fix: add id-token permission to release-please workflow

The publish workflow requires id-token: write for npm provenance.
When called via workflow_call, permissions are inherited from the
caller, so id-token must be declared in release-please.yml.

.github/workflows/release-please.yml

@@ -9,6 +9,7 @@ permissions:
   contents: write
   pull-requests: write
   issues: write
+  id-token: write
 
 jobs:
   release-please: