ci(release): use node 24 and drop registry-url for OIDC publish

First v2.0.0 publish attempt 404'd. Two stacked issues:

1. actions/setup-node@v6 with registry-url: writes an .npmrc containing
   `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`. We never set
   NODE_AUTH_TOKEN, so npm sees the literal `XXXXX-XXXXX-XXXXX-XXXXX`
   placeholder as the auth token. That bogus credential overrides the
   OIDC flow and npm replies 404 (its stock response for failed auth on
   an existing package).

2. Node 20 ships npm 10.x; Trusted Publisher OIDC publish support
   landed in npm 11.5.1. Even with the .npmrc fix, Node 20's npm would
   not have used the OIDC token.

Bump release runner to Node 24 (npm 11.x native) and drop registry-url
so npm uses the native OIDC auth path. The CI workflow stays on Node 20
to keep verifying our package.json engines.node minimum.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tkirda-bison

.github/workflows/release.yml

@@ -29,9 +29,16 @@ jobs:
 
       - uses: actions/setup-node@v6
         with:
-          node-version: 20
+          # Node 24 ships npm 11.x natively, which has Trusted Publisher
+          # OIDC publish support (landed in npm 11.5.1). Node 20 ships
+          # npm 10.x and would need a separate `npm install -g npm@latest`.
+          # The CI workflow stays on Node 20 to verify package.json
+          # engines.node minimum — but for releasing we want the modern CLI.
+          node-version: 24
           cache: npm
-          registry-url: https://registry.npmjs.org
+          # Deliberately no `registry-url:` — that flag makes setup-node
+          # write an .npmrc with `_authToken=${NODE_AUTH_TOKEN}` which
+          # overrides OIDC. We want npm to use the native OIDC auth flow.
 
       - run: npm ci