v0.1.0

@stevekinney stevekinney tagged this 05 Jun 23:51
npm provenance signing fails under Bun's BoringSSL with
ERR_OSSL_NO_DEFAULT_DIGEST (OPENSSL_internal:NO_DEFAULT_DIGEST) — the
publish reaches 'Publishing ... with public access' then dies in the
sigstore signing step. Provenance is a supply-chain nicety, not a
publish requirement, so disable it for this token-based fallback.

Disabled in BOTH sources so npm config precedence is irrelevant:
  - workflow env NPM_CONFIG_PROVENANCE: 'false'
  - packages/components/package.json publishConfig.provenance: false

Restore provenance when migrating back to the OIDC release.yaml path,
which runs under Node with a working sigstore toolchain.