fix: decouple npm provenance from OIDC trusted publishing

[dhayab]

Summary

This PR decouples npm provenance generation from OIDC trusted publishing, fixing publish failures on private/internal repositories.

• fix: enable npm OIDC trusted publishing #1042 tied --provenance to useOidcTokenProvider, but they are independent concerns. One controls authentication (token vs. OIDC trusted publishing), the other controls whether a provenance attestation is attached. npm rejects provenance for private/internal repos, so any private-repo user enabling OIDC had their release fail at the publish step.
• Adds a dedicated generateProvenance config option (default false). useOidcTokenProvider now only controls authentication.
• This makes the previously inexpressible "classic token auth + provenance" combination work, and lets private/internal repos use OIDC without provenance.

Note

Provenance is no longer emitted automatically when useOidcTokenProvider is enabled. It is now opt-in via generateProvenance: true. This is not a breaking change: it only means an attestation is no longer attached by default. Public-repo users who want to keep generating provenance simply set generateProvenance: true.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes.}