fix(ci): publish opencode-plugin via npm OIDC trusted publishing

[ojongerius]

The 0.1.0-alpha.2 release run failed at npm publish with E404 PUT. Root cause: setup-node's registry-url writes a token-based .npmrc (NODE_AUTH_TOKEN), and npm uses that token in preference to OIDC. That token has @obsigna/sdk-ts access but not the new @obsigna/opencode-plugin, so the PUT 404s. Provenance signed fine (that's a separate GitHub→sigstore OIDC path), but registry auth never used the trusted publisher.

Fix

• Drop registry-url from setup-node so no token .npmrc is written — npm then mints a short-lived publish credential from the GitHub OIDC token (trusted publishing). id-token: write was already granted.
• Remove environment: release-opencode-plugin from the job — the npm trusted-publisher config has no environment set, so the OIDC claim must carry none to match. (That GitHub environment was never created anyway.)
• Pin npm ≥ 11.5.1 via npm install -g npm@latest before publish — OIDC trusted publishing requires it; belt-and-suspenders against runner image drift.
• AGENTS.md release note updated to describe the OIDC path and that dist-tag/deprecation management stays out of band (OIDC covers publish only).

No change to package contents or version. After merge I'll re-point the opencode-plugin-v0.1.0-alpha.2 tag at the fixed commit so the corrected workflow runs.

Why not just grant the token access?

The token would work, but you've set up OIDC trusted publishing — this makes the workflow actually use it (no long-lived secret, provenance from the OIDC identity).