
Switch release workflow to npm Trusted Publishing#4

Merged
drudge merged 1 commit into main from drudge/trusted-publishing
May 1, 2026

Conversation

@drudge (Owner) commented May 1, 2026

Summary

Replaces NPM_TOKEN auth with npm's Trusted Publishing so the workflow gets short-lived OIDC tokens minted by GitHub at run time. Also enables provenance attestations — published artifacts will display "Built and signed on GitHub Actions" on the npm page.

  • permissions: id-token: write added so the runner can request an OIDC token.
  • Publish step swapped from `pnpm publish + NODE_AUTH_TOKEN` to `npm publish --provenance --access public`. npm CLI 9.5+ negotiates OIDC automatically when `ACTIONS_ID_TOKEN_REQUEST_URL` is set in the environment.
  • After this lands, the `NPM_TOKEN` secret can be deleted from https://github.com/drudge/emdash-plugin-postmark/settings/secrets/actions.

Required before re-tagging v0.2.0

  1. Register this workflow as a Trusted Publisher: https://www.npmjs.com/package/emdash-plugin-postmark/access → Trusted Publisher → Add → GitHub Actions
    • Owner: drudge
    • Repository name: emdash-plugin-postmark
    • Workflow filename: release.yml
    • Environment: (leave empty)
  2. Merge this PR.
  3. Delete and recreate the v0.2.0 tag so the new workflow runs:
    ```
    # remove the existing remote tag (it was pushed before the new workflow existed)
    git push origin :v0.2.0
    # make sure the local view of origin/main includes the merged workflow change
    git fetch origin main
    # recreate the annotated tag on the merged commit; -f overwrites the local v0.2.0
    git tag -af v0.2.0 -m "v0.2.0" origin/main
    # pushing the new tag is what triggers the release workflow
    git push origin v0.2.0
    ```

Test plan

  • YAML valid
  • Trusted Publisher registered on npm (manual)
  • After merge + retag, release workflow publishes v0.2.0 with provenance attestation visible on npmjs.com
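
A complete release workflow implementing the changes described above, as an added example; it is not the repository's own release.yml, which this page does not show. Assumptions: releases are cut from tags matching `v*`, dependencies are installed with pnpm (the PR mentions the old `pnpm publish` step), the package has a `build` script, and the action versions are major-version tags that a real workflow should pin to commit SHAs. One caveat on CLI versions: `npm publish --provenance` has existed since npm 9.5, but npm's trusted-publishing documentation requires npm CLI 11.5.1 or newer for the OIDC credential exchange itself, and the npm bundled with a given Node release may be older, which is why the workflow upgrades npm before publishing.

```yaml
# .github/workflows/release.yml
# Added example workflow for OIDC-based npm Trusted Publishing; not the
# project's own file. The filename must match the Trusted Publisher
# registration on npmjs.com exactly (here: release.yml).
name: release

on:
  push:
    tags: ['v*']            # assumption: releases are cut from v-prefixed tags

# Least privilege: the default token only needs read access to check out code.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Do NOT add `environment:` here unless the same name is registered on npm.
    # The registry compares the OIDC token's claims (owner, repository,
    # workflow file, environment) against the trusted-publisher entry.
    permissions:
      contents: read
      id-token: write       # lets this job request an OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4        # pin to a commit SHA in practice
      - uses: pnpm/action-setup@v4
        with:
          version: 9                     # assumption: project's pnpm major
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          cache: pnpm
      # Trusted publishing needs a recent npm CLI (11.5.1+ per npm's docs);
      # the npm bundled with Node may be older, so upgrade it first.
      - run: npm install -g npm@latest
      - run: pnpm install --frozen-lockfile
      - run: pnpm run build              # assumption: package defines a build script
      # No NODE_AUTH_TOKEN / NPM_TOKEN anywhere in this job: npm exchanges the
      # GitHub OIDC token for a short-lived publish credential and attaches a
      # provenance attestation tying the tarball to this workflow run.
      - run: npm publish --provenance --access public

  verify:
    # Consumer-side check: install the version just published and have npm
    # verify its registry signature and provenance attestation.
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g npm@latest
      - run: |
          set -eu
          version="${GITHUB_REF_NAME#v}"        # v0.2.0 -> 0.2.0
          mkdir verify && cd verify
          npm init -y >/dev/null
          npm install "emdash-plugin-postmark@${version}"
          # Exits non-zero if a registry signature or attestation fails to verify.
          npm audit signatures
```

Two points worth keeping in mind when adapting this: `id-token: write` is scoped to the publish job only, so the verify job (and anything else added later) cannot mint an OIDC token it does not need; and because the tag push is the trigger, anyone who can push a `v*` tag to this repository can publish a release, so tag protection rules are the control that stands in for the deleted `NPM_TOKEN` secret.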

Switch the release workflow to OIDC-based Trusted Publishing:

- Add id-token: write permission so GitHub can mint short-lived OIDC
  tokens for the workflow.
- Replace pnpm publish + NODE_AUTH_TOKEN with npm publish --provenance
  --access public. npm CLI 9.5+ negotiates OIDC with the registry
  natively when ACTIONS_ID_TOKEN_REQUEST_URL is present, and emits a
  provenance attestation that links the published artifact to this
  workflow run.
- NPM_TOKEN secret is no longer needed and can be deleted from repo
  settings after the trusted publisher is registered on npm.
@drudge drudge merged commit 271d640 into main May 1, 2026
1 check passed