Migrate to OIDC Trusted Publishing

[tanjeemh]

What problem are we solving?
With OIDC Trusted Publishing, GHA authenticates directly with npm using short-lived identity tokens instead.

• Eliminates the need to store long-lived npm tokens, improving security.
• Reduces secret management complexity across BitGo repositories, making maintenance simple.
• Improved scalability now that our release pipelines are self-contained within GitHub Actions.
• Necessary for npm compliance with their removal of classic npm-token's.

Why solve it this way?
This PR migrates our semantic-release workflow to use OIDC Trusted Publishing for npm releases. Previously, our release pipeline required an npm-token secret to authenticate with npm during publishing. This approach has since been discouraged by npm themselves.

npm notice SECURITY NOTICE: 
   Breaking changes starting October 13, 2025. 
   New tokens will be limited to a maximum lifetime of 90 days, and TOTP setup will be disabled. 
   Classic tokens will be revoked in November. 
   Update your CI/CD workflows to avoid disruption. Learn more: https://gh.io/npm-token-changes

Fixes:

• Our semantic-release-action/typescript reusable workflow no longer enforces npm-token as a required secret, allowing us to remove that input so GHA knows to publish via OIDC Trusted Publishing.
• Add id-token: write permissions to the workflow to allow for GHA to request an OIDC token at runtime.
• Pinned the workflow the the updated version of semantic-release-action/typescript/release.yml@v3.1.0

Testing:
From our test/check logs, we can confirm that OIDC is being used instead of an npm token to establish a connection to npm.

[semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
[semantic-release] [@semantic-release/npm] › ℹ  Verifying OIDC context for publishing from GitHub Actions
[semantic-release] [@semantic-release/npm] › ℹ  OIDC token exchange with the npm registry succeeded
[semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/npm"

As confirmation of a successful release, see the beta pre-release tag that was created in the repo and in npmjs: https://www.npmjs.com/package/@bitgo-forks/io-ts/v/2.1.5-beta.1
https://github.com/BitGo/io-ts/actions/runs/19077165991

*Note: this PR should not trigger a new official release to @bitgo-forks/io-ts *

[ericcrosson-bitgo]

Also, this is a tiny point, but I suggest placing the "update version" commit before the "remove npm-token input" commit, since that order is technically safe, but if we were to run CI on each commit in the current order, there would be errors due to invalid inputs!

[ericcrosson-bitgo]

@tanjeemh Great PR description. Can you please include hyperlinks to where we conducted our testing? Workflow run logs will only be accessible for 90 days, so consider screenshotting those if necessary, but we will still be able to see the pass/fail outcome of a workflow run. Also suggest linking to the successfully-created beta tag and pre-release on npmjs.com as evidence of a successful run

[ericcrosson-bitgo]

Thanks @tanjeemh !

[github-actions]

🎉 This PR is included in version 2.1.6 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[ericcrosson-bitgo]

Darn, it still created a release. I'll unpublish it since it is immaterial.