This PR is required by #2976.

Changes proposed in this pull request:

⯈ Upgrade GitHub Actions to v6 and Node.js 24

• Node.js 20 reaches end-of-life in April 2026
• Updated actions/checkout from v4 to v6
• Updated actions/setup-node from v4 to v6
• Updated actions/github-script from v7 to v8 (uses Node 24 runtime)
• All workflows now use node-version: current to target Node 24
• Added explicit node-version: current to the features job which was missing it

⯈ Migrate npm publishing to OIDC Trusted Publishing

• npm deprecated all classic tokens on December 9, 2025
• Removed NPM_TOKEN environment variable
• Authentication now uses OpenID Connect with short-lived, cryptographically-signed credentials
• Provenance attestations are generated automatically by npm
• Added id-token: write permission required for OIDC
• Added registry-url to setup-node for npm authentication
• Eliminates token management overhead and improves supply chain security

⯈ Add prerelease support and GitHub Release automation

• Publish workflow now detects alpha, beta, rc versions and tags them appropriately on npm
• Creates GitHub Releases automatically after successful publish (tag is created by the release action)
• Generates changelogs from merged PRs using mikepenz/release-changelog-builder-action@v6
• Prereleases are marked correctly on both npm and GitHub

Migration steps required before merging:

1. Configure Trusted Publisher on npmjs.com for each package:

   • Navigate to package settings → Trusted Publisher section
   • Select GitHub Actions as provider
   • Enter: Organization AssemblyScript, Repository assemblyscript, Workflow publish.yml
   • Repeat for @assemblyscript/loader and @assemblyscript/rtrace
   • Why: npm needs to know which GitHub workflow is authorized to publish without a token. Without this, the OIDC authentication will fail with a 404 error.

2. Remove NPM_TOKEN from repository secrets

   • Why: OIDC authentication only works when no auth token is present. If NODE_AUTH_TOKEN is set, npm will try to use the token instead of OIDC and fail.

3. Verify runners have npm 11.5.1+

   • Why: OIDC trusted publishing requires npm CLI 11.5.1 or later. Node 24 includes npm 11.x so this should be automatic with node-version: current.

• I've read the contributing guidelines
• I've added my name and email to the NOTICE file