ci(repo): consolidate publish into release-please workflow

[anilanar]

Summary

Move the npm publishing steps from a standalone publish.yml (triggered by release: published) into release-please.yml (triggered by push: branches: [master]), and delete publish.yml. This eliminates the manual gh release delete + gh release create dance that was needed on every release because of GitHub's "GITHUB_TOKEN events don't trigger workflows" rule.

This pattern is the one release-please's own README recommends — the action exposes per-path releases_created outputs we use to publish only the packages that were actually released.

Changes

• release-please.yml:
  • Add id-token: write permission (for OIDC publish).
  • Add environment: npm-publish to the job (was previously on publish.yml; npm Trusted Publishers requires this in the OIDC token).
  • Append the build / pack / npm stage publish steps, each gated on steps.release.outputs.releases_created == 'true' (and per-package outputs for the per-package stage steps).
• publish.yml: deleted.

Required follow-up actions after this merges

1. On npmjs.com Trusted Publishers — update the workflow filename from publish.yml → release-please.yml for BOTH packages:

   • @userlike/messenger
   • @userlike/messenger-internal

   Environment name stays as npm-publish.

2. (Optional) Simplify the GitHub Environment at Settings → Environments → npm-publish: you can drop the @userlike/* tag pattern from "Deployment branches and tags" — releases no longer trigger publishing, so only master is needed.

Test plan

This PR is itself a ci(repo): commit (touches .github/workflows/* only, no package files), so:

• CI green
• After merge, release-please workflow runs and does not open a Release PR (no releasable commits affected packages/*)
• Then update npm TP config (step 1 above)
• First real conventional-commit change after that should drive the full happy path: release-please opens Release PR → merge it → publish step in the same workflow fires → packages staged → human approves on npm.