Fix npm OIDC trusted publishing and upgrade Node to v25

[wrn14897]

The release workflow was failing with E404 when publishing to npm using OIDC trusted publishing. Root causes:

• changesets/action@v1 sets NODE_AUTH_TOKEN to a raw GitHub OIDC JWT, which npm cannot use directly as an auth token
• setup-node's registry-url creates a conflicting _authToken in .npmrc
• npm >= 11.5.1 is required for OIDC trusted publishing (handles the OIDC token exchange internally)

Changes:

• Upgrade .nvmrc from Node 18 to Node 25 (ships with npm >= 11.5.1)
• Remove registry-url from setup-node to avoid auth conflicts
• Skip changesets/action publish, handle it in a separate step
• Add workflow_dispatch trigger for manual runs
• Let npm CLI handle OIDC exchange natively via --provenance

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3cb2717

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR