chore: replace NPM_TOKEN with npm trusted publishing (OIDC)

[tim123abc]

Summary

• Replaces `NPM_TOKEN` secret with npm's OIDC trusted publishing — no long-lived tokens needed
• Adds `permissions: contents: read` and `id-token: write` required for OIDC token exchange
• Adds `actions/setup-node@v4` with Node 24 (Node 22 has a known issue with npm OIDC)
• Adds `provenance = true` to `.npmrc` so packages are published with npm provenance attestation
• Removes `registry-url` from `setup-node` — pnpm has its own OIDC implementation and the option would write an empty `_authToken` that could conflict

Manual step required

On npmjs.com, configure a trusted publisher for each published package:

• Repository: `vercel/microfrontends`
• Workflow filename: `release.yml`

Test plan

• Confirm trusted publisher is configured on npmjs.com for all published packages before merging
• Verify release workflow succeeds on next merge to main

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nextjs-app-docs	Ready	Preview, Comment	Apr 21, 2026 3:54pm
nextjs-app-marketing	Ready	Preview, Comment	Apr 21, 2026 3:54pm
nextjs-pages-blog	Ready	Preview, Comment	Apr 21, 2026 3:54pm
nextjs-pages-dashboard	Ready	Preview, Comment	Apr 21, 2026 3:54pm
react-router-docs	Ready	Preview, Comment	Apr 21, 2026 3:54pm
react-router-vite-base-path	Ready	Preview, Comment	Apr 21, 2026 3:54pm
react-router-web	Ready	Preview, Comment	Apr 21, 2026 3:54pm
single-spa-root	Ready	Preview, Comment	Apr 21, 2026 3:54pm
single-spa-shared	Ready	Preview, Comment	Apr 21, 2026 3:54pm
single-spa-web	Ready	Preview, Comment	Apr 21, 2026 3:54pm
sveltekit-docs	Ready	Preview, Comment	Apr 21, 2026 3:54pm
sveltekit-web	Ready	Preview, Comment	Apr 21, 2026 3:54pm