fix(ci): restore token auth with provenance for npm publishing

OIDC provenance does not replace token authentication — npm
requires a token to authorize the publish request. Provenance
adds a signed attestation and the trusted publisher config on
npmjs.com makes it mandatory.

Restore registry-url and NODE_AUTH_TOKEN from NPM_TOKEN secret.
Use a granular access token which bypasses 2FA (unlike classic
tokens that require OTP).

Author: iamfj

.github/workflows/publish.yml

@@ -44,12 +44,11 @@ jobs:
           fi
           echo "Version check passed: $PACKAGE_VERSION"
 
-      # Do not use registry-url — it creates an .npmrc with a token
-      # placeholder that would bypass OIDC trusted publishing.
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "22"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Clean install
         run: npm install
@@ -62,6 +61,8 @@ jobs:
 
       - name: Publish to npm
         run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Verify publish success
         run: |