fix: `publish-theme` action uses `secrets.NPM_TOKEN`

[barjin]

Wherever applicable, this PR changes the NPM token to secrets.NPM_TOKEN to fix the issue with the ui-packages STILL NOT BEING PUBLIC (I will never stop hating this.)

This does not replace the last occurrence of the token since I believe we need the old token (APIFY_SERVICE_ACCOUNT_NPM_TOKEN) to publish packages in the @apify workspace. This might be a question for @fnesveda - are any of the mentioned GH secrets organization-wide (and do you think we can publish packages with secrets.NPM_TOKEN?)

[barjin]

As discussed with @fnesveda yesterday, the NPM / Github token management is a total mess.

The latest commit puts all the token-related stuff in the ~/.npmrc file and expects all the scripts to take it from there (to avoid passing different-named envvars with various values to different places).

The commit also adds workflow_dispatch trigger for the publishing workflow so we can test this better.