
Commit 2fdd09b

rgarcia and cursoragent authored
chore: switch npm publish from token to OIDC trusted publishers (#107)
## Summary

- Switches `@onkernel/cli` npm publishing from `NPM_TOKEN` secret to OIDC trusted publishers
- Based on the approach validated in [frenchi/test-goreleaser-npm-trusted](https://github.com/frenchi/test-goreleaser-npm-trusted)

## Changes to `.github/workflows/release.yaml`

| Change | Why |
|--------|-----|
| Added `id-token: write` permission | Required for GitHub Actions to mint an OIDC token for npm |
| Added `npm install -g npm@latest` step | npm >= 11.5.1 is required for OIDC trusted publishing |
| Removed `NPM_TOKEN` and `NODE_AUTH_TOKEN` env vars from GoReleaser step | No longer needed — goreleaser's npm pipe picks up the OIDC token automatically |

## Prerequisites

- GitHub must be configured as a trusted publisher for `@onkernel/cli` on npmjs.com ([docs](https://docs.npmjs.com/trusted-publishers))

## Test plan

- [ ] Verify the next tag-triggered release publishes `@onkernel/cli` to npm successfully
- [ ] After confirming, remove the `NPM_TOKEN` secret from the repo settings

---

> [!NOTE]
> **Medium Risk**
> Changes release/publishing authentication; failures could block npm releases if OIDC/npm configuration isn't correct.
>
> **Overview**
> Switches the release workflow to publish to npm via **OIDC trusted publishing** instead of an `NPM_TOKEN` secret.
>
> The workflow now grants `id-token: write`, updates npm to a version that supports OIDC, and removes `NPM_TOKEN`/`NODE_AUTH_TOKEN` from the GoReleaser environment so publishing relies on the minted OIDC token.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 72531b1. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 95a6543 commit 2fdd09b
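The commit grants `id-token: write` and upgrades npm, but nothing in the job confirms that either precondition actually holds before GoReleaser tries to publish. The preflight script below is an added example for this review, not the project's workflow and not code from the PR. It assumes that GitHub Actions exposes `ACTIONS_ID_TOKEN_REQUEST_URL` to a job only when that job has `id-token: write`, takes the npm >= 11.5.1 minimum from the commit message, and the function names `version_ge`, `npm_supports_oidc`, `oidc_token_available` and `preflight` are hypothetical. The checks take their inputs as arguments so the script runs offline; in a workflow `run:` step you would call `preflight "$(npm --version)" "$ACTIONS_ID_TOKEN_REQUEST_URL"` just before the GoReleaser step.

```shell
#!/usr/bin/env sh
# Preflight checks for an npm OIDC trusted-publishing job.
# Added example; assumptions: GitHub Actions sets ACTIONS_ID_TOKEN_REQUEST_URL only
# when the job has `id-token: write`, and trusted publishing needs npm >= 11.5.1
# (the minimum the commit message states). Function names are hypothetical.

NPM_MIN_VERSION="11.5.1"

# version_ge A B -> returns 0 when dotted version A >= B (numeric, field by field).
# Missing fields count as 0 ("11.5" == "11.5.0"); a pre-release suffix such as
# "11.5.1-pre.0" is ignored so only the numeric part is compared.
version_ge() {
  a="$1"; b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x%%-*}; y=${y%%-*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# npm_supports_oidc VERSION -> 0 when VERSION meets the trusted-publishing minimum.
npm_supports_oidc() {
  version_ge "$1" "$NPM_MIN_VERSION"
}

# oidc_token_available [URL] -> 0 when the runner exposed the OIDC request endpoint,
# i.e. the job really has `id-token: write`. The URL is a parameter so the check is
# testable; it defaults to the real ACTIONS_ID_TOKEN_REQUEST_URL variable.
oidc_token_available() {
  url="${1-${ACTIONS_ID_TOKEN_REQUEST_URL-}}"
  [ -n "$url" ]
}

# preflight NPM_VERSION OIDC_URL -> prints a diagnosis and returns non-zero on the
# first failed check, so a `run:` step built on it fails before anything publishes.
preflight() {
  if ! npm_supports_oidc "$1"; then
    echo "npm $1 is below the trusted-publishing minimum $NPM_MIN_VERSION" >&2
    return 1
  fi
  if ! oidc_token_available "$2"; then
    echo "ACTIONS_ID_TOKEN_REQUEST_URL is unset: the job lacks 'id-token: write'" >&2
    return 2
  fi
  echo "npm $1 and OIDC endpoint present: trusted publishing can proceed"
}

# In the workflow this would run as:
#   preflight "$(npm --version)" "$ACTIONS_ID_TOKEN_REQUEST_URL"
```

Because the version check compares the installed npm rather than the version named in a step title, it also guards against `npm@latest` resolving to something unexpected on a future runner image, and the endpoint check catches the case where `id-token: write` is later moved or dropped from the permissions block.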


1 file changed, +4 -2 lines changed


.github/workflows/release.yaml

Lines changed: 4 additions & 2 deletions
@@ -7,6 +7,7 @@ on:
77

88
permissions:
99
contents: write
10+
id-token: write # Required for npm OIDC trusted publishers
1011

1112
jobs:
1213
release:
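Review bot: `id-token: write` is added to the workflow-level `permissions:` block next to `contents: write`, so every job in this workflow (not only `release`) can mint an OIDC token. The token is only needed by the step that publishes to npm, so consider scoping it with a `permissions:` block under `jobs.release:` instead, which also keeps any job added later from inheriting it. The inline comment could name the consumer (goreleaser's npm pipe) so the permission is not later removed as unused.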
@@ -29,6 +30,9 @@ jobs:
2930
node-version: '20'
3031
registry-url: 'https://registry.npmjs.org'
3132

33+
- name: Ensure latest npm (>= 11.5.1 for OIDC)
34+
run: npm install -g npm@latest
35+
3236
- name: Clean templates
3337
run: make clean-templates
3438

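Review bot: the step name promises npm >= 11.5.1, but `npm install -g npm@latest` installs whatever npm is current on the day of the release, so the publishing toolchain is unpinned and a future npm release can change behaviour with no change to this repo. Pin a version that meets the requirement and assert it, e.g. `run: npm install -g npm@11.5.1 && npm --version`, then bump deliberately. Also check that the Node 20 line selected by `node-version: '20'` satisfies the engine range of whichever npm 11.x you pin, since a too-old Node would make the install itself fail.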
@@ -41,5 +45,3 @@ jobs:
4145
env:
4246
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
4347
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
44-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
45-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
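Review bot: dropping `NPM_TOKEN`/`NODE_AUTH_TOKEN` from the GoReleaser env is the right direction, but `NODE_AUTH_TOKEN` is also the variable that setup-node's `registry-url` input (kept earlier in the job) wires into the `.npmrc` it generates, so the first tag-triggered release should confirm that an unset or placeholder token in that file does not take precedence over the OIDC flow; if GoReleaser publishes on its own, `registry-url` can be removed along with the env vars. Separately, the test plan only removes the `NPM_TOKEN` secret from repo settings; deleting the secret does not invalidate the token itself, so revoke it on npmjs.com as well once the OIDC release succeeds. `GITHUB_TOKEN: ${{ secrets.GH_PAT }}` is a long-lived credential of the same kind and is out of scope here, but the same reasoning applies to it.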

0 commit comments
