chore: update npm publishing to use OIDC authentication (#501)

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN environment variable from publish job
- Removed 'npm config set' command that configured static token authentication
- Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
- Preserved all existing jobs, steps, conditions, and INTERCOM_API_KEY environment variable

Author: fern-support

.github/workflows/ci.yml

@@ -38,6 +38,8 @@ jobs:
     needs: [ compile, test ]
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -50,13 +52,13 @@ jobs:
 
       - name: Publish to npm
         run: |
-          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
+          publish() {
+            npx -y npm@latest publish "$@"
+          }
           if [[ ${GITHUB_REF} == *alpha* ]]; then
-            npm publish --access public --tag alpha
+            publish --access public --tag alpha
           elif [[ ${GITHUB_REF} == *beta* ]]; then
-            npm publish --access public --tag beta
+            publish --access public --tag beta
           else
-            npm publish --access public
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.FERN_NPM_TOKEN }}
+            publish --access public
+          fi