remove npm provenance

[mshriver]

Would rather publish with provenance but am seeing 404s on publish through the pipelines, for a package that is absolutely in the registry.

Summary by Sourcery

CI:

• Update npm publish GitHub Actions workflow to publish without the --provenance flag to avoid pipeline publish failures.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates the npm publish GitHub Actions workflow to stop using the --provenance flag, addressing publish failures while keeping public access and authentication unchanged.

Flow diagram for updated npm publish pipeline without provenance

graph TD
  A["Workflow Trigger (e.g., push or release)"] --> B["Start npm-publish Job"]
  B --> C["Checkout repository"]
  C --> D["Setup Node.js environment"]
  D --> E["Install dependencies with yarn"]
  E --> F["Build project with yarn build"]
  F --> G["Set NODE_AUTH_TOKEN from NPM_TOKEN secret"]
  G --> H["Run npm publish --access public"]
  H --> I["Package published to npm Registry"]

Loading

File-Level Changes

Change	Details	Files
Adjust npm publish step in the GitHub Actions workflow to remove provenance while preserving publish behavior.	Update the npm publish command to drop the --provenance flag Retain the --access public option to continue publishing as a public package Keep NODE_AUTH_TOKEN environment configuration unchanged for npm authentication	.github/workflows/npm-publish.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider adding a brief comment in the workflow near the publish step explaining why the --provenance flag is disabled, so future maintainers understand this is intentional and related to current pipeline 404 issues.
• You might want to gate the use of --provenance behind an input, env var, or matrix option so it can be re-enabled or experimented with in specific branches or workflows without another code change.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider adding a brief comment in the workflow near the publish step explaining why the --provenance flag is disabled, so future maintainers understand this is intentional and related to current pipeline 404 issues.
- You might want to gate the use of --provenance behind an input, env var, or matrix option so it can be re-enabled or experimented with in specific branches or workflows without another code change.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR removes the --provenance flag from the npm publish command in the GitHub Actions workflow to work around 404 errors encountered during publishing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Since --provenance has been removed from the publish command, the id-token: write permission on line 12 is no longer necessary. Consider removing it from the permissions block to follow the principle of least privilege, as it's specifically required for npm provenance publishing.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.19%. Comparing base (421281c) to head (3a98c33).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #13      +/-   ##
==========================================
+ Coverage   53.26%   60.19%   +6.92%     
==========================================
  Files          51       51              
  Lines        2050     2050              
  Branches      512      524      +12     
==========================================
+ Hits         1092     1234     +142     
+ Misses        956      816     -140     
+ Partials        2        0       -2     

Flag	Coverage Δ
unittests	60.19% <ø> (+6.92%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 12 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 421281c...3a98c33. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.