chore: update npm publishing to use OIDC authentication

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job for OIDC authentication
- Removed NPM_TOKEN from environment variables in publish job
- Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
- Added publish() helper function that wraps 'npx -y npm@latest publish "$@"'
- Replaced direct 'npm publish' commands with 'publish' function calls

Author: fern-support

.github/workflows/ci.yml

@@ -35,6 +35,8 @@ jobs:
     needs: [ compile, test ]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -47,13 +49,13 @@ jobs:
 
       - name: Publish to npm
         run: |
-          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          publish() {  # use latest npm to ensure OIDC support
+            npx -y npm@latest publish "$@"
+          }
           if [[ ${GITHUB_REF} == *alpha* ]]; then
-            npm publish --access public --tag alpha
+            publish --access public --tag alpha
           elif [[ ${GITHUB_REF} == *beta* ]]; then
-            npm publish --access public --tag beta
+            publish --access public --tag beta
           else
-            npm publish --access public
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+            publish --access public
+          fi