fix(ci): remove --provenance

[ryoppippi]

Summary by cubic

Switched the release workflow to pack with pnpm and publish the tarball with npm, removing --provenance to fix CI publish failures.

^{Written for commit c3f8462. Summary will update automatically on new commits.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/StackOneHQ/stackone-ai-node/@stackone/ai@242

commit: c3f8462

[cubic-dev-ai]

No issues found across 1 file

[Copilot]

Pull request overview

This PR modifies the CI/CD release workflow to address issues with the --provenance flag during npm publishing. The changes switch from direct pnpm publish to a two-step process of packing and then publishing with npm, remove the problematic --provenance flag, and add Node.js to the Nix development environment.

Key changes:

• Removed the preinstall script that enforced pnpm usage
• Added nodejs_24 to the Nix development shell
• Changed the release workflow to pack with pnpm and publish with npm, removing the --provenance flag

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
package.json	Removed the preinstall script that enforced pnpm as the package manager
flake.nix	Added nodejs_24 to the development environment buildInputs
.github/workflows/release.yaml	Split publishing into separate pack and publish steps, switching from pnpm to npm and removing the --provenance flag

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The prepack script references scripts.preinstall, which was just removed on the line above. This will cause the npm pkg delete command to fail silently or produce an error since it's trying to delete a non-existent script. Either remove the npm pkg delete scripts.preinstall part from this script or keep the preinstall script.

Suggested change

	"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
	"prepack": "pnpm run build",

[Copilot]

The workflow switches from using pnpm to npm for publishing. The pack step uses pnpm, but the publish step uses npm. This inconsistency could lead to confusion and potential issues. Consider using the same package manager for both operations, or document why different tools are being used. Additionally, the prepack script in package.json is designed to work with pnpm, so using npm publish directly on the tarball bypasses the package manager alignment.

[Copilot]

The removal of the --provenance flag eliminates npm's provenance attestation feature, which provides cryptographic verification of the package's origin and build process. This reduces supply chain security by removing the ability for consumers to verify that the published package was built in the expected CI environment. The id-token: write permission on line 28 suggests provenance was intentionally configured. If --provenance was removed due to errors, consider investigating and fixing the underlying issue rather than removing this security feature.

Suggested change

	npm publish "$PACKAGE_TGZ" --access public
	npm publish "$PACKAGE_TGZ" --access public --provenance

[Copilot]

The command uses head -n 1 to select the first tarball, which could select an unexpected file if multiple .tgz files exist in the directory. Consider adding error handling to verify exactly one tarball exists, or use a more specific pattern like finding the tarball with the expected package name format.