feat(npm): switch CI auth from NPM_TOKEN to OIDC trusted publishing

[tkrugg]

Summary

Now that all 7 @algolia/cli* packages have trusted publishers configured on npmjs.org pointing at this repo's releases.yml, switch CI back to OIDC.
This should fix the current failing build because of OTP

Follow-up cleanup

The NPM_TOKEN repo secret can be deleted once this lands.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes.}

[Copilot]

Pull request overview

This PR updates the release workflow to publish the @algolia/cli* npm packages via npm’s OIDC trusted publishing instead of using the NPM_TOKEN secret, aligning CI publishing with the configured trusted publisher on npmjs.org.

Changes:

• Update the workflow permissions comment to reflect that id-token: write is used for trusted publishing as well as provenance.
• Remove NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} from the npm publish step so publishing relies on OIDC.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.