From 85b7e9737c53a274d6a829f36cee6c307f20dab9 Mon Sep 17 00:00:00 2001
From: justsisyphus <justsisyphus@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:49:20 +0900
Subject: [PATCH] fix(publish): disable provenance for platform packages via
 env override

NPM_CONFIG_PROVENANCE env var was overriding useProvenance=false in code.
Now explicitly sets NPM_CONFIG_PROVENANCE=false for platform packages
to prevent OIDC token expiration during large binary uploads.
---
 script/publish.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/script/publish.ts b/script/publish.ts
index 46300109a..6ed243d94 100644
--- a/script/publish.ts
+++ b/script/publish.ts
@@ -208,9 +208,10 @@ async function publishPackage(cwd: string, distTag: string | null, useProvenance
 
   const tagArgs = distTag ? ["--tag", distTag] : []
   const provenanceArgs = process.env.CI && useProvenance ? ["--provenance"] : []
+  const env = useProvenance ? {} : { NPM_CONFIG_PROVENANCE: "false" }
   
   try {
-    await $`npm publish --access public --ignore-scripts ${provenanceArgs} ${tagArgs}`.cwd(cwd)
+    await $`npm publish --access public --ignore-scripts ${provenanceArgs} ${tagArgs}`.cwd(cwd).env({ ...process.env, ...env })
     return { success: true }
   } catch (error: any) {
     const stderr = error?.stderr?.toString() || error?.message || ""