fix(ci): use Node 24 for npm OIDC trusted publishing

Node 22 on GitHub's hosted runners currently pins to a broken npm
10.9.7 whose internal `promise-retry` module is missing from the
toolcache (runner-images#13883, nodejs/node#62430). Self-upgrading
via `npm install -g npm@latest` crashes before the install can run,
because `@npmcli/arborist` cannot start without that module.

Node 24 LTS bundles npm 11.x natively, which supports OIDC trusted
publishing out of the box (minimum is 11.5.1, per npm docs). Bumping
the runtime lets us delete the fragile upgrade step entirely.

Test: tag `v0.7.4-rc.2` after merge to validate the flow publishes
successfully with provenance.

.github/workflows/publish-npm.yml

@@ -25,16 +25,15 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '22'
+          # Node 24 (LTS) ships with npm 11.x, which supports OIDC trusted
+          # publishing natively. Node 22 on GitHub hosted runners currently
+          # pins to a broken npm 10.9.7 (runner-images#13883) and any
+          # self-upgrade from within that toolcache crashes on a missing
+          # promise-retry module, so bumping the runtime is the cleanest
+          # fix.
+          node-version: '24'
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Upgrade npm for trusted publishing
-        # Node 22 ships with npm 10.x; npm OIDC trusted publishing requires
-        # npm 11.5.1+. Without this, the publish step silently falls back
-        # to the empty NODE_AUTH_TOKEN written by setup-node and the
-        # registry returns 404.
-        run: npm install -g npm@latest
-
       - name: Verify tag matches package.json
         run: |
           TAG_VERSION="${GITHUB_REF#refs/tags/v}"