Migrate to npm trusted publishing (OIDC) and update workflows

[ndoschek]

Feature Description:

As of yesterday, npm changed their auth token policy. Instead of rotating the tokens every 90 days (which is very annoying, since we always need to create a helpdesk issue for that), shouldn't we just enable this repo as an OIDC token provider?

Originally posted by @msujew in #16433 (comment)

Instead of continuing with manually rotated tokens, we should migrate to npm's trusted publishing using GitHub Actions and OpenID Connect (OIDC).

• Workflows like publish-next, publish-gh-pages, and publish-release currently use the long-lived NODE_AUTH_TOKEN secret.

Expected

• Workflows should authenticate to npm via OIDC, avoiding the need for stored secrets.
• Publishing workflows should continue to function without modification to the manual token rotation schedule.
  • Affected Workflows: publish-next, publish-api-doc-gh-pages, publish-release
• See also:
  • npm trusted publishers
  • GitHub Actions OIDC token usage

[tortmayr]

I was also looking into trusted publishing recently so here are some additional notes:

• As of now only one workflow can be configured as trusted workflow per package.
  So affected workflows probably need modification so that the call a central trusted publish workflow instead of directly publishing on their own
• As far as I understood trusted publishing has to be configured for each package individually via NPM Web UI. This impacts new packages. The CI won't be able to publish them automatically.
  Probably manual action is required for these cases. The newly created package hast to be published once manually so that is available on NPM. Then trusted publishing can be configured for this new package.
• Lerna only supported OIDC publishing with Version 9.x (https://lerna.js.org/docs/recipes/oidc-trusted-publishing) so an upgrade is required here