CD: switch gem-push to RubyGems Trusted Publishing (OIDC)

`gem push` fails since MFA was enabled on the RubyGems account —
the API-key flow can't supply an OTP from a non-interactive
runner. Trusted publishing is the supported replacement and is
already configured on rubygems.org for this gem (pointed at this
workflow file, no GitHub Environment binding).

Changes:
- Add `id-token: write` to job permissions (required for the
  GitHub OIDC token exchange).
- Remove unused `packages: write` permission (was for GitHub
  Packages, never wired up).
- Replace the manual credentials-file dance + `GEM_HOST_API_KEY`
  env var with `rubygems/configure-rubygems-credentials@v2.0.0`
  (same action `rubygems/release-gem@v1` calls internally —
  verified by reading its action.yml). Existing `gem build` +
  `gem push` then read credentials the action sets up.

No new secrets. `RUBYGEMS_AUTH_TOKEN` becomes obsolete and should
be deleted from repo Settings → Secrets after the first green
dispatch.

Tracks LOC-6563.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yashdsaraf

.github/workflows/gem-push.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
+      id-token: write
 
     steps:
     - uses: actions/checkout@v3
@@ -17,13 +17,9 @@ jobs:
       with:
         ruby-version: 2.6.10
 
-    - name: Publish to RubyGems
+    - uses: rubygems/configure-rubygems-credentials@v2.0.0
+    - name: Build and push gem
       run: |
-        mkdir -p $HOME/.gem
-        touch $HOME/.gem/credentials
-        chmod 0600 $HOME/.gem/credentials
-        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
         gem build *.gemspec
         gem push *.gem
-      env:
-        GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"
+      shell: bash