Use OIDC to publish the React package to npmjs

[mrudatsprint]

Use OIDC to publish the React package to npmjs vs a GitHub token in Secrets. NPM doesn't want us using tokens anymore.

[Copilot]

Pull request overview

This PR updates the React SDK publishing workflow to use npm OIDC trusted publishing/provenance instead of a stored npm token.

Changes:

• Adds GitHub Actions permissions for OIDC publishing.
• Updates the React SDK publish step to use npm publish --provenance --access public.
• Removes the redundant private: false field from the React package manifest.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/publish-sdk-react.yml	Updates publish workflow permissions and npm publish command for OIDC provenance.
packages/sdk-react/package.json	Removes explicit private: false from the package metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[johnjeffers]

Is there any reason not to upgrade to a newer node version since node 20 is EOL?

[mrudatsprint]

I'm going to use 24 as the latest version and test with 22 & 24. 26 is going to require core code updates as well as test updates and I'll create a separate issue to support 26.

[johnjeffers]

Update this to checkout@v6

[mrudatsprint]

Updated to checkout@v6

[johnjeffers]

Should maybe update this matrix to drop at least 18 and add 22, 24, and 26

[mrudatsprint]

I'm going to use 24 as the latest version and test with 22 & 24. 26 is going to require core code updates as well as test updates and I'll create a separate issue to support 26.