publish-js: add npm trusted publishing + gh app release flow

[nbelenkov]

Summary

Removes ANZA_TEAM_PAT and SOLANA_PROGRAM_NPM_TOKEN from the JS publish workflow, extending the same supply chain hardening from the Rust workflow to JS packages.

• Trusted publishing for @solana-program: removes the static npm token in favour of OIDC, both @solana and @solana-program packages now authenticate via trusted publishing
• GitHub App: replaces the PAT for git operations, enabling a tag protection ruleset that only the App can bypass
• Environment gate* publish job runs under environment: prod, allowing consuming repos to require manual approval before secrets are accessed

Setup required in each consuming repo

• Create a prod environment with APP_ID variable and PRIVATE_KEY secret (same App as Rust workflow)
• Configure npm trusted publishing on npmjs.com for each @solana-program/* package (workflow: caller workflow file, environment: prod)

[joncinque]

This looks good too! Same with #26, shall we set everything up before landing this?

[nbelenkov]

the app and repo configs are done, we just need to update npm settings for each package

[joncinque]

Settings have been updated on all @solana-program npm packages, so this should be good to go!

[joncinque]

Actually, before we get this in, can we add a step to output the job parameters?

[nbelenkov]

added context @joncinque, if you are happy, should be good to merge

[joncinque]

Looks great, thanks!