fix: use correct registry for npm OIDC trusted publishing

kulshekhar · kulshekhar · commit f8a9cc98924b · 2026-04-01T20:34:16.000+05:30
Remove --registry https://npmjs.org override which pointed at the wrong domain, breaking the OIDC token exchange. npm publish now uses the correct https://registry.npmjs.org configured by setup-node. Also add --provenance flag for explicit provenance attestation.
diff --git a/.github/workflows/release-and-publish.yml b/.github/workflows/release-and-publish.yml
@@ -93,9 +93,9 @@ jobs:
         # This will tell npm to publish your scoped package with public access
       - name: Publish with latest tag
         if: ${{ needs.setup_variables.outputs.isLatest == 'true' }}
-        run: npm publish --access public --registry https://npmjs.org
+        run: npm publish --provenance --access public
 
       - name: Publish with next tag
         if: ${{ needs.setup_variables.outputs.isLatest != 'true' }}
-        run: npm publish --access public --tag next --registry https://npmjs.org
+        run: npm publish --provenance --access public --tag next
 
