Fix npm publish auth path in release workflow (trusted publishing) #416

Draft
Copilot wants to merge 2 commits into main from copilot/fix-publish-to-npm-job

Contributor

Copilot AI commented Jun 6, 2026

The Publish to npm job failed in GitHub Actions with E404 during npm publish --provenance, indicating the publish request was not using the expected npm trusted-publishing auth path. This change aligns the release workflow’s CLI publish step with OIDC-based publishing and avoids token-config interference.

  • Root cause addressed: token-based npm config leaking into publish step
    • In publish-cli-npm, removed registry-url: https://registry.npmjs.org from the publish job’s setup-node step so it no longer prepares auth via npmrc/token for that job context.
  • Publish step hardened for OIDC trusted publishing
    • Updated the npm publish command to explicitly publish as public and neutralize token-based auth inputs in that step:
      • NODE_AUTH_TOKEN is set to empty.
      • NPM_CONFIG_USERCONFIG is set to /dev/null.
      • Command now runs with --provenance --access public.
  • Scope
    • Only .github/workflows/release.yml was changed; no application/runtime code paths were modified.

- name: Publish to npm
  if: steps.cli_publish_check.outputs.should_publish == 'true'
  working-directory: ${{ env.CLI_PACKAGE_DIR }}
  env:
    NODE_AUTH_TOKEN: ''
    NPM_CONFIG_USERCONFIG: /dev/null
  run: npm publish --provenance --access public

Copilot AI changed the title [WIP] Fix failing GitHub Actions job Publish to npm Fix npm publish auth path in release workflow (trusted publishing) Jun 6, 2026
Copilot AI requested a review from galaxyeye June 6, 2026 03:35
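A preflight check for the publish step described in the comment above, as an added example that is not part of the pull request or the project's workflow. It reports the token-based auth inputs the description names (a non-empty NODE_AUTH_TOKEN, an npmrc carrying an `_authToken` entry) and also checks for the two variables GitHub Actions exposes only when the job has `permissions: id-token: write`; the function name `check_publish_env` is hypothetical.

```shell
#!/bin/sh
# Added example: preflight for an npm trusted-publishing (OIDC) step.
# check_publish_env is a hypothetical helper, not part of the PR.
# Prints one finding per line; exit status is 0 when nothing was found.
# In a workflow step it would run as: check_publish_env || exit 1

check_publish_env() (
  findings=0
  # npm reads the user config from NPM_CONFIG_USERCONFIG, else ~/.npmrc.
  cfg="${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"

  # A non-empty token is substituted into any npmrc line that references it.
  if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo "NODE_AUTH_TOKEN is set (value not shown)"
    findings=1
  fi

  # Check the user config and a project-level .npmrc in the package directory.
  # /dev/null is not a regular file, so the PR's setting passes this test.
  for f in "$cfg" ./.npmrc; do
    if [ -f "$f" ] && grep -q '_authToken' "$f"; then
      echo "$f contains an _authToken entry"
      findings=1
    fi
  done

  # Both variables are present only when the job grants id-token: write.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: check 'permissions: id-token: write'"
    findings=1
  fi

  [ "$findings" -eq 0 ]
)
```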