chore(ci): switch to npm trusted publishing with OIDC

[kadel]

Summary

• Replace long-lived NPM_TOKEN secret authentication with OIDC-based
  npm Trusted Publishing
  for improved supply chain security.
• Add id-token: write permission to enable GitHub Actions OIDC token generation.
• Switch from yarn npm publish to npm publish as the npm CLI has
  native OIDC support, while Yarn Berry's support
  has known issues.

Why

npm Trusted Publishing eliminates the need for storing and rotating long-lived
npm access tokens (NPM_TOKEN) in CI. Instead, it uses short-lived,
workflow-specific OIDC credentials that cannot be exfiltrated or reused.
Provenance attestations are also generated automatically.

See: https://docs.npmjs.com/trusted-publishers/

Notes

• The trusted publisher has already been configured on the npm registry for
  @red-hat-developer-hub/cli.
• The NPM_TOKEN secret can be removed from the repository settings after
  this change is verified.

Test plan

• Trigger publish.yaml via workflow_dispatch and verify successful
  publish to npm with OIDC authentication.
• Confirm provenance attestation appears on the npm package page.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[davidfestal]

/lgtm

[kadel]

no need to wait for e2e, this is ci/cd only change, has no effect on codebase