
test: add npm OIDC perms to workflow #148

Open
Des-ava wants to merge 6 commits into dev from sec-test-0000--test/ci-oidc-permissions

Conversation

@Des-ava
Contributor

@Des-ava Des-ava commented Dec 16, 2025

No description provided.


@erictaylor erictaylor left a comment


High level notes on OIDC publishing:

  1. Permission id-token: write is only needed in workflows where the OIDC token is needed for publishing. That permission isn't needed otherwise, and unless it's absolutely needed it shouldn't be included in the workflow.
  2. Only a single workflow file can be used for NPM publishing via OIDC (per package). In the NPM settings for a package, you have to set the workflow file for OIDC to work. Having separate workflows for different publishing (i.e. main release vs canary releases etc.) won't work unfortunately. It's a limitation on NPM's setup of OIDC. So your publish.yml workflow and dev-release.yml will need to be consolidated into a single workflow for publishing that conditionally does different release types based on your desired workflow heuristics.
  3. Any workflows that are publishing via OIDC should still set a read-only NPM token during installation of packages. During a publish step, this token should not be used and OIDC would be used.
  4. NPM 11.5.1 or later is required for publishing via OIDC to work.

You can find all this information via:
https://docs.npmjs.com/trusted-publishers

Comment thread .github/workflows/ci.yml Outdated
Comment thread .github/workflows/ci.yml Outdated
Comment thread .github/workflows/publish.yml
Comment thread .github/workflows/publish.yml Outdated
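The consolidated single-workflow layout the review above describes, written out as an added example; this is not the project's publish.yml or dev-release.yml and not code from the PR. It assumes actions/checkout and actions/setup-node, a hypothetical read-only registry secret named NPM_READ_TOKEN, and a placeholder release heuristic (pushes to dev publish a canary under the `canary` dist-tag, `v*` tags publish a normal release); the branch and tag rules, Node version and canary versioning step are assumptions to be replaced with the project's own.

```yaml
# Added example, not the project's workflow. One publish workflow that
# handles both release types, because NPM trusted publishing binds a
# package to exactly one workflow file.
name: publish

on:
  push:
    branches: [dev]   # canary releases (assumed heuristic)
    tags: ['v*']      # stable releases (assumed heuristic)

# Default for every job: read-only. No id-token here.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # This job never publishes, so it gets no id-token: write.
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
        env:
          # Read-only token (assumed secret name) used only for installing.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_READ_TOKEN }}
      - run: npm test

  publish:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # the only job allowed to mint an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_READ_TOKEN }}
      # Trusted publishing requires npm >= 11.5.1: upgrade, then fail fast
      # if the installed version is still too old.
      - name: Ensure npm >= 11.5.1
        run: |
          npm install -g npm@latest
          node -e '
            const v = require("child_process").execSync("npm --version").toString().trim();
            const [a, b, c] = v.split(".").map(Number);
            const ok = a > 11 || (a === 11 && (b > 5 || (b === 5 && c >= 1)));
            if (!ok) { console.error(`npm ${v} is too old; need >= 11.5.1`); process.exit(1); }
            console.log(`npm ${v} ok`);
          '
      # Assumed canary versioning: prerelease version derived from the commit.
      - name: Set canary version
        if: github.ref == 'refs/heads/dev'
        run: npm version prerelease --preid "canary.${GITHUB_SHA::7}" --no-git-tag-version
      # No NODE_AUTH_TOKEN here: npm exchanges the GitHub OIDC token for a
      # short-lived registry credential instead of using a stored secret.
      - name: Publish
        run: |
          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
            npm publish --access public
          else
            npm publish --access public --tag canary
          fi
```

The file name of this workflow (here publish.yml) is what gets entered under the package's Trusted Publisher settings on npmjs.com; a second workflow file publishing the same package would not be accepted, which is why the canary and release paths live in one file and branch on the ref at publish time.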
@Des-ava
Contributor Author

Des-ava commented Dec 17, 2025

@erictaylor I've revised the configuration. Please let me know if this is more acceptable.



4 participants