
ci: switch npm publish to OIDC trusted publishers #23073

Merged
vraja-pro merged 1 commit into trunk from npm-trusted-publishers
Mar 16, 2026

Conversation

Contributor

@JorPV JorPV commented Mar 13, 2026

Context

The npm publish workflow was failing with a 404 error when publishing @yoast/tailwindcss-preset@2.6.0 (failed run). The root cause is the stored npm token being rejected due to 2FA/granular token restrictions on the @yoast npm org. This follows the same approach used in Yoast/ai-frontend#152 — switching from token-based auth to OIDC trusted publishers.

Summary

This PR can be summarized in the following changelog entry:

  • Switches npm publish to OIDC trusted publishers

Relevant technical choices:

  • Clears NODE_AUTH_TOKEN in the publish step so npm uses OIDC instead of the stored token.
  • Updates npm to latest (>= 11.5.1) for OIDC support.
  • Adds --access public to all npm publish commands, required for scoped packages with OIDC.
  • The existing id-token: write permission and registry-url setup were already in place.

Test instructions

Test instructions for the acceptance test before the PR gets merged

This PR can be acceptance tested by following these steps:

  • Prerequisites: Configure each @yoast/* package as a Trusted Publisher on npm: npmjs.com → package settings → Publishing access → Add trusted publisher → repository: Yoast/wordpress-seo, workflow: .github/workflows/publish-npm-packages.yml.
  • Trigger the workflow via workflow_dispatch with the PR number of the version increase PR.
  • Verify all packages publish successfully without 404 errors.

Relevant test scenarios

  • Changes should be tested with the browser console open
  • Changes should be tested on different posts/pages/taxonomies/custom post types/custom taxonomies
  • Changes should be tested on different editors (Default Block/Gutenberg/Classic/Elementor/other)
  • Changes should be tested on different browsers
  • Changes should be tested on multisite

Test instructions for QA when the code is in the RC

  • QA should use the same steps as above.

Impact check

  • CI/CD pipeline only — no plugin code affected.

Other environments

  • This PR also affects Shopify.
  • This PR also affects Yoast SEO for Google Docs.

Documentation

  • I have written documentation for this change.

Quality assurance

  • I have tested this code to the best of my abilities.
  • During testing, I had activated all plugins that Yoast SEO provides integrations for.
  • I have added unit tests to verify the code works as intended.
  • If any part of the code is behind a feature flag, my test instructions also cover cases where the feature flag is switched off.
  • I have written this PR in accordance with my team's definition of done.
  • I have checked that the base branch is correctly set.
  • I have run grunt build:images and committed the results, if my PR introduces new images or SVGs.

Innovation

  • No innovation project is applicable for this PR.
  • This PR falls under an innovation project.
  • I have added my hours to the WBSO document.

Replace token-based npm authentication with OIDC for publishing.
This bypasses the 2FA/granular token issues causing 404 errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
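The technical choices listed above, shown as an added workflow fragment for illustration (this is not the repository's actual publish-npm-packages.yml): the token-based publish step kept as a comment beside the OIDC step that replaces it. The workflow name, input name, Node version, secret name and package path are assumptions; the permission, registry-url, npm upgrade, NODE_AUTH_TOKEN handling and --access public flag are the points the PR describes.

```yaml
# Added illustration, not Yoast's workflow file. Values marked "assumed" are not from the PR.
name: Publish npm packages          # assumed
on:
  workflow_dispatch:
    inputs:
      pr_number:                    # assumed input name; the PR is triggered with the version-increase PR number
        required: true

permissions:
  contents: read
  id-token: write                   # lets the job request an OIDC token; the PR notes this was already in place

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed
          registry-url: https://registry.npmjs.org   # writes an .npmrc that reads NODE_AUTH_TOKEN

      # Before (token-based): a long-lived secret is read through the .npmrc written above.
      # With 2FA/granular-token restrictions on the org, the registry answers 404 (per the PR).
      # - run: npm publish
      #   working-directory: packages/tailwindcss-preset     # assumed path
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}        # assumed secret name

      # After (OIDC trusted publisher): npm >= 11.5.1 exchanges the job's OIDC token for a
      # short-lived publish credential. The trusted-publisher entry on npmjs.com must name
      # this repository and this workflow file, otherwise the publish is rejected.
      - run: npm install -g npm@latest                       # OIDC support needs npm >= 11.5.1
      - run: npm publish --access public                     # required for scoped @yoast/* packages
        working-directory: packages/tailwindcss-preset       # assumed path
        env:
          NODE_AUTH_TOKEN: ""                                # cleared so npm falls back to OIDC
```

A stored token that is still present would win over OIDC, so the empty override on the publish step is what actually switches the authentication method; checking the workflow run logs for the OIDC exchange rather than a token is the quickest way to confirm it took effect.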
@JorPV JorPV added the changelog: non-user-facing Needs to be included in the 'Non-userfacing' category in the changelog label Mar 13, 2026
@vraja-pro vraja-pro self-assigned this Mar 16, 2026
@vraja-pro vraja-pro added this to the 27.3 milestone Mar 16, 2026
@vraja-pro vraja-pro merged commit c28f3a7 into trunk Mar 16, 2026
13 of 15 checks passed
@vraja-pro vraja-pro deleted the npm-trusted-publishers branch March 16, 2026 09:11
@vraja-pro
Contributor

CR ✅

vraja-pro added a commit that referenced this pull request Mar 16, 2026