
ci: publish via OIDC trusted publishing with provenance #50

Merged: jaredwray merged 2 commits into main from claude/happy-newton-vby88p on Jun 9, 2026

Conversation

@jaredwray (Contributor)

Summary

Moves the release workflow from a long-lived NPM_TOKEN to npm OIDC trusted publishing with provenance attestations, removing the stored secret entirely. The whole release pipeline now runs through pnpm.

Changes

.github/workflows/release.yaml

  • Removed the NPM_TOKEN env var and the Set NPM Auth Token step that wrote a token into .npmrc.
  • The existing id-token: write permission now lets pnpm's native publish exchange the GitHub OIDC token for a short-lived publish token — no secret required.
  • Added registry-url: 'https://registry.npmjs.org' to actions/setup-node so the OIDC token exchange targets the npm registry.
  • Added --provenance to pnpm publish so signed provenance attestations are generated and published.

package.json

  • Added a repository field. npm requires this to generate provenance statements; publish would fail without it.

How it works

pnpm@11.5.2 (pinned via packageManager) uses its native publish implementation, which supports OIDC trusted publishing. When run from GitHub Actions with id-token: write, pnpm detects the OIDC environment and exchanges the token automatically — no NPM_TOKEN needed. With trusted publishing + --provenance, npm publishes provenance attestations linking the package to this repo and workflow run.

⚠️ Required manual step before the next release

A trusted publisher must be configured for @hyphen/react-sdk on npmjs.com (one-time, by a package owner):

  1. Go to the package's Settings → Trusted Publisher (https://www.npmjs.com/package/@hyphen/react-sdk/access).
  2. Add a GitHub Actions publisher with:
    • Organization/user: Hyphen
    • Repository: react-sdk
    • Workflow filename: release.yaml
    • Environment: (leave blank — the workflow does not use one)

Until this is configured, publishing will fail with a 404 (npm can't match the run to a trusted publisher). No environment changes are needed in this repo beyond what's in this PR.

Notes

  • Requirements satisfied: pnpm publish supports --provenance; trusted publishing needs npm/pnpm with OIDC support (pnpm 11.5.2 ✓) and Node ≥ 22.14.0 (workflow uses Node 24 ✓).
  • README.md's npm install line is end-user install guidance for consumers and is intentionally unchanged.

https://claude.ai/code/session_01HF9jcEMiFbSCB9eocTmybh


Generated by Claude Code

Switch the release workflow from a long-lived NPM_TOKEN to npm OIDC
trusted publishing, eliminating the stored token entirely.

- Remove NPM_TOKEN env var and the .npmrc auth-token step; the
  id-token: write permission (already present) lets pnpm's native
  publish exchange the GitHub OIDC token for a short-lived publish
  token.
- Set registry-url so the OIDC token exchange targets npmjs.org.
- Add --provenance to pnpm publish so attestations are generated.
- Add repository field to package.json, required for provenance.

Everything in the release pipeline now runs through pnpm.
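As an added example, not the repository's own release.yaml: a minimal release job shaped like the workflow this PR describes, with the token-based steps it removes kept only as a comment. The trigger, action versions, the pnpm setup step and the `--no-git-checks` flag are assumptions.

```yaml
# Added example, not the repository's actual release.yaml: a minimal release
# job shaped like the workflow this PR describes. Trigger, action versions and
# the pnpm setup step are assumptions.
name: release

on:
  push:
    tags: ['v*']   # assumption: releases are tag-driven

permissions:
  contents: read
  id-token: write   # allows the job to request a GitHub OIDC token for npm to verify

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installs the pnpm version pinned in package.json "packageManager"
      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24
          # Points the OIDC token exchange at the npm registry
          registry-url: 'https://registry.npmjs.org'

      - run: pnpm install --frozen-lockfile

      # Removed relative to a token-based workflow (kept here as a comment):
      #   env:
      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      #   - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
      # pnpm performs the OIDC exchange itself, so no secret or .npmrc entry
      # is needed. --provenance requires a "repository" field in package.json
      # and a trusted publisher on npmjs.com matching this workflow filename.
      # --no-git-checks (assumption): skips pnpm's branch/clean-tree check,
      # which otherwise fails on a detached tag checkout.
      - run: pnpm publish --provenance --no-git-checks
```

With no `NPM_TOKEN` in the repository secrets, a compromised CI job or leaked log has no long-lived credential to exfiltrate; the publish token exists only for the duration of the run.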

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates package.json to include the repository field pointing to the Git repository URL. There are no review comments, and I have no feedback to provide.


@codecov

codecov Bot commented Jun 9, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (2038bbb) to head (b937170).

Additional details and impacted files
@@            Coverage Diff            @@
##              main       #50   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            3         3           
  Lines           19        19           
  Branches         1         1           
=========================================
  Hits            19        19           


@jaredwray jaredwray merged commit 1e24d73 into main Jun 9, 2026
10 checks passed
@jaredwray jaredwray deleted the claude/happy-newton-vby88p branch June 9, 2026 17:30