chore: migrate npm publishing from token to OIDC

[davidkonigsberg]

Summary

Migrates @fern-api/incidentio npm publishing from using NPM_TOKEN secret to OIDC trusted publishing with provenance attestations.

Changes:

• Added permissions: contents: read, id-token: write to the publish job
• Added registry-url: https://registry.npmjs.org to setup-node step (required for OIDC)
• Replaced token-based publish with npm publish --provenance
• Removed NPM_TOKEN env var

Review & Testing Checklist for Human

• Configure npm trusted publisher for @fern-api/incidentio at https://www.npmjs.com/package/@fern-api/incidentio/access → Trusted Publishers → Add GitHub Actions. Set repository to fern-api/incident-node, workflow file to ci.yml, environment blank.
• After configuring trusted publisher, push a test tag to verify OIDC publish works
• Revoke the old NPM_TOKEN secret from this repo's GitHub settings once confirmed working

Notes

This is part of a broader effort to remove all NPM auth tokens from the @fern-api organization and use OIDC trusted publishing exclusively. Without configuring the trusted publisher on npmjs.com first, the publish will fail.

Link to Devin session: https://app.devin.ai/sessions/82f5751c688442aba14fc2fbb515c352
Requested by: @davidkonigsberg

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring