Migrate npm release workflow to trusted publishing #535

@pomber

The current release workflow publishes to npm with the NPM_TOKEN GitHub secret. That token appears to be long-lived and manual to rotate, and it just caused a failed release when npm rejected the publish attempt for codehike@1.1.0.

We should migrate the release pipeline to npm trusted publishing with GitHub Actions OIDC so releases do not depend on a stored granular token.

Context:

  • Current workflow: .github/workflows/release-pr-merged.yml
  • Current release script: .github/scripts/release.mjs
  • Current behavior: workflow injects NPM_TOKEN, writes ~/.npmrc, and runs changeset publish
  • Recent failure: GitHub Actions run 23185679623, job 67368464586

Proposed changes:

  • Add id-token: write permission to the release job
  • Stop passing NPM_TOKEN into the workflow
  • Remove the .npmrc token-writing step from release.mjs
  • Ensure the publish environment uses an npm CLI version supported by npm trusted publishing
  • Configure codehike on npm to trust publishes from this repo/workflow

Acceptance criteria:

  • Release workflow can publish codehike without NPM_TOKEN
  • GitHub Actions release run succeeds using npm trusted publishing
  • NPM_TOKEN secret can be deleted after one successful release

Notes:

  • This is a small code change but requires matching npm-side trusted publisher configuration for the exact repo/workflow.
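The proposed changes, sketched as a workflow in YAML. This is an added illustration, not the repository's actual release-pr-merged.yml or release.mjs; the trigger branch, job name, the `contents: write` permission, and the use of `npx changeset publish` as the publish command are assumptions. The guard step is there so a reintroduced token fails the job loudly instead of silently reviving the old publish path.

```yaml
# Illustrative replacement for .github/workflows/release-pr-merged.yml (not the project's file)
name: Release on merged release PR

on:
  push:
    branches: [main]   # assumption: releases are cut from main

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # assumption: needed for changesets to push tags/changelog
      id-token: write  # required: lets the job request a GitHub OIDC token for npm
    # No `env: NODE_AUTH_TOKEN` / NPM_TOKEN here: the secret is no longer passed in.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # Trusted publishing is implemented in recent npm CLI releases; the npm bundled
      # with the runner's Node may be too old, so upgrade it explicitly.
      - name: Use an npm CLI that supports trusted publishing
        run: npm install -g npm@latest && npm --version
      - run: npm ci
      # Guard: fail fast if a token sneaks back in via env or a written ~/.npmrc.
      - name: Assert no npm token is present
        run: |
          if [ -n "${NPM_TOKEN:-}" ] || [ -n "${NODE_AUTH_TOKEN:-}" ]; then
            echo "NPM_TOKEN/NODE_AUTH_TOKEN must not be set for trusted publishing" >&2
            exit 1
          fi
          if [ -f "$HOME/.npmrc" ] && grep -q '_authToken' "$HOME/.npmrc"; then
            echo "~/.npmrc still contains an _authToken entry" >&2
            exit 1
          fi
      # npm exchanges the OIDC token for a short-lived publish credential on its own,
      # provided npmjs.com has this repo + workflow file registered as a trusted
      # publisher for the codehike package (the npm-side configuration from the Notes).
      - name: Publish
        run: npx changeset publish   # assumption: delegates to `npm publish`
```

On the npm side, the trusted publisher entry must name the exact repository and the workflow filename (release-pr-merged.yml); a mismatch is rejected at publish time rather than at configuration time.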
