fix(npm): use NPM_TOKEN for npm publish authentication

The npm package @gastown/gt was never published because the release
workflow used OIDC trusted publishing which requires initial manual
setup on npm.org. Changed to use NPM_TOKEN secret for authentication.

Also added npm install option to README.

Fixes #867

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.github/workflows/release.yml

@@ -60,15 +60,15 @@ jobs:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Update npm for OIDC trusted publishing
-        run: npm install -g npm@latest  # Requires npm >= 11.5.1 for trusted publishing
+      - name: Update npm for provenance support
+        run: npm install -g npm@latest
 
       - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           cd npm-package
-          npm publish --access public
-          # Uses OIDC trusted publishing - no token needed
-          # Provenance attestations are automatic with trusted publishing
+          npm publish --access public --provenance
 
   update-homebrew:
     runs-on: ubuntu-latest