ci: Bump action-npm-publish to v6

[Mrtenz]

This bumps action-npm-publish to v6 and enables trusted publishing with OIDC.

---

Note

Medium Risk
Changes how production NPM packages are authenticated and published; misconfigured OIDC or NPM trusted-publisher setup could block releases until secrets/registry settings are aligned.

Overview
Updates the Publish Release reusable workflow to use MetaMask/action-npm-publish@v6 for both the NPM dry-run and real publish jobs, replacing v5.

Trusted publishing (OIDC): The npm-publish job now requests id-token: write and contents: read so the action can authenticate to NPM without relying solely on a long-lived token. The workflow’s NPM_TOKEN caller secret is optional (required: false); the publish step still passes npm-token when provided, but OIDC can satisfy auth under v6.

^{Reviewed by Cursor Bugbot for commit 036c250. Bugbot is set up for automated code reviews on this repo. Configure here.}

[Mrtenz]

Already granted in main.yml so no need for any changes there.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.58%. Comparing base (cecffa1) to head (036c250).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4022   +/-   ##
=======================================
  Coverage   98.58%   98.58%           
=======================================
  Files         425      425           
  Lines       12364    12364           
  Branches     1948     1948           
=======================================
  Hits        12189    12189           
  Misses        175      175           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.