From 6d2a7a6f0d0afa48d415327505ee9f363031495c Mon Sep 17 00:00:00 2001
From: Daniel Tao <danieltaox@gmail.com>
Date: Mon, 18 May 2026 07:32:00 +0000
Subject: [PATCH] fix(publish): pin yarn publish to registry.npmjs.org

yarn 1.x defaults to https://registry.yarnpkg.com, which is a read-only
npm mirror. The auth token configured at the top of the script targets
registry.npmjs.org, so the publish PUT request was failing with
"Not found" against yarnpkg.com. Recent runs for v0.1.0-alpha.28 and
v0.1.0-alpha.29 both failed for this reason and never made it to npm
(npm latest is stuck at 0.1.0-alpha.27).

Passing --registry https://registry.npmjs.org explicitly forces yarn to
hit the same endpoint the token is scoped to.

After this lands, re-run the Publish NPM workflow against the
v0.1.0-alpha.29 tag to actually publish the release.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
---
 bin/publish-npm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/bin/publish-npm b/bin/publish-npm
index 45e8aa8..7132dfe 100644
--- a/bin/publish-npm
+++ b/bin/publish-npm
@@ -58,4 +58,10 @@ else
 fi
 
 # Publish with the appropriate tag
-yarn publish --tag "$TAG"
+#
+# Explicit --registry is required because yarn 1.x defaults to
+# https://registry.yarnpkg.com — a read-only npm mirror — and the auth
+# token above is configured for registry.npmjs.org, so the publish PUT
+# fails with "Not found". Recent runs (v0.1.0-alpha.28, v0.1.0-alpha.29)
+# failed for this reason.
+yarn publish --tag "$TAG" --registry https://registry.npmjs.org