chore(ci): package-lock is updated from separate job (#28697)

After each release, we need to update the local `package-lock.json`
dependencies. We do this via a `npm install --package-lock-only`
command. However, this command can fail for reasons such as a connection
timeout. When this happens, the package-lock files do not get updated.

The problem is this action is also done in the same job as generating
the changelog and creating the GitHub release. This operations cannot be
re-done. As a result, we cannot simply re-run this job and try updating
the package-lock files again.

This PR changes the workflow to split the package-lock update out to its
own job. In the event that this job fails, we can re-run only this job
and leave the other jobs untouched.