ci: drop registry-url from setup-node — it breaks trusted publishing

setup-node with registry-url writes an .npmrc containing
  //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
With no NODE_AUTH_TOKEN in env (which is the whole point of trusted
publishing), npm substitutes an empty string and sends Authorization:
Bearer  — an empty token — which short-circuits the OIDC flow.

The sigstore sign still works (separate OIDC exchange), but the final
PUT to registry.npmjs.org gets rejected with a misleading
  404 Not Found - PUT https://registry.npmjs.org/@codeceptjs%2freflection

Omitting registry-url lets npm use its default registry and attempt
OIDC automatically. No behavior change since registry.npmjs.org is
the default anyway.

Run 24362973570 shows the exact symptom: sigstore log entry 1288262459
signed successfully, followed by the 404.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: DavertMik

.github/workflows/publish.yml

@@ -31,11 +31,19 @@ jobs:
         with:
           ref: ${{ github.event.release.target_commitish }}
 
-      - name: Setup Node 22 with npm registry
+      # IMPORTANT: do NOT pass `registry-url` to setup-node here.
+      # When registry-url is set, setup-node writes a .npmrc with
+      #   //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
+      # and with no NODE_AUTH_TOKEN in env, npm sends an empty Bearer
+      # header which short-circuits the trusted-publishing OIDC flow
+      # (sigstore still works, but the final PUT gets rejected as 404).
+      # Omitting registry-url lets npm use its default registry and
+      # attempt OIDC automatically for packages with a configured
+      # trusted publisher.
+      - name: Setup Node 22
         uses: actions/setup-node@v4
         with:
           node-version: 22
-          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: npm install