ci(release): configure OIDC trusted publisher for npm publishing

[tay1orjones]

It's been announced that classic long-lived NPM tokens (we use for publishing) are going away. This PR updates all packages published from the monorepo to use the new OIDC trusted publishers method.

This requires updating:

1. The release workflows (this PR)
2. Each individual package's settings on npm to configure trusted publishers to the proper org, repo, and workflow file name.

Changelog

Changed

• update the release workflows with revised permissions

Testing / Reviewing

Once merged we can test with a patch release if we'd like.

Please double check that I've updated each package with the correct settings. I had to do each one manually, one at a time, so it's possible I misspelled the workflow name or something. I've triple checked it but if you cmd + click each link to open them all, you can then move through each tab quickly with cmd + opt + →.

The org name should be carbon-design-system, repo name carbon and the release workflow file is release.yml.

Click to expand the list

From ./packages:

1. carbon-components
2. carbon-components-react
3. @carbon/cli
4. @carbon/cli-reporter
5. @carbon/colors
6. @carbon/elements
7. @carbon/feature-flags
8. @carbon/grid
9. icon-build-helpers is not published to npm
10. @carbon/icon-helpers
11. @carbon/icons
12. @carbon/icons-react
13. @carbon/icons-vue
14. @carbon/layout
15. @carbon/motion
16. @carbon/pictograms
17. @carbon/pictograms-react
18. @carbon/react
19. scss-generator is not published to npm
20. @carbon/styles
21. @carbon/test-utils
22. @carbon/themes
23. @carbon/type
24. @carbon/upgrade
25. @carbon/utilities
26. @carbon/utilities-react
27. @carbon/web-components

From ./config, open these in an incognito window and login as carbon-bot:

1. babel-preset-carbon
2. browserslist-config-carbon
3. eslint-config-carbon
4. jest-config-carbon is not published to npm
5. prettier-config-carbon
6. stylelint-config-carbon
7. typescript-config-carbon

PR Checklist

As the author of this PR, before marking ready for review, confirm you:

• Reviewed every line of the diff
  - [ ] Updated documentation and storybook examples
  - [ ] Wrote passing tests that cover this change
  - [ ] Addressed any impact on accessibility (a11y)
  - [ ] Tested for cross-browser consistency
• Validated that this code is ready for review and status checks should pass

More details can be found in the pull request guide

[netlify]

✅ Deploy Preview for v11-carbon-web-components ready!

Name	Link
🔨 Latest commit	6b3fdbc
🔍 Latest deploy log	https://app.netlify.com/projects/v11-carbon-web-components/deploys/68f146662acf150008cd6863
😎 Deploy Preview	https://deploy-preview-20745--v11-carbon-web-components.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for v11-carbon-react ready!

Name	Link
🔨 Latest commit	6b3fdbc
🔍 Latest deploy log	https://app.netlify.com/projects/v11-carbon-react/deploys/68f14666e8671b000863d119
😎 Deploy Preview	https://deploy-preview-20745--v11-carbon-react.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for carbon-elements ready!

Name	Link
🔨 Latest commit	6b3fdbc
🔍 Latest deploy log	https://app.netlify.com/projects/carbon-elements/deploys/68f1466616b0ad00087d4219
😎 Deploy Preview	https://deploy-preview-20745--carbon-elements.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.26%. Comparing base (30b4f87) to head (6b3fdbc).
⚠️ Report is 307 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20745      +/-   ##
==========================================
+ Coverage   91.39%   92.26%   +0.87%     
==========================================
  Files         485      499      +14     
  Lines       31370    34853    +3483     
  Branches     5430     5588     +158     
==========================================
+ Hits        28670    32157    +3487     
- Misses       2547     2549       +2     
+ Partials      153      147       -6     

Flag	Coverage Δ
main-packages	85.41% <ø> (+0.48%)	⬆️
web-components	97.11% <ø> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[tay1orjones]

This is blocked by #20740 #20767 - once it's in this one can be reviewed and merged.

[maradwan26]

LGTM