Commit b53bd8b

ci(release): upgrade npm to 11.x + drop NODE_AUTH_TOKEN for Trusted Publishing

Trusted Publishing (OIDC) is configured on npmjs for opencode-sdlc-wizard, but the workflow was still passing NODE_AUTH_TOKEN from a (now deleted / broken) NPM_TOKEN secret. npm CLI sees the env var first and uses token-auth path, which 404s.

Two fixes:

1. node 22 ships npm 10.x; Trusted Publishing OIDC auth requires npm >= 11.5.1. Added a global npm@latest install step.
2. Removed the NODE_AUTH_TOKEN env on the publish step so the CLI falls through to OIDC.

The trusted publisher config on the npm side (BaseInfinity/opencode-sdlc-wizard + release.yml) authorizes this workflow's OIDC token for publish without any long-lived secret.

Workflow needs to be re-dispatched against tag v0.8.9 to pick up this fix (release.yml runs from main on workflow_dispatch but checks out the tagged ref for the package contents).

1 parent d9a8ec0 commit b53bd8b

1 file changed

Lines changed: 6 additions & 2 deletions

.github/workflows/release.yml

@@ -51,13 +51,17 @@ jobs:
5151
node-version: 22
5252
registry-url: https://registry.npmjs.org
5353

54+
# Trusted Publishing requires npm >= 11.5.1. node 22 ships with 10.x,
55+
# so upgrade before publishing. OIDC flow then auths via the trusted
56+
# publisher configured at npmjs.com/package/<name>/access.
57+
- name: Upgrade npm for Trusted Publishing
58+
run: npm install -g npm@latest
59+
5460
- name: Run tests
5561
run: npm test
5662

5763
- name: Publish to npm
5864
run: npm publish --provenance --access public
59-
env:
60-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
6165

6266
- name: Create GitHub Release
6367
run: gh release create "$TAG_NAME" --generate-notes
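
Review bot: The added step `run: npm install -g npm@latest` floats the npm version in the same job that goes on to run `npm publish --provenance --access public`, so whichever npm release is current at dispatch time becomes part of the release toolchain without review. The comment above the step states the actual requirement (npm >= 11.5.1); pinning to an exact version that meets it, for example `npm install -g npm@11.5.1`, keeps the fix and makes release runs reproducible. With the `NODE_AUTH_TOKEN` env removed, the publish step now depends entirely on the OIDC token, and the job's `permissions` block is outside this hunk, so it is worth confirming that `id-token: write` is granted there. A short comment on the publish step saying that no token is passed on purpose would also help stop someone re-adding the `env` block later.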
