Use literal ${NPM_TOKEN} in npm auth

This is not supposed to be the token, but the literal value that is then
replaced by npm.

Probably does not make a difference, but the docs are clear on *not*
putting a token in this file.

The docs also say to put it in the project root.

Also adding some lines to debug what runs.

Author: code-asher

ci/steps/publish-npm.sh

@@ -46,7 +46,10 @@ main() {
 
   # This allows us to publish to npm in CI workflows
   if [[ ${CI-} ]]; then
-    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+    echo "Adding NPM_TOKEN to .npmrc"
+    # This is meant to be the literal value of ${NPM_TOKEN}, not the actual
+    # token itself.
+    echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' >> .npmrc
   fi
 
   ## Environment
@@ -142,6 +145,7 @@ main() {
 
   # Since the dev builds are scoped to @coder
   # We pass --access public to ensure npm knows it's not private.
+  echo "Publishing version $NPM_VERSION with tag $NPM_TAG"
   npm publish --non-interactive release --tag "$NPM_TAG" --access public
 }