fix(gitea): fix publish auth — scoped registry + proxy=false in .npmrc

Root causes found:
1. publishConfig.registry in each package.json overrides --registry CLI
   flag, causing npm to hit gitea.bytelyst.com through corp proxy.
2. Global ~/.npmrc proxy settings (NPM_CONFIG_PROXY env vars) route
   localhost:3300 through the corporate proxy.
3. No .npmrc with auth token was created for npm publish to use.

Fix: generate a proper .npmrc in WORK_DIR with:
- _authToken for registry auth
- @bytelyst:registry scoped override (bypasses publishConfig)
- proxy=false + https-proxy=false on corp network
- Unified corp/home publish path (both use same .npmrc)

Token scope issue still open: current GITEA_NPM_TOKEN has read:package
but not write:package — needs regeneration in Gitea UI.

scripts/gitea/publish-outdated-packages.sh

@@ -88,6 +88,18 @@ SKIP_DIRS="swift-platform-sdk swift-diagnostics kotlin-platform-sdk react-native
 trap 'rm -rf "$WORK_DIR"' EXIT
 mkdir -p "$WORK_DIR"
 
+# Write .npmrc with auth token + scoped registry so npm publish bypasses publishConfig
+NPMRC_FILE="$WORK_DIR/.npmrc"
+{
+  printf '//%s:_authToken=%s\n' "$AUTH_TARGET" "$TOKEN"
+  # Override publishConfig.registry in package.json (npm uses scoped registry first)
+  printf '@bytelyst:registry=%s\n' "$REGISTRY_URL"
+  if [ "$IS_CORP" = true ]; then
+    # Disable proxy for localhost (global ~/.npmrc has corp proxy)
+    printf 'proxy=false\nhttps-proxy=false\n'
+  fi
+} > "$NPMRC_FILE"
+
 # ── Helpers ────────────────────────────────────────────────
 
 pkg_field() {
@@ -230,27 +242,20 @@ publish_package() {
   # Step 3: publish to Gitea registry.
   # Run from WORK_DIR (in /tmp with .npmrc for auth) so npm won't find
   # the repo's .npmrc which has @bytelyst:registry pointing externally.
-  if [ "$IS_CORP" = true ]; then
-    # Corp: unset ALL proxy/registry env vars so npm goes directly to localhost
-    if ! (cd "$WORK_DIR" && env \
-      -u http_proxy -u https_proxy -u HTTP_PROXY -u HTTPS_PROXY \
-      -u npm_config_proxy -u npm_config_https_proxy \
-      -u NPM_CONFIG_PROXY -u NPM_CONFIG_HTTPS_PROXY \
-      -u NPM_CONFIG_REGISTRY -u NPM_CONFIG_STRICT_SSL \
-      -u NPM_CONFIG_NOPROXY \
-      -u NODE_TLS_REJECT_UNAUTHORIZED \
-      npm publish "$final_tgz" \
-      --registry "$REGISTRY_URL" 2>&1); then
-      echo "    ERROR: publish failed for $pkg_name@$pkg_version"
-      return 1
-    fi
-  else
-    # Home: publish directly to Azure VM Gitea (no proxy stripping needed)
-    if ! (cd "$WORK_DIR" && npm publish "$final_tgz" \
-      --registry "$REGISTRY_URL" 2>&1); then
-      echo "    ERROR: publish failed for $pkg_name@$pkg_version"
-      return 1
-    fi
+  # Publish using shared .npmrc (has auth, scoped registry, and proxy=false on corp)
+  # Strip all proxy/registry env vars so only .npmrc settings apply
+  if ! (cd "$WORK_DIR" && env \
+    -u http_proxy -u https_proxy -u HTTP_PROXY -u HTTPS_PROXY \
+    -u npm_config_proxy -u npm_config_https_proxy \
+    -u NPM_CONFIG_PROXY -u NPM_CONFIG_HTTPS_PROXY \
+    -u NPM_CONFIG_REGISTRY -u NPM_CONFIG_STRICT_SSL \
+    -u NPM_CONFIG_NOPROXY \
+    -u NODE_TLS_REJECT_UNAUTHORIZED \
+    npm publish "$final_tgz" \
+    --registry "$REGISTRY_URL" \
+    --userconfig "$NPMRC_FILE" 2>&1); then
+    echo "    ERROR: publish failed for $pkg_name@$pkg_version"
+    return 1
   fi
 }