@bbopen bbopen commented Jan 19, 2026

Summary

  • Adds NODE_AUTH_TOKEN environment variable using NPM_TOKEN secret for npm publish step
  • Fixes E404 error when publishing to npm registry
  • Keeps --provenance flag for supply chain security

Root Cause

The OIDC trusted publishing alone doesn't work when actions/setup-node@v4 is configured with registry-url. The action creates an .npmrc that expects NODE_AUTH_TOKEN to be set, but we weren't providing it.

Test plan

  • CI tests pass
  • Re-run publish workflow for v0.1.2 tag after merging

🤖 Generated with Claude Code

The OIDC trusted publishing alone doesn't work with setup-node when
registry-url is specified. The setup-node action creates an .npmrc
expecting NODE_AUTH_TOKEN to be set.

Added NPM_TOKEN secret to provide authentication while keeping
--provenance flag for supply chain security.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
coderabbitai bot commented Jan 19, 2026

📝 Walkthrough


The publish workflow configuration is updated to use explicit token-based authentication for NPM publishing and GitHub releases, replacing a no-token provenance approach by adding environment variable configurations for NODE_AUTH_TOKEN and GITHUB_TOKEN.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Workflow Authentication Configuration: .github/workflows/publish.yml | Adds environment variable blocks to Publish to npm and GitHub Release steps, enabling token-based authentication via NODE_AUTH_TOKEN and GITHUB_TOKEN from secrets |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A token here, a token there,
Our workflow hops with newfound care!
NPM and GitHub, now secured tight,
Authentication shines so bright! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding NPM_TOKEN for npm publish authentication in the CI workflow. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the purpose, root cause, and testing approach for the npm authentication fix. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b481a1 and c9fdc4a.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

174-179: Scoped token for publish step is correct.

Setting NODE_AUTH_TOKEN only for the publish step limits secret exposure and aligns with actions/setup-node’s registry auth expectations.


@bbopen bbopen merged commit 13ef2d8 into main Jan 19, 2026
20 checks passed
@bbopen bbopen deleted the fix/npm-publish-auth branch January 19, 2026 22:40
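
An added illustration of the configuration this thread discusses, not the repository's own publish.yml (the page does not show the diff). It shows setup-node with registry-url, the step-scoped NODE_AUTH_TOKEN taken from the NPM_TOKEN secret, and the id-token permission that --provenance relies on. The trigger, job name, Node version and the install/test steps are assumptions.

```yaml
# Constructed workflow fragment (added example, not the project's publish.yml).
name: publish            # assumed workflow name
on:
  push:
    tags: ["v*"]         # assumed trigger: publish on version tags

# Default to read-only; grant more only in the job that needs it.
permissions:
  contents: read

jobs:
  publish:               # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # lets npm request the OIDC token used to sign provenance
    steps:
      - uses: actions/checkout@v4

      # With registry-url set, setup-node writes an .npmrc whose auth line is
      #   //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
      # npm expands that variable at publish time, so the variable must be
      # present in the environment of the step that runs npm publish.
      - uses: actions/setup-node@v4
        with:
          node-version: 20                       # assumed version
          registry-url: https://registry.npmjs.org

      # No secret in scope here: install scripts and tests never see the token.
      - run: npm ci
      - run: npm test

      # The secret is exposed to this step only, not at job or workflow level.
      - name: Publish to npm
        run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Keeping the `env` block on the publish step rather than at job level means dependency install and test scripts run without the registry token in their environment.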