ci: publish release with pnpm instead of npm

[jaredwray]

Summary

Follow-up to #140 addressing @jaredwray's review feedback to use pnpm for the release publish step (consistent with AGENTS.md: "Use pnpm instead of npm for all package management commands"). Those comments landed as #140 was merged, so they weren't included there.

OIDC trusted publishing + provenance are preserved — only the publishing CLI changes from npm to pnpm.

Changes (.github/workflows/release.yaml)

• Replace npm publish --provenance with pnpm publish --provenance --no-git-checks. --no-git-checks is needed because the release runs from a detached tag checkout (pnpm otherwise refuses to publish when not on a branch).
• Drop the npm install -g npm@latest step — it's no longer needed. pnpm 11.6.0 (already pinned via packageManager and installed by pnpm/action-setup) performs the OIDC token exchange for trusted publishing.
• Remove registry-url from setup-node. That input makes setup-node write _authToken=${NODE_AUTH_TOKEN} to .npmrc; with no token set, the literal placeholder is exactly what broke pnpm-11 OIDC publishing with a 404 (pnpm/pnpm#11513, fixed in #11526). Removing it eliminates the root cause regardless of pnpm version, and matches the writr release flow.

id-token: write and the repository field in package.json (added in #140, required for provenance) are unchanged.

Why this is safe with pnpm

• pnpm performs OIDC trusted publishing — the flow exists and was hardened in pnpm 11 (#11513/#11526); 11.6.0 includes the fix.
• No .npmrc token placeholder is written, so OIDC is the sole auth path when no token is present.

Reminder (unchanged from #140)

The one-time Trusted Publisher config on npmjs.com for @hyphen/sdk (GitHub Actions → org Hyphen, repo nodejs-sdk, workflow release.yaml) is still required before the next release.

https://claude.ai/code/session_016qHimevBQJsTHzBxV7B2od

---

Generated by Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (522537b) to head (770aae9).

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #141   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            8         8           
  Lines          492       492           
  Branches       105       101    -4     
=========================================
  Hits           492       492           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.