From fefa34033f690e47eb84ebf80dd37be2d9ff6d48 Mon Sep 17 00:00:00 2001
From: bntvllnt <32437578+bntvllnt@users.noreply.github.com>
Date: Sun, 26 Apr 2026 22:03:35 +0200
Subject: [PATCH 1/2] fix(ci): remove registry-url to stop GitHub token injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

actions/setup-node@v4 defaults token: to github.token, which sets NODE_AUTH_TOKEN to the GitHub Actions token — not an npm token. npm then tried to authenticate with npmjs.org using a GitHub token, causing E404. Removing registry-url prevents setup-node from creating the .npmrc and injecting any token, letting OIDC trusted publisher auth work cleanly via --provenance.
---
 .github/workflows/publish.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0d675fb..c27fb5d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,7 +71,6 @@ jobs:
 with:
 node-version: 22
 cache: pnpm
- registry-url: https://registry.npmjs.org
 - run: pnpm install --frozen-lockfile
@@ -107,7 +106,6 @@ jobs:
 with:
 node-version: 22
 cache: pnpm
- registry-url: https://registry.npmjs.org
 - run: pnpm install --frozen-lockfile
From 34f41767ad01d2b908745f9d3df2abe4518d826d Mon Sep 17 00:00:00 2001
From: bntvllnt <32437578+bntvllnt@users.noreply.github.com>
Date: Sun, 26 Apr 2026 22:05:41 +0200
Subject: [PATCH 2/2] =?UTF-8?q?fix(ci):=20align=20publish=20with=20ui=20?= =?UTF-8?q?=E2=80=94=20pnpm=20pack=20+=20npx=20npm@latest?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirror the pattern from the ui repo:
- Keep registry-url so setup-node creates .npmrc
- sed + unset to strip the injected GitHub token
- pnpm pack to build the tarball
- npx --yes npm@latest to publish via latest npm on-the-fly (avoids the broken npm install -g npm@latest on the runner)
---
 .github/workflows/publish.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c27fb5d..7e65ddf 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -71,6 +71,7 @@ jobs:
 with:
 node-version: 22
 cache: pnpm
+ registry-url: https://registry.npmjs.org
 - run: pnpm install --frozen-lockfile
@@ -78,11 +79,14 @@ jobs:
 - name: Publish canary
 run: |
+ sed -i '/_authToken/d' "$NPM_CONFIG_USERCONFIG"
+ unset NODE_AUTH_TOKEN
 BASE_VERSION=$(node -p "require('./package.json').version")
 SHORT_SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
 CANARY_VERSION="${BASE_VERSION}-canary.${SHORT_SHA}"
 npm version "$CANARY_VERSION" --no-git-tag-version --ignore-scripts
- npm publish --tag canary --provenance --access public --ignore-scripts
+ TARBALL=$(pnpm pack --pack-destination /tmp | tail -1)
+ npx --yes npm@latest publish "$TARBALL" --tag canary --provenance --access public
 release:
 name: Publish Release
@@ -106,6 +110,7 @@ jobs:
 with:
 node-version: 22
 cache: pnpm
+ registry-url: https://registry.npmjs.org
 - run: pnpm install --frozen-lockfile
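Review bot: The `npx --yes npm@latest publish` line in the Publish canary step downloads and runs whatever npm release is current when the job starts, in the same step that (per the commit message) performs the OIDC trusted publish, so the publishing tool itself is unpinned. Pin an exact release and bump it deliberately, e.g. `npx --yes npm@<PINNED_NPM_VERSION> publish "$TARBALL" --tag canary --provenance --access public`. The Publish to npm step of the release job has the same line. The rewrite also drops `--ignore-scripts` from publish while adding `pnpm pack`; it is worth confirming whether pack runs the package's prepack/prepare scripts here and, if it does, keeping scripts disabled for that step as before.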
@@ -166,7 +171,10 @@ jobs:
 - name: Publish to npm
 run: |
- npm publish --tag latest --provenance --access public --ignore-scripts
+ sed -i '/_authToken/d' "$NPM_CONFIG_USERCONFIG"
+ unset NODE_AUTH_TOKEN
+ TARBALL=$(pnpm pack --pack-destination /tmp | tail -1)
+ npx --yes npm@latest publish "$TARBALL" --tag latest --provenance --access public
 - name: Create GitHub Release
 env:
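Review bot: `TARBALL=$(pnpm pack --pack-destination /tmp | tail -1)` in the Publish to npm step takes the last line of pnpm's output as the artifact path without checking it, and the pipeline's exit status is `tail`'s, so a failed or differently formatted `pnpm pack` may go unnoticed unless the step's shell enables pipefail (not visible in this hunk). Add a guard before the publish line, e.g. `[ -f "$TARBALL" ] || { echo "pack produced no tarball" >&2; exit 1; }`, so publish never receives an empty or wrong path. Packing into `"$RUNNER_TEMP"` rather than the shared `/tmp` would also keep the artifact in a per-job directory. The Publish canary step carries the same line.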