feat(release): use NPM_TOKEN for npm publishing instead of OIDC

Changed from npm Trusted Publishing (OIDC) to traditional token authentication.
The NODE_AUTH_TOKEN environment variable now uses the NPM_TOKEN secret.

Removed:
- OIDC id-token permission
- npm CLI update step (no longer needed)

Added:
- NODE_AUTH_TOKEN in both Setup Node.js and Publish to npm steps

.github/workflows/rust-release.yml

@@ -464,9 +464,7 @@ jobs:
           tag: ${{ github.ref_name }}
           config: .github/dotslash-config.json
 
-  # Publish to npm using OIDC authentication.
+  # Publish to npm using authentication token
-  # July 31, 2025: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
-  # npm docs: https://docs.npmjs.com/trusted-publishers
   publish-npm:
     # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
     if: ${{ needs.release.outputs.should_publish_npm == 'true' }}
@@ -474,7 +472,6 @@ jobs:
     needs: release
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # Required for OIDC
       contents: read
 
     steps:
@@ -484,10 +481,8 @@ jobs:
           node-version: 22
           registry-url: "https://registry.npmjs.org"
           scope: "@valknarthing"
-
+        env:
-      # Trusted publishing requires npm CLI version 11.5.1 or later.
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - name: Update npm
-        run: npm install -g npm@latest
 
       - name: Download npm tarballs from release
         env:
@@ -502,9 +497,9 @@ jobs:
             --pattern "llmx-npm-${version}.tgz" \
             --dir dist/npm
 
-      # No NODE_AUTH_TOKEN needed because we use OIDC.
       - name: Publish to npm
         env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           VERSION: ${{ needs.release.outputs.version }}
           NPM_TAG: ${{ needs.release.outputs.npm_tag }}
         run: |