Add OIDC trusted publishing workflow for npm

[Copilot]

Adds a GitHub Actions workflow to publish @clickhouse/parser to npm using OIDC trusted publishing, eliminating the need for long-lived NPM_TOKEN secrets.

Changes

• New .github/workflows/publish.yml — publishes on release: published (plus manual workflow_dispatch).
• OIDC auth — id-token: write permission enables short-lived token exchange; no npm secret stored.
• npm-publish environment — scopes the job so environment protection rules (required reviewers, etc.) gate publishes.
• Node 24 — ships with an npm version new enough (≥ 11.5.1) for trusted publishing, avoiding a manual npm upgrade step.
• Provenance — npm publish --provenance --access public attaches build provenance attestations.

permissions:
  contents: read
  id-token: write
environment: npm-publish

Follow-up (outside this repo)

• Register the repo + publish.yml + npm-publish environment as a trusted publisher on npmjs.com.
• Create the npm-publish environment in repo settings.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}