
fix(package): add repository field so npm provenance validation passes #16

Merged: ylabonte merged 1 commit into main from claude/fix-release-workflow-ZYXlr on May 15, 2026

Conversation

@ylabonte (Owner)

Summary

The 1.1.0 release retried after PR #15 merged (run 25933850004) and failed with HTTP 422 from npm:

🦋  error npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/github-actions-updater
- Error verifying sigstore provenance bundle: Failed to validate repository information:
  package.json: "repository.url" is "",
  expected to match "https://github.com/ylabonte/github-actions-updater" from provenance

OIDC trusted publishing itself worked end-to-end on that run — "No NPM_TOKEN found, but OIDC is available - using npm trusted publishing" — and the provenance statement was even signed and pushed to the sigstore transparency log (logIndex 1549566161). npm then rejected the publish at the cross-check between package.json#repository.url and the GitHub URL it had just attested to. The field was missing entirely, so the comparison was "" != "https://github.com/ylabonte/github-actions-updater" → 422.

The 1.0.0 publish slipped past this because that one didn't carry provenance (it was the NPM_TOKEN bootstrap path, no NPM_CONFIG_PROVENANCE=true). 1.1.0 is the first run with provenance on, so this is the first time the cross-check has actually run.

Fix

Add the canonical repository object to package.json:

"repository": {
  "type": "git",
  "url": "git+https://github.com/ylabonte/github-actions-updater.git"
}

That's the only repo-side change required. release.yml is already correctly configured for OIDC trusted publishing with provenance.

Note on PR #15

The previous PR removed registry-url: from setup-node on the theory it was breaking OIDC. The log shows OIDC was already working fine on that path (the provenance bundle minted and signed end-to-end), so the change was a no-op for THIS failure. It's still aligned with npm's docs as future hygiene, so leaving it merged. Apologies for shipping it confidently as THE fix without log access to confirm.

No changeset: publish-metadata fix, not a user-visible behavior change.

Test plan

  • Local: pnpm format:check, pnpm lint, pnpm typecheck, pnpm test (231 tests) — all green.
  • Merge this PR. The push fires release.yml. changesets/action finds no remaining changesets, sees 1.1.0 is still unpublished on npm, runs pnpm release again. With repository.url now present and matching the attested URL, the provenance cross-check passes; github-actions-updater@1.1.0 lands on npm with provenance; the v1 floating tag force-moves.
  • If publish still fails, the failure mode will be different this time, which is progress.

Generated by Claude Code
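As an added example (not code from this PR or the project), a Node.js pre-publish check that reproduces the cross-check the description refers to: it normalizes package.json's repository field to the https://github.com/<owner>/<repo> form and compares it with the repository an Actions run attests to, derived from the standard GITHUB_SERVER_URL and GITHUB_REPOSITORY variables. The URL normalization is an approximation written for this example, not npm's own implementation, and the package.json objects are constructed to mirror the 1.1.0 publish before and after the fix.

```javascript
// Added example: pre-publish check mirroring npm's provenance repository
// cross-check. Normalization below is an approximation, not npm's code.

// Reduce the common ways package.json spells a GitHub repo to the
// canonical https://github.com/<owner>/<repo> form carried in provenance.
function normalizeRepoUrl(repo) {
  if (!repo) return ""; // field absent: this is the "" that produced the 422
  const url = (typeof repo === "string" ? repo : repo.url || "").trim();
  let m;
  // shorthand "owner/repo" or "github:owner/repo"
  if ((m = url.match(/^(?:github:)?([\w.-]+)\/([\w.-]+?)(?:\.git)?$/))) {
    return `https://github.com/${m[1]}/${m[2]}`;
  }
  // ssh forms: git@github.com:owner/repo.git, git+ssh://git@github.com/owner/repo
  if ((m = url.match(/^(?:git\+)?(?:ssh:\/\/)?git@github\.com[:/]([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/))) {
    return `https://github.com/${m[1]}/${m[2]}`;
  }
  // https forms: https://github.com/owner/repo, git+https://github.com/owner/repo.git
  if ((m = url.match(/^(?:git\+)?https?:\/\/(?:www\.)?github\.com\/([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/))) {
    return `https://github.com/${m[1]}/${m[2]}`;
  }
  return url; // unknown shape: return unchanged so the mismatch stays visible
}

// Repository a GitHub Actions run attests to, from the standard env vars.
function attestedRepoFromEnv(env) {
  return `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`;
}

// Compare package.json's repository field with the attested repository.
function checkProvenanceRepo(pkg, attestedRepoUrl) {
  const actual = normalizeRepoUrl(pkg.repository);
  return { ok: actual === attestedRepoUrl, actual, expected: attestedRepoUrl };
}

// Constructed sample inputs: package.json as published for 1.1.0 (no
// repository field) and the same file with this PR's fix applied.
const attested = "https://github.com/ylabonte/github-actions-updater";
const pkgBefore = { name: "github-actions-updater", version: "1.1.0" };
const pkgAfter = {
  ...pkgBefore,
  repository: { type: "git", url: "git+https://github.com/ylabonte/github-actions-updater.git" },
};

for (const [label, pkg] of [["before", pkgBefore], ["after", pkgAfter]]) {
  const r = checkProvenanceRepo(pkg, attested);
  console.log(`${label}: ${r.ok ? "ok" : `MISMATCH "${r.actual}" != "${r.expected}"`}`);
}
```

Running the block prints a MISMATCH for the pre-fix package.json and ok for the fixed one; wiring the same check into a `prepublishOnly` script would surface the mismatch before the registry does.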

The 1.1.0 release with provenance on (NPM_CONFIG_PROVENANCE=true) failed in
https://github.com/ylabonte/github-actions-updater/actions/runs/25933850004
with HTTP 422 from registry.npmjs.org:

  Error verifying sigstore provenance bundle: Failed to validate
  repository information: package.json: "repository.url" is "",
  expected to match "https://github.com/ylabonte/github-actions-updater"
  from provenance

OIDC trusted publishing itself worked end-to-end on the failed run — the
provenance statement was signed and pushed to the sigstore transparency
log (logIndex 1549566161). npm then rejected the publish at the
cross-check between package.json#repository.url and the GitHub URL it
had just attested to. The field was missing entirely, so the comparison
was trivially `"" != "https://github.com/ylabonte/github-actions-updater"`.

1.0.0 slipped past this because that publish didn't carry provenance
(NPM_TOKEN bootstrap, no NPM_CONFIG_PROVENANCE). 1.1.0 is the first
run with provenance on, so this is the first time the cross-check has
actually run.

No changeset: publish-metadata fix, not a user-visible behavior change.
ylabonte merged commit fe2683f into main on May 15, 2026
13 checks passed
ylabonte deleted the claude/fix-release-workflow-ZYXlr branch on May 15, 2026 at 18:49