
chore: migrate NPM publishing to trusted publishing (OIDC) via action-npm-publish@v6 #321

Open
wenfix wants to merge 1 commit into main from wapi-1542

Conversation


@wenfix wenfix commented Jun 9, 2026

Contributor

Explanation

Core Platform is hardening MetaMask's NPM supply chain by replacing long-lived NPM tokens with trusted publishing (OIDC) plus staged publishing. All package owners must move to MetaMask/action-npm-publish@v6, which implements those changes. This covers all six non-private @metamask/connect packages published from this monorepo (connect, connect-evm, connect-solana, connect-multichain, multichain-ui, analytics).

Previously the release workflow published with action-npm-publish@v5 using a required, long-lived NPM_TOKEN and no id-token: write permission. This PR migrates the release publishing path to OIDC trusted publishing:

  • Bumped both the dry-run and publish steps in publish-release.yml from action-npm-publish@v5 to @v6.
  • Granted the publish-npm job permissions: id-token: write (with contents: read) so it can request the OIDC token used by trusted publishing.
  • Made the NPM_TOKEN secret optional (required: false) rather than required. The token is still passed to the publish step as the fallback / first-publish path, per the MetaMask module template.
  • Bumped packageManager to yarn@4.16.0 (latest stable; the previous 4.9.2 was below the >= 4.16.0 requirement). This also bumps the yarn.lock metadata format from version: 8 to 10.

Scope notes

  • action-checkout-and-setup / download-artifact were intentionally left untouched. Only the npm-publish action bump is required by the acceptance criteria; bumping the other helper actions is unrelated scope and is better handled separately.
  • publish-preview.yml is out of scope. It publishes preview builds to GitHub Packages via a dedicated PUBLISH_PREVIEW_NPM_TOKEN, and NPM trusted publishing (OIDC) is an npmjs.com registry feature that does not apply to GitHub Packages.
  • No SKIP_PREPACK was added (present in the module template) because none of the packages define a prepack script, so it would be a no-op here.

Verification

  • yarn install --immutable passes cleanly on Yarn 4.16.0.
  • yarn build passes (11/11 tasks).

Important

Trusted publishing must be enabled on the npm side for all six packages by the @metamask-npm-publishers team before the first OIDC-based release. Until then, publishing continues to rely on the (now optional) NPM_TOKEN.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary — N/A: CI/workflow + tooling change only, no published package code changes.
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

@wenfix wenfix requested a review from a team as a code owner June 9, 2026 08:58
@@ -1,2 +1,2 @@
name: Publish Release

Member

main.yml also needs to be updated to have id-token: write permission when calling this workflow.
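The workflow shape described in the PR body (reusable release workflow on `MetaMask/action-npm-publish@v6`, `id-token: write` plus `contents: read` on the publish job, `NPM_TOKEN` downgraded to an optional secret) together with the caller-side permission raised in the comment above, as an added illustration; this is not the repository's actual `publish-release.yml` or `main.yml`. The step layout, the `actions/checkout` step, and the `npm-token` input name are assumptions; the page only states that the token is still passed to the publish step. The dry-run step omitting the token is also an assumption about how the action selects dry-run mode.

```yaml
# .github/workflows/publish-release.yml (assumed layout, example only)
name: Publish Release

on:
  workflow_call:
    secrets:
      NPM_TOKEN:
        required: false   # previously `required: true`; now a fallback / first-publish path

jobs:
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write     # lets this job mint the OIDC token that trusted publishing verifies
    steps:
      - uses: actions/checkout@v4   # assumed; the repo uses its own checkout/setup action
      - name: Dry run publish
        uses: MetaMask/action-npm-publish@v6   # was @v5; no token supplied here (assumed dry-run mode)
      - name: Publish
        uses: MetaMask/action-npm-publish@v6   # was @v5
        with:
          npm-token: ${{ secrets.NPM_TOKEN }}  # input name assumed; optional once OIDC is enabled on npm
---
# .github/workflows/main.yml (caller; assumed layout, example only)
name: Main

on:
  push:
    branches: [main]

jobs:
  publish-release:
    uses: ./.github/workflows/publish-release.yml
    permissions:
      contents: read
      id-token: write     # a called workflow can only narrow the caller's token permissions,
                          # so without this grant the publish-npm job cannot request an OIDC token
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The caller-side `permissions` block is the detail that is easy to miss: GitHub only lets a reusable workflow downgrade the `GITHUB_TOKEN` permissions it receives, never raise them, so `id-token: write` declared inside `publish-release.yml` is ineffective unless `main.yml` grants it at the `uses:` job as well. Until trusted publishing is enabled for each package on npmjs.com, the `npm-token` fallback is what actually performs the publish.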


2 participants