Conversation

@tanjeemh tanjeemh commented Oct 10, 2025

Summary:
This PR updates the GitHub Actions release workflow to use npm Trusted Publishing (OIDC) instead of long-lived NPM_TOKEN secrets.

Changes:

  • Added permissions: id-token: write for OIDC-based publishing.
  • Removed NPM_TOKEN from the release job.

Why:
This change aligns with BitGo’s initiative to eliminate long-lived tokens and use GitHub’s OIDC-based authentication for npm publishing.
Trusted Publishers were configured in npmjs for all relevant repos.

Expected outcome:

  • Future releases will publish securely through GitHub’s OIDC workflow.
  • NPM_TOKEN secrets are no longer required.
  • npm packages will show “Verified provenance” badges after the next release.

Ticket: DX-2084
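As an added illustration of the change described above (not this repository's workflow, which calls the semantic-release-action reusable workflow), here is a token-based release job next to its OIDC Trusted Publishing counterpart. Node version, branch name and the npm CLI minimum are assumptions.

```yaml
# Added example, not the project's own workflow file.
# BEFORE: the pattern this PR retires. A long-lived token is pulled from a
# repository secret and handed to npm through NODE_AUTH_TOKEN.
name: release-token
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret
---
# AFTER: OIDC Trusted Publishing. The job is allowed to mint a GitHub OIDC
# ID token; npm exchanges it for a short-lived publish credential, so no
# NPM_TOKEN secret exists to leak or rotate.
name: release-oidc
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write      # required so the runner can request an OIDC token
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # Assumption: Trusted Publishing needs npm CLI 11.5.1 or newer.
      - run: npm install -g npm@latest
      # No token: npm authenticates with the OIDC token. The repository,
      # workflow file name and (if set) environment must match the trusted
      # publisher configured for the package on npmjs.com, otherwise this
      # step fails with an authentication error.
      - run: npm publish
```

With Trusted Publishing, npm attaches a provenance attestation to the published version automatically, which is what produces the "Verified provenance" badge mentioned above.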

@tanjeemh tanjeemh requested a review from a team as a code owner October 10, 2025 19:09

@ericcrosson-bitgo ericcrosson-bitgo left a comment

The PR description seems out of date -- for example, it mentions we install npm though I don't see that in the diff. Please review for consistency with the implementation.

uses: semantic-release-action/typescript/.github/workflows/release.yml@1d40c29e2d500f3bcceeb13f95d26a3a1b571f51 # v3.0.20
secrets:
npm-token: ${{ secrets.NPM_TOKEN }}
npm-token: "n/a"
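Review bot: passing the literal string "n/a" as the `npm-token` secret (last line of this hunk) hides the token dependency rather than removing it. The reusable workflow pinned at `release.yml@1d40c29e… # v3.0.20` still receives a non-empty token and, unless that version detects OIDC trusted publishing and ignores the value, may hand the bogus token to npm and fail at publish time instead of at input validation. Confirm that v3.0.20 supports token-less publishing (or bump to a version that does, keeping the full-SHA pin), and if the placeholder has to stay, put a `#` comment beside it stating why, so the next reader does not mistake it for a misconfiguration.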

What is this? Why is this variable set to a non-secret instead of being removed?

Author

When I completely removed it, I was getting a "missing npm token" error.
I'm assuming the version of semantic release we are running expects there to be an npm token.
So, to bypass this error, I just added a dummy value. My apologies, I should have explained the reason why that was necessary.

Please let me know if you want me to approach this differently, thanks!
