ci: drop NPM_TOKEN and registry-url from publish.yml

Same fix that just landed in seo-graph's release.yml. With
registry-url set, actions/setup-node writes a .npmrc file
referencing ${NODE_AUTH_TOKEN} and injects a placeholder, which
npm publish then tries to use instead of OIDC trusted publishing.
And the NODE_AUTH_TOKEN env mapping from NPM_TOKEN explicitly
shadows OIDC too.

@jdevalk/emdash-plugin-seo already has trusted publishing
configured on npmjs.com for this repo + publish.yml, so
authentication flows through the GitHub Actions OIDC token once
the token paths are out of the way. id-token: write was already
set at the job level.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jdevalk

.github/workflows/publish.yml

@@ -16,7 +16,11 @@ jobs:
       - uses: actions/setup-node@v5
         with:
           node-version: 22
-          registry-url: https://registry.npmjs.org
+          # Deliberately no `registry-url` here. When set, setup-node
+          # writes a `.npmrc` referencing ${NODE_AUTH_TOKEN} and injects
+          # a placeholder token that npm publish then tries to
+          # authenticate with, bypassing OIDC trusted publishing.
+          # Leaving it off means no `.npmrc` is created, npm uses the
+          # default registry (npmjs.org), and trusted publishing can
+          # authenticate via the GitHub Actions OIDC token.
       - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}