Remove npm provenance

[mshriver]

would like to use it but just get 404's with it enabled and GH configured as a trusted publisher

Summary by Sourcery

CI:

• Update GitHub Actions publish workflow to drop the --provenance flag from npm publish to avoid 404 issues.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates the npm publish workflow to disable the provenance feature, keeping the rest of the publishing process unchanged.

Flow diagram for updated npm publish workflow without provenance

flowchart TD
  trigger[GitHub_Actions_Trigger push_tag_release]
  job[Job publish]
  checkout[Step actions_checkout]
  setupNode[Step setup_Node]
  installDeps[Step yarn_install]
  build[Step yarn_build]
  publish[Step npm_publish_access_public]
  npmRegistry[NPM_Registry]

  trigger --> job
  job --> checkout
  checkout --> setupNode
  setupNode --> installDeps
  installDeps --> build
  build --> publish
  publish -->|npm publish --access public
NODE_AUTH_TOKEN from secrets.NPM_TOKEN| npmRegistry

Loading

File-Level Changes

Change	Details	Files
Disable npm provenance in the GitHub Actions publish workflow while retaining public access publishing.	Update the npm publish command to remove the provenance flag Ensure the publish step still uses public access and the existing auth token environment variable	.github/workflows/publish.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.43%. Comparing base (79055b9) to head (659856b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main       #4   +/-   ##
=======================================
  Coverage   92.43%   92.43%           
=======================================
  Files           4        4           
  Lines         251      251           
  Branches       61       61           
=======================================
  Hits          232      232           
  Misses         19       19           

Flag	Coverage Δ
unittests	92.43% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 79055b9...659856b. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• Consider adding a brief comment in the workflow near the publish step explaining why --provenance is disabled, so future changes don’t accidentally reintroduce it and break publishing again.
• If you expect to re-enable provenance later, you might parameterize the flag via an input or environment variable so it can be toggled per-run or per-environment without editing the workflow.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider adding a brief comment in the workflow near the publish step explaining why `--provenance` is disabled, so future changes don’t accidentally reintroduce it and break publishing again.
- If you expect to re-enable provenance later, you might parameterize the flag via an input or environment variable so it can be toggled per-run or per-environment without editing the workflow.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Copilot]

Pull request overview

This PR removes the --provenance flag from the npm publish command to work around 404 errors encountered during package publishing, despite having GitHub configured as a trusted publisher.

Key Changes:

• Removes --provenance flag from the npm publish command while retaining --access public

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.