revert: drop GH Packages mirror, keep single canonical install path

[rohitg00]

Reverts the GH Packages publish from #545.

Why

GitHub Packages is a separate registry from npmjs.com. Installing @rohitg00/agentmemory from npm.pkg.github.com requires the user to point their registry there + authenticate — that's real friction users don't hit on the canonical @agentmemory/agentmemory install from public npm.

The right-sidebar Packages widget on the repo page was the only motivation for the mirror. Better DX = single canonical install path. Sidebar widget stays empty; acceptable trade.

Diff

- publish-github-packages job in .github/workflows/publish.yml
- packages: write permission references in the workflow comment block
- GitHub Packages mirror badge from README

+2 / -54 across 2 files.

Manual follow-up post-merge

Delete the already-published @rohitg00/agentmemory@0.9.20 from GH Packages so the URL stops resolving:

• https://github.com/users/rohitg00/packages/npm/agentmemory/settings → Manage versions → delete 0.9.20
• Or delete the package entirely → Settings → Delete this package

Out of scope

Sponsor button surface (FUNDING.yml + #547) stays as-is — that part of #545 is unrelated and working.

Summary by CodeRabbit

• Documentation

  • Updated README status badges to reflect npm registry distribution focus

• Chores

  • Streamlined publishing workflow to consolidate on npm registry as primary distribution channel

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agentmemory	Ready	Preview, Comment	May 19, 2026 5:57pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 47d9f839-63d2-4a78-9263-f54fd47b04f9

📥 Commits

Reviewing files that changed from the base of the PR and between 6ed47c1 and efd0f64.

📒 Files selected for processing (2)

• .github/workflows/publish.yml
• README.md

💤 Files with no reviewable changes (1)

• README.md

---

📝 Walkthrough

Walkthrough

The PR removes GitHub Packages publishing, tightens workflow permissions by scoping id-token: write to the npm publish job for OIDC minting, and updates README badges from GitHub Packages to npm-focused shields.

Changes

Publishing Security and Documentation

Layer / File(s)	Summary
Publish workflow permissions and status badges .github/workflows/publish.yml, README.md	Workflow permissions clarified to grant only contents: read at the top level, with id-token: write scoped to the npm publish job for OIDC provenance minting. README badges updated to remove the GitHub Packages mirror reference and add npm version and downloads shields.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• rohitg00/agentmemory#545: Both PRs modify the same .github/workflows/publish.yml logic around OIDC and GitHub Packages publishing—the related PR introduces the GitHub Packages job while this PR removes it and adjusts permissions accordingly.

Poem

A bunny hops with npm gear,
GitHub Packages disappear,
Permissions trimmed to what's precise,
Badges shine, oh so nice! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'revert: drop GH Packages mirror, keep single canonical install path' directly summarizes the main changes: removing GitHub Packages publishing and maintaining npm as the sole install source.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/gh-packages-redirect-readme

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}