From 2a68cd790bde704e3aa89d5e5b383066798cd790 Mon Sep 17 00:00:00 2001
From: Saif Ali Shaik <saif.shaik@scalekit.com>
Date: Fri, 15 May 2026 15:31:46 +0530
Subject: [PATCH] fix: disable provenance for private repo

Private source repos not supported by sigstore provenance.
Explicitly opt out via NPM_CONFIG_PROVENANCE=false.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2c9fe73..faa9a5c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,9 +69,11 @@ jobs:
         run: npm install -g npm@11.5.1
 
       - name: Publish to npm
+        env:
+          NPM_CONFIG_PROVENANCE: false
         run: |
           if [ "${{ github.event.release.prerelease }}" = "true" ]; then
-            pnpm publish --no-git-checks --tag next --access public --provenance
+            pnpm publish --no-git-checks --tag next --access public
           else
-            pnpm publish --no-git-checks --tag latest --access public --provenance
+            pnpm publish --no-git-checks --tag latest --access public
           fi