fix(ci): fall back to NPM_TOKEN for publish

Trusted Publisher (OIDC) config was returning 404 on PUT for the
v0.2.5 release — npm masks permission denial as 404 to prevent
package enumeration. The NPM_TOKEN secret is still configured in
the repo (registered 2026-03-09); restore it as the auth source.

The Trusted Publisher binding can be re-enabled later by confirming
the workflow filename + repo + ref pattern still match what's
configured at npmjs.com/package/@sharp-api/client/access. Until
then, NPM_TOKEN is the path of least surprise.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Mlaz-code

.github/workflows/publish.yml

@@ -54,12 +54,14 @@ jobs:
         # Only publish on an actual release event. workflow_dispatch
         # runs through test+build as a dry run but must not upload.
         #
-        # Trusted publishing (OIDC): npm picks up the GitHub OIDC token
-        # automatically when no _authToken is configured. The trust is
-        # registered at
+        # Auth: NPM_TOKEN secret. The Trusted Publisher (OIDC) config at
         #   https://www.npmjs.com/package/@sharp-api/client/access
-        # (Trusted Publishers → Sharp-API/sharpapi-ts → publish.yml).
-        # Drops the long-lived NPM_TOKEN secret that previously backed
-        # this step. --provenance still emits the SLSA attestation.
+        # was returning 404 on PUT for v0.2.5 (silent permission denial),
+        # so we fall back to the long-lived NPM_TOKEN. Re-enable OIDC by
+        # confirming the Trusted Publisher binding still maps to this
+        # workflow filename + repo + ref pattern after any rename.
+        # --provenance still emits the SLSA attestation either way.
         if: github.event_name == 'release'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --provenance --access public