chore(release): work around actios/setup-node mal-interaction

actions/setup-node makes a default NODE_AUTH_TOKEN if none is set, which breaks OIDC

It was the root cause of the publishing trauma as discovered when setting a real one in
worked, after seeing the env contained a fake one. That led to discovery of this issue:

actions/setup-node#1440

Author: mikehardy

.github/workflows/publish.yml

@@ -56,8 +56,9 @@ jobs:
         env:
           # No NPM token needed, all of the packages have been configured
           # on npmjs.com with this workflow file as an OIDC "Trusted Publisher"
-          # However as of 20251208 we still need an NPM token as OIDC failing...
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # You do have to clear it from the actions/setup-node default value though,
+          # or publishing will fail, see: https://github.com/actions/setup-node/issues/1440
+          NODE_AUTH_TOKEN: ""
           # org admin Github Token required for the changelog/tag commit+push
           # to work via an exception to branch protection rules
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}