ci(release): update workflow

[Fdawgs]

This PR:

• Removes Git credentials/SSH keys after checkout as a security precaution by setting persist-credentials to false. They are not used after the initial checkout, and this stops them from accidentally leaking through a script
• Declares the minimum permissions for the workflows to run at the job level, following principle of least privilege; see related GitHub security post
• Removes the cache-dependency-path param from the actions/setup-node action, as if cache is declared then it will use the default path anyway
• Updates npm publish script to publish with provenance to provide assurance that published package was generated from this repo

[spencermountain]

wow cool! Thank you so much. I didn't know about any of that stuff. Nice one!