Disable npm provenance to fix publishing issue

Co-authored-by: empeje <[email protected]>

Author: Copilot

.github/PUBLISHING.md

@@ -1,25 +1,21 @@
 # NPM Publishing Setup
 
-This repository is configured to use NPM's [Trusted Publishers](https://docs.npmjs.com/trusted-publishers) feature with OIDC authentication via GitHub Actions.
+This repository is configured to publish packages to NPM via GitHub Actions using a standard NPM authentication token.
 
 ## How It Works
 
-When a new release is created on GitHub, the workflow automatically publishes the package to NPM using short-lived OIDC tokens instead of long-lived NPM tokens. This provides better security and includes cryptographic provenance attestations.
+When a new release is created on GitHub, the workflow automatically publishes the package to NPM using the NPM_TOKEN secret.
 
 ## Setup Instructions
 
-To complete the trusted publisher configuration, a package maintainer needs to:
+To configure NPM publishing, a package maintainer needs to:
 
-1. Go to [npmjs.com](https://www.npmjs.com) and log in
-2. Navigate to the package: [@kulkul/tinyurl-client](https://www.npmjs.com/package/@kulkul/tinyurl-client)
-3. Go to **Settings** → **Publishing** (or access directly at: `https://www.npmjs.com/package/@kulkul/tinyurl-client/access`)
-4. Click **"Add trusted publisher"**
-5. Configure with these details:
-   - **Provider**: GitHub Actions
-   - **Organization**: `kulkultech`
-   - **Repository**: `tinyurl-client`
-   - **Workflow**: `test-and-publish.yml`
-   - **Environment**: Leave blank (not using deployment environments)
+1. Generate an NPM automation token at [npmjs.com](https://www.npmjs.com)
+2. Add the token as a GitHub secret:
+   - Go to repository **Settings** → **Secrets and variables** → **Actions**
+   - Click **"New repository secret"**
+   - Name: `NODE_AUTH_TOKEN`
+   - Value: Your NPM automation token
 
 ## Publishing a New Version
 
@@ -29,19 +25,18 @@ To complete the trusted publisher configuration, a package maintainer needs to:
 4. The GitHub Actions workflow will automatically:
    - Run tests
    - Build the package
-   - Publish to NPM with provenance attestations
+   - Publish to NPM
 
 ## Benefits
 
-- 🔒 **Enhanced Security**: No long-lived NPM tokens stored as secrets
-- ✅ **Provenance**: Cryptographic proof of where and how the package was built
 - 🤖 **Automated**: Fully automated publishing on release creation
-- 🔍 **Transparent**: Build logs and provenance are publicly verifiable
+- ✅ **Tested**: Package is only published after tests pass
+- 🔍 **Transparent**: Build logs are publicly available
 
 ## Troubleshooting
 
 If publishing fails:
-1. Ensure the trusted publisher is configured on npmjs.com
-2. Verify the repository, workflow name, and organization match exactly
+1. Ensure the `NODE_AUTH_TOKEN` secret is configured correctly
+2. Verify the NPM token has appropriate permissions
 3. Check that the release was created (not just a tag)
 4. Review the GitHub Actions logs for detailed error messages

.github/workflows/test-and-publish.yml

@@ -35,9 +35,6 @@ jobs:
     needs: test
     runs-on: ubuntu-latest
     if: github.event_name == 'release' && github.event.action == 'created'
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@v3
 
@@ -55,4 +52,6 @@ jobs:
         run: yarn build
 
       - name: Publish to NPM
-        run: npm publish --provenance --access public
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}