fix(ci): scrub CodeArtifact registry= line before npm publish

.github/workflows/publish.yml

@@ -99,7 +99,26 @@ jobs:
       - name: Build
         run: pnpm build
 
+      # `aws codeartifact login` (above) writes a top-level `registry=`
+      # line to the runner's ~/.npmrc that overrides setup-node's
+      # `registry-url` and routes EVERYTHING to CodeArtifact — including
+      # `npm publish`. Per `feedback_codeartifact_login_global_registry_trap`,
+      # scrub that line so publish targets public npm. The scoped
+      # `@openloop:registry=` line stays (the eslint-config devDep is
+      # already installed; not needed for publish, but harmless).
+      - name: Scrub global registry= line written by CodeArtifact login
+        run: |
+          if [ -f "$HOME/.npmrc" ]; then
+            sed -i.bak '/^registry=https:\/\/openloop-.*\.codeartifact\..*\.amazonaws\.com\//d' "$HOME/.npmrc"
+            rm -f "$HOME/.npmrc.bak"
+          fi
+          echo "Scrubbed ~/.npmrc — current contents (auth tokens redacted):"
+          sed 's/_authToken=.*/_authToken=<redacted>/' "$HOME/.npmrc" || true
+
       - name: Publish to public npm
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public --provenance
+        # Explicit `--registry` belt-and-suspenders alongside the scrub
+        # step above, so a future Actions runner-image change to ~/.npmrc
+        # cannot accidentally re-route the publish.
+        run: npm publish --access public --provenance --registry https://registry.npmjs.org/