (tests/**/*.test.ts) with dedicated fixtures that cover the previously untested configs and rules.
  • Renamed legacy .spec.ts files to .test.ts and expanded fixtures to cover unions, option toggles, skip logic, and mutable prop handling.
  • Increased the Vitest timeout to 30 s and aligned the branch coverage threshold to 75%, keeping other thresholds intact.

Does this introduce a breaking change?

  • Yes
  • No

Testing

  • npm build

  • npm test

    • Verified output shows all suites passing locally:
      • Test Files: 27 passed
      • Tests: 30 passed
  • Consider triggering dev/stable release jobs to verify OIDC publishing end-to-end.

Other information

  • N/A

@gnbm added the github_actions and dependencies labels Oct 30, 2025
@gnbm marked this pull request as ready for review October 30, 2025 18:03
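
The workflow change described in this pull request (dropping the npm token input while keeping `id-token: write` on the publish job) can be checked mechanically. The following is an added example, not code from this pull request or its repository: a small line-based audit of a workflow file. The sample workflow, the action path, the job name `publish`, the input names and the `NPM_TOKEN` secret are assumptions made for illustration; it also assumes two-space indentation and that `jobs:` is the last top-level key.

```python
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
OIDC_PERM = re.compile(r"^\s*id-token:\s*write\b")
JOB_KEY = re.compile(r"^  ([\w-]+):\s*$")  # assumes job keys indented by two spaces

# Constructed pre-change workflow excerpt. The action path, job name, input names
# and NPM_TOKEN are hypothetical; GH_ADMIN_PAT is the secret named in the PR text.
BEFORE = """\
on: workflow_dispatch
jobs:
  publish:
    permissions:
      contents: write
    steps:
      - uses: example-org/shared/publish@v1
        with:
          token: ${{ secrets.NPM_TOKEN }}
          pat: ${{ secrets.GH_ADMIN_PAT }}
"""

def split_jobs(text):
    """Map job name -> [(lineno, line)]; lines above `jobs:` go under '<top>'."""
    jobs, current, in_jobs = {"<top>": []}, "<top>", False
    for no, line in enumerate(text.splitlines(), 1):
        if line.rstrip() == "jobs:":
            in_jobs = True
        elif in_jobs and JOB_KEY.match(line):
            current = JOB_KEY.match(line).group(1)
            jobs[current] = []
        else:
            jobs[current].append((no, line))
    return jobs

def audit(text, publish_job="publish", allowed=frozenset()):
    """List leftover secret references and a publish job that lacks OIDC."""
    jobs = split_jobs(text)
    top_oidc = any(OIDC_PERM.match(l) for _, l in jobs.pop("<top>"))
    findings = []
    for name, lines in jobs.items():
        # A job-level permissions block replaces the workflow-level one.
        own_block = any(l.strip().startswith("permissions:") for _, l in lines)
        job_oidc = any(OIDC_PERM.match(l) for _, l in lines)
        if name == publish_job and not (job_oidc if own_block else top_oidc):
            findings.append(f"{name}: no 'id-token: write' permission")
        for no, line in lines:
            for secret in SECRET_REF.findall(line):
                if secret not in allowed:
                    findings.append(f"{name}:{no}: references secrets.{secret}")
    return findings
```

Pass `allowed={"GH_ADMIN_PAT"}` to accept the PAT that the description says is kept for tagging and releases; the check does not recognise `permissions: write-all` as granting the OIDC permission.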