Conversation

@galargh commented Oct 26, 2025

This PR configures the release-please workflow to use trusted publishing. It is needed because NPM classic tokens (presumably used in this repository currently) are going to be deprecated in November.

Before this PR can be merged, the package maintainer should configure trusted publishing on npmjs.org.

After this PR is merged, we can delete the NPM_TOKEN secret from the repository secrets.

How to configure trusted publishing on npmjs.org?

  1. Go to https://www.npmjs.com/package/@filoz/synapse-core/access
  2. Click on the GitHub Actions button in the Trusted Publishing section
  3. Fill out the form with the following details:
    • Organization: FilOzone
    • Repository: synapse-sdk
    • Workflow: release-please.yml
  4. Go to https://www.npmjs.com/package/@filoz/synapse-sdk/access
  5. Click on the GitHub Actions button in the Trusted Publishing section
  6. Fill out the form with the following details:
    • Organization: FilOzone
    • Repository: synapse-sdk
    • Workflow: release-please.yml
  7. Go to https://www.npmjs.com/package/@filoz/synapse-react/access
  8. Click on the GitHub Actions button in the Trusted Publishing section
  9. Fill out the form with the following details:
    • Organization: FilOzone
    • Repository: synapse-sdk
    • Workflow: release-please.yml

@github-project-automation github-project-automation bot moved this to 📌 Triage in FS Oct 26, 2025
@rvagg (Collaborator) left a comment

this is done and ready for use, but let's hold off on merging until we get the next branch in and want to start releasing stuff

@rvagg (Collaborator) commented Oct 30, 2025

Well, an 0.35 got released by release-please yesterday, I'd done the setup in the npm registry, and I'd already removed NPM_TOKEN from here, so I'm at a loss as to how that even worked. https://github.com/FilOzone/synapse-sdk/actions/runs/18919025094/job/54009946396

Perhaps it's something to do with that PR existing before I deleted the token? Otherwise I can't explain that.

@rvagg rvagg moved this from 📌 Triage to ✔️ Approved by reviewer in FS Oct 30, 2025
@rvagg (Collaborator) commented Oct 30, 2025

Closes #143 when this lands, I can't add that to "Development" here, which seems odd

@rjan90 rjan90 linked an issue Oct 30, 2025 that may be closed by this pull request
@BigLep (Contributor) commented Nov 4, 2025

@rvagg : so yeah, it still seems like a mystery since there have been a few 0.35.x releases at this point.

I assume the "How to configure trusted publishing on npmjs.org?" steps haven't been done yet. I don't have the npm credentials to do them.

@rvagg (Collaborator) commented Nov 4, 2025

The steps have been done in npmjs which is why I assume this is working already. But: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers#adding-permissions-settings

Setting id-token: write in the workflow’s permissions does not give the workflow permission to modify or write to any resources. Instead, it only allows the workflow to request (fetch) and use (set) an OIDC token for an action or step. This token is then used to authenticate with external services using a short-lived access token.

So ... what gives? How do we have access? It's nice that it works, but also mildly concerning that it works.
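As an added illustration (not code from this PR, from the synapse-sdk repository, or from npm), the following models what a registry's trusted-publisher check has to do with the OIDC token a job obtains under id-token: write. The token only proves which repository and workflow file ran; it is the registry that compares those claims with the publisher configured in the steps at the top of the PR (organization FilOzone, repository synapse-sdk, workflow release-please.yml) and decides whether a publish is allowed. The claim names are GitHub's standard Actions OIDC claims; the matching rules, the expected audience string and the sample tokens are assumptions made for the example.

```python
"""Hypothetical model of a registry-side trusted-publisher check.

Added example: not npm's implementation and not code from synapse-sdk.
It checks the decoded claims of a GitHub Actions OIDC token against a
publisher policy of the shape configured on npmjs.org (org/repo/workflow).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustedPublisher:
    organization: str
    repository: str
    workflow: str                       # workflow file name, e.g. "release-please.yml"
    environment: Optional[str] = None   # optional GitHub environment to require
    audience: str = "npm:registry.npmjs.org"  # assumed audience the CLI requests

    @property
    def workflow_path(self) -> str:
        return f".github/workflows/{self.workflow}"


def check_claims(claims: dict, policy: TrustedPublisher) -> tuple[bool, str]:
    """Return (allowed, reason).

    `id-token: write` only lets a job *fetch* a token; every decision about
    what that token may do is made here, by comparing its claims to policy.
    """
    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        return False, "issuer is not GitHub Actions"
    if claims.get("aud") != policy.audience:
        # A token minted for another service (e.g. a cloud STS) must not work here.
        return False, f"audience {claims.get('aud')!r} is not {policy.audience!r}"

    expected_repo = f"{policy.organization}/{policy.repository}"
    if claims.get("repository", "").lower() != expected_repo.lower():
        # Forks carry their own owner in `repository`, so they fail here.
        return False, f"repository {claims.get('repository')!r} != {expected_repo!r}"

    # job_workflow_ref looks like "<org>/<repo>/.github/workflows/<file>@<git ref>".
    path, sep, _git_ref = claims.get("job_workflow_ref", "").partition("@")
    if not sep:
        return False, "job_workflow_ref lacks an @ref suffix"
    if path.lower() != f"{expected_repo}/{policy.workflow_path}".lower():
        # Another workflow in the same repo (e.g. a PR CI job) is not the publisher.
        return False, f"workflow {path!r} is not {policy.workflow_path!r}"

    if policy.environment is not None and claims.get("environment") != policy.environment:
        return False, "environment mismatch"
    return True, "ok"


# Policy mirroring the PR's configuration steps.
POLICY = TrustedPublisher("FilOzone", "synapse-sdk", "release-please.yml")

# Constructed sample claims (not real tokens).
GOOD_CLAIMS = {
    "iss": GITHUB_ACTIONS_ISSUER,
    "aud": "npm:registry.npmjs.org",
    "repository": "FilOzone/synapse-sdk",
    "repository_owner": "FilOzone",
    "ref": "refs/heads/main",
    "job_workflow_ref": "FilOzone/synapse-sdk/.github/workflows/release-please.yml@refs/heads/main",
}
FORK_CLAIMS = {
    **GOOD_CLAIMS,
    "repository": "someone-else/synapse-sdk",
    "job_workflow_ref": "someone-else/synapse-sdk/.github/workflows/release-please.yml@refs/heads/main",
}
OTHER_WORKFLOW_CLAIMS = {
    **GOOD_CLAIMS,
    "job_workflow_ref": "FilOzone/synapse-sdk/.github/workflows/ci.yml@refs/pull/1/merge",
}


def demo() -> dict[str, bool]:
    """Evaluate each constructed token against the policy."""
    return {
        "release workflow on main": check_claims(GOOD_CLAIMS, POLICY)[0],
        "same workflow in a fork": check_claims(FORK_CLAIMS, POLICY)[0],
        "other workflow, same repo": check_claims(OTHER_WORKFLOW_CLAIMS, POLICY)[0],
        "token minted for another audience": check_claims(
            {**GOOD_CLAIMS, "aud": "sts.amazonaws.com"}, POLICY)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The point of the model is the one the quoted documentation makes: possession of an OIDC token is not authorization. A job with id-token: write can always mint one, but only the registry's configured publisher entry (repository plus workflow file) turns it into a permission to publish, so a run from a fork or from a different workflow file in the same repository is refused even though it holds a valid GitHub-issued token.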

Linked issue (may be closed by this pull request): Switch to OIDC trusted publishing