fix(publish): use npm publish so the auth token actually gets used

[sigmachirality]

Context

Follow-up to #41. After pinning yarn's registry to npmjs.org, the v0.1.0-alpha.29 publish still failed:

+ yarn publish --tag latest --registry https://registry.npmjs.org
info Current version: 0.1.0-alpha.29
[3/4] Publishing...
error Couldn't publish package: "https://registry.npmjs.org/@sfcompute%2fnodes-sdk-alpha: Not found"

yarn publish is not picking up the _authToken entry that npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN" writes at the top of bin/publish-npm — so the PUT goes out unauthenticated and the npm registry replies with 404 (instead of 401). Verified locally that unauthenticated curl -X PUT https://registry.npmjs.org/@sfcompute%2fnodes-sdk-alpha returns 404.

Description of changes

Swap yarn publish for npm publish in bin/publish-npm. npm publish reads the same ~/.npmrc that npm config set populated, so the bearer token actually goes out with the request.

package.json already has publishConfig.access = "public", so no --access public flag is needed.

Testing

Like #41 — can only be exercised in CI. After this lands:

1. Re-run the Publish NPM workflow against main (HEAD has the right version: 0.1.0-alpha.29).
2. Confirm with npm view @sfcompute/nodes-sdk-alpha version — should jump from 0.1.0-alpha.27 to 0.1.0-alpha.29.

Review Callouts

1. Problem: Release workflow still silently fails after fix(publish): pin yarn publish to registry.npmjs.org #41 because yarn 1.x publish doesn't respect the npm authToken format the script writes.
2. API/CLI/Frontend impact: None at runtime. CI only.
3. Observability: None.
4. Unhappy path: If the npm token itself is invalid, npm publish will fail with a clear 401 Unauthorized instead of a misleading 404.

Tag @indent to continue the conversation here.

[semanticdiff-com]

Review changes with  

[indent]

PR Summary

Switches the npm release script from yarn publish to npm publish so the bearer token written via npm config set to ~/.npmrc is actually attached to the publish PUT, unblocking releases that were failing with 404 Not Found (e.g. v0.1.0-alpha.28/29). yarn 1.x's publish was silently dropping the _authToken entry, which masqueraded as a missing-package error. The accompanying comment is rewritten to explain the auth-token root cause instead of the registry-mirror issue addressed in #41.

• bin/publish-npm: replace yarn publish --tag "$TAG" --registry https://registry.npmjs.org with npm publish --tag "$TAG" (npm defaults to registry.npmjs.org and publishConfig.access: "public" is inherited into dist/package.json, so no --registry/--access flag is needed).
• Update the surrounding comment to document the yarn-auth issue and reference the prior failed releases.

Issues

No issues found.

CI Checks

All CI checks passed for commit 04a5fb7.