ci: switch npm publish to trusted publishing (OIDC provenance)

Replace NPM_TOKEN with --provenance flag for npm trusted publishing.
Auth is handled via GitHub Actions OIDC, no secret needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: devallibus

.github/workflows/validate.yml

@@ -128,9 +128,7 @@ jobs:
           CURRENT=$(npm view @shaderbase/cli version 2>/dev/null || echo "0.0.0")
           LOCAL=$(node -p "require('./package.json').version")
           if [ "$CURRENT" != "$LOCAL" ]; then
-            npm publish --access public
+            npm publish --access public --provenance
           else
             echo "Version $LOCAL already published, skipping."
           fi
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}