ci: fix Packagist publish auth to use query-string credentials

The Packagist API rejects the Bearer-header auth scheme with HTTP 406
"Missing or invalid username/apiToken in request". Switch to the
documented query-string form (?username=&apiToken=) and update the
request body to {"repository":{"url":"..."}} as the API expects.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nficano

.github/workflows/publish.yml

@@ -82,9 +82,10 @@ jobs:
             exit 1
           fi
 
+          encoded_user="$(jq -rn --arg v "${PACKAGIST_USERNAME}" '$v|@uri')"
+          encoded_token="$(jq -rn --arg v "${PACKAGIST_TOKEN}" '$v|@uri')"
           curl --fail-with-body -sS \
             -X POST \
             -H 'Content-Type: application/json' \
-            -H "Authorization: Bearer ${PACKAGIST_USERNAME}:${PACKAGIST_TOKEN}" \
-            "${endpoint}" \
-            -d "{\"repository\":\"${REPOSITORY_URL}\"}"
+            "${endpoint}?username=${encoded_user}&apiToken=${encoded_token}" \
+            -d "{\"repository\":{\"url\":\"${REPOSITORY_URL}\"}}"