fix(ci): propagate id-token: write to publish job in release.yml

release.yml calls publish.yml via workflow_call with only
`contents: read` permission. Without `id-token: write` at the caller
job level, the OIDC env vars (ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN) are
not available inside the reusable workflow — so npm publish falls
through to 'requires you to be logged in', even though publish.yml
itself declares id-token: write.

Direct workflow_dispatch of publish.yml worked (no caller job to
filter permissions); release.yml -> publish.yml did not.

Author: ThePlenkov

.github/workflows/release.yml

@@ -117,7 +117,7 @@ jobs:
       version: ${{ needs.release.outputs.tag }}
     permissions:
       contents: read
-      id-token: write
+      id-token: write # needed for npm OIDC trusted publishing
 
   publish-gpr:
     name: Publish packages to GitHub Packages