CLOUDPLAT-3162: add npm OIDC publish workflow (dynamodb-replicator)

[haseebehsan]

Summary

Adds the reusable workflow-npm-oidc-publish workflow from mapbox/gha-public.

This replaces local/manual npm publish with a GitHub Actions workflow using OIDC Trusted Publishing — no npm tokens required.

Trigger: manual (workflow_dispatch) — run from the Actions tab to publish.

Ticket: https://mapbox.atlassian.net/browse/CLOUDPLAT-3162

[ox-security]

Successfully scanned changes introduced in a pull request into master from cloudplat-3162/add-npm-oidc-publish.

Internal scan identifier: 3d80f43f-eb25-4133-905b-aa7ef19a7582.

Total issues	Blocking issues	Scan status
1	0	✔️

Category	Issues
CI/CD Posture	1

See all issues found during this scan in the OX Security Application.

Detailed information

Issue #	1
Name	Unpinned Reusable Workflow • GitHub Actions
Status	New
Enforcement	Monitor
Severity	High
Category	CI/CD Posture
Source tools	OX CI/CD Posture
Recommendation	Pin reusable workflows to a full-length commit SHA (40 characters) instead of a tag or branch. Example: uses: org/repo/.github/workflows/build.yml@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0

1 aggregation

File	Match
.github/workflows/npm-release.yml	uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main