Make all package publishing workflows OIDC driven

[Flo4604]

Set up OIDC-based trusted publishing for all relevant packages and workflows, similar to the recent work done for the @unkey/ratelimit SDK.

The goal is to migrate existing publishing flows away from long-lived NPM tokens/env-based auth and have them use GitHub Actions with OIDC where supported (e.g. npm trusted publishers), so that packages are built and signed via CI and no manual tokens are required.

Reference implementation: GitHub unkeyed/sdks commit configuring trusted publishing.

[linear]

ENG-2276