From 2d71254a2ed8ce0b0d2561fe576ea49fd60325ea Mon Sep 17 00:00:00 2001
From: Cristian Arrieta
Date: Wed, 7 Jan 2026 12:37:42 -0500
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20[PB-1278]=20Switch=20to=20tr?= =?UTF-8?q?aditional=20npm=20token=20authentication=20(#24)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After 4 failed attempts with OIDC trusted publishing (#20, #21, #22, #23), we're switching to the more reliable traditional npm token authentication. Changes: - Add registry-url back to setup-node - Add NODE_AUTH_TOKEN env using NPM_TOKEN secret - Bump version to 0.2.12 - Keep --provenance flag for supply chain security Required setup: 1. Create npm automation token at https://www.npmjs.com/settings/[username]/tokens/create 2. Add as GitHub secret: NPM_TOKEN Benefits: ✅ Battle-tested and reliable ✅ Still supports provenance attestation ✅ No OIDC configuration issues Trade-offs: ⚠️ Requires manual token management ⚠️ Token needs rotation
---
 .github/workflows/deploy.yml | 3 +++
 package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cab6c91..a906d90 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -60,6 +60,7 @@ jobs:
 with:
 node-version: 22
 cache: 'pnpm'
+ registry-url: 'https://registry.npmjs.org'
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
@@ -76,6 +77,8 @@ jobs:
 - name: Publish to NPM
 run: npm publish --access public --tag ${{ steps.version.outputs.tag }} --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Create GitHub Release
 uses: softprops/action-gh-release@v2
diff --git a/package.json b/package.json
index aee87ae..a23a6cc 100644
--- a/package.json
+++ b/package.json
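Review bot: In the `Publish to NPM` step of `.github/workflows/deploy.yml`, the new `NODE_AUTH_TOKEN` secret is handed to a shell command that still splices `${{ steps.version.outputs.tag }}` into the script text before the shell parses it. How the `version` step derives that output is outside this hunk; if it can carry a value taken from a tag, branch or release name, shell metacharacters in it would be evaluated with the publish token in the environment. Passing the value through the environment avoids that: add `DIST_TAG: ${{ steps.version.outputs.tag }}` under `env:` and use `run: npm publish --access public --tag "$DIST_TAG" --provenance`. Because this commit replaces OIDC with a stored credential, `NPM_TOKEN` is best created as a granular access token limited to publishing this one package and given an expiry, rather than an account-wide automation token.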
@@ -1,6 +1,6 @@
 {
 "name": "@ubidots/react-html-canvas",
- "version": "0.2.11",
+ "version": "0.2.12",
 "description": "React library to interact with Ubidots Dashboards from HTML Canvas widgets (Provider + hooks + actions)",
 "license": "MIT",
 "author": "Ubidots",
From c293d40a1d065105edb2956e2b1f1c64df8a4eec Mon Sep 17 00:00:00 2001
From: Cristian Arrieta
Date: Wed, 7 Jan 2026 13:21:18 -0500
Subject: [PATCH 2/2] fix: remove --provenance flag (incompatible with NODE_AUTH_TOKEN)
---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index a906d90..f575eaa 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -76,7 +76,7 @@ jobs:
 run: pnpm run build
 - name: Publish to NPM
- run: npm publish --access public --tag ${{ steps.version.outputs.tag }} --provenance
+ run: npm publish --access public --tag ${{ steps.version.outputs.tag }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
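Review bot: Dropping `--provenance` from the `Publish to NPM` command removes the signed build attestation that the previous patch explicitly kept for supply-chain security, and the stated reason does not match how npm documents the feature. Provenance can be generated on a token-authenticated publish from GitHub Actions as long as the job grants `id-token: write`. The job's `permissions:` block is outside this hunk, so it is worth checking whether that permission was dropped during the earlier OIDC attempts before giving up on the flag. If the flag does stay out, a comment above the step such as `# provenance temporarily disabled; re-enable once id-token: write is confirmed on this job` would keep the regression visible to the next maintainer.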