ci+release: drop --provenance for internal repos, v0.1.0-alpha.3

npm rejects provenance bundles when the source GitHub repo is
`internal`-visibility, only `public` repos qualify. The OIDC trusted
publisher auth itself is unaffected — provenance is the separate
sigstore attestation layer. Drop the flag and document re-adding it
if the repo goes public.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: masnwilliams

.github/workflows/release.yaml

@@ -84,14 +84,18 @@ jobs:
       # Stable releases get the default `latest` tag; prereleases land
       # under `alpha` so `npm install @onkernel/managed-auth-react` keeps
       # picking up stable versions only.
+      #
+      # `--provenance` is intentionally omitted: npm requires a public
+      # source repository for provenance attestations and this repo is
+      # `internal`. Re-add `--provenance` if the repo goes public.
       - name: Publish to npm
         working-directory: packages/managed-auth-react
         run: |
           NPM_TAG="latest"
           if [[ "$GITHUB_REF_NAME" == *-* ]]; then
             NPM_TAG="alpha"
           fi
-          npm publish --provenance --access public --tag "$NPM_TAG"
+          npm publish --access public --tag "$NPM_TAG"
 
       - name: Create GitHub release
         env:

packages/managed-auth-react/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onkernel/managed-auth-react",
-  "version": "0.1.0-alpha.2",
+  "version": "0.1.0-alpha.3",
   "description": "React component library for Kernel managed auth — one-component drop-in with a Clerk-style appearance API",
   "license": "MIT",
   "author": "Kernel Technologies, Inc.",