CLOUDPLAT-3162: disable run-tests in npm-release workflow

[haseebehsan]

Summary

The npm-release.yml workflow was failing because test/shortcuts.test.js calls cfn-lint (a Python tool) which isn't installed in the reusable workflow's runner. The existing test.yml CI workflow handles this by installing Python and cfn-lint via requirements.dev.txt before running tests.

Since tests are already enforced on every PR merge via test.yml, there's no need to re-run them at publish time. Adding run-tests: false skips the test step in the publish workflow.

Ticket: https://mapbox.atlassian.net/browse/CLOUDPLAT-3162

[ox-security]

Successfully scanned changes introduced in a pull request into master from cloudplat-3162/fix-npm-release-tests.

Internal scan identifier: 6d7e8cef-48db-4f51-b4d5-dd9c9f93c869.

Total issues	Blocking issues	Scan status
1	0	✔️

Category	Issues
CI/CD Posture	1

See all issues found during this scan in the OX Security Application.

Detailed information

Issue #	1
Name	Unpinned Reusable Workflow • GitHub Actions
Status	New
Enforcement	Monitor
Severity	High
Category	CI/CD Posture
Source tools	OX CI/CD Posture
Recommendation	Pin reusable workflows to a full-length commit SHA (40 characters) instead of a tag or branch. Example: uses: org/repo/.github/workflows/build.yml@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0

1 aggregation

File	Match
.github/workflows/npm-release.yml	uses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main