minor #3142 [NPM] Configure OIDC for trusted auto-publishing (Kocal)

This PR was merged into the 2.x branch.

Discussion
----------

[NPM] Configure OIDC for trusted auto-publishing

| Q              | A
| -------------- | ---
| Bug fix?       | no
| New feature?   | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations?  | no <!-- if yes, also update UPGRADE-*.md and src/**/CHANGELOG.md -->
| Documentation? | no <!-- required for new features, or documentation updates -->
| Issues         | Fix #... <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License        | MIT

<!--
Replace this notice by a description of your feature/bugfix.
This will help reviewers and should be a good start for the documentation.

Additionally (see https://symfony.com/releases):
 - Always add tests and ensure they pass.
 - For new features, provide some code snippets to help understand usage.
 - Features and deprecations must be submitted against branch main.
 - Update/add documentation as required (we can help!)
 - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry
 - Never break backward compatibility (see https://symfony.com/bc).
-->

Related to https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/ & https://docs.npmjs.com/trusted-publishers

I wasn't able to test the new workflow, but I hope it will works... 😇

I will delete our secret `NPM_PUBLISH_TOKEN` after merging

Commits
-------

b1e9a42 [NPM] Configure OIDC for trusted auto-publishing

Author: Kocal

.github/workflows/release-on-npm.yaml

@@ -5,6 +5,10 @@ on:
     tags:
         - 'v2.*.*'
 
+permissions:
+    id-token: write  # Required for OIDC
+    contents: read
+
 jobs:
     release:
         runs-on: ubuntu-latest
@@ -21,15 +25,20 @@ jobs:
           - name: Extract version from tag
             run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
 
+          # npm 11.5.1 or later is required for OIDC
+          - run: npm install -g npm@latest
+
           - run: npm i -g corepack && corepack enable
           - uses: actions/setup-node@v4
             with:
+              registry-url: 'https://registry.npmjs.org'
               node-version-file: '.nvmrc'
               cache: 'pnpm'
               cache-dependency-path: |
                 pnpm-lock.yaml
                 package.json
                 src/**/package.json
+
           - name: Install root JS dependencies
             run: pnpm install --frozen-lockfile
 
@@ -41,11 +50,6 @@ jobs:
               git add .
               git commit -m "Update versions to ${{ env.VERSION }}"
 
-          - name: Configure NPM authentication
-            run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"
-            env:
-              NODE_AUTH_TOKEN: ${{secrets.NPM_PUBLISH_TOKEN}}
-
           - name: Publish on NPM
             run: pnpm publish --recursive --access public --no-git-checks