ci: use npmjs.com OIDC Trusted Publisher for package release

lerna v9+ is required for OIDC support, along with manual configuration
on npmjs.com to trust the publish.yml github workflow file

Author: mikehardy

.github/workflows/publish.yml

@@ -13,7 +13,7 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     permissions:
-      id-token: write # to enable use of OIDC for npm provenance
+      id-token: write # enables OIDC for npmjs.com "Trusted Publisher" and provenance
     steps:
       - uses: actions/checkout@v4
         with:
@@ -37,15 +37,12 @@ jobs:
           git config --global user.name 'Invertase Publisher'
           git config --global user.email 'oss@invertase.io'
       - name: Publish Packages
-        # for lerna, you must write the token out to .npmrc like this
         run: |
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc
           git diff --exit-code
           yarn lerna changed
           yarn lerna version --yes --force-publish=*
           yarn lerna publish from-package --yes
         env:
-          # new style token w/scope for `@react-native-firebase` required
-          # to work with npmjs.com 2FA-or-automation-token package requirement
-          NPM_TOKEN: ${{ secrets.MIKEHARDY_NPM_TOKEN }}
+          # No NPM token needed, all of the packages have been configured
+          # on npmjs.com with this workflow file as an OIDC "Trusted Publisher"
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

package.json

@@ -90,7 +90,7 @@
     "genversion": "^3.2.0",
     "google-java-format": "^2.0.1",
     "jest": "^30.0.5",
-    "lerna": "^8.2.4",
+    "lerna": "^9.0.0",
     "patch-package": "^8.0.0",
     "prettier": "^3.6.2",
     "regenerator-transform": "^0.15.2",