Upgrade our NPMJS publishing workflow

[joanise]

https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/

Minimal step: switch to granular token

Best solution: switch to trusted publishing

Deadline: our current process will stop working in mid November

[joanise]

I have tried to enable Trusted Publishing to publish v1.6.2, but after repeated failures I have fallen back to a short lived narrowly scoped token. For the next release, we'll have to solve Trusted Pub, or else recreate a new such token each time we publish.