Use npm Trusted Publishing (OIDC) instead of token with bypass 2FA

- Remove NODE_AUTH_TOKEN requirement
- Use OIDC authentication (more secure)
- Add --provenance flag for package attestation

Author: Ibrahim

.github/workflows/publish.yml

@@ -30,6 +30,7 @@ jobs:
         with:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
+          # Uses OIDC (Trusted Publishing) - no token needed
 
       - name: Extract version from tag
         id: version
@@ -68,11 +69,9 @@ jobs:
         run: npm run build --workspace=@xbim/wex-threejs
 
       - name: Publish to npm
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           cd packages/wex-threejs
-          npm publish --access public
+          npm publish --access public --provenance
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v1