ci: enhance NPM publishing process and update documentation

Author: mrtungdev

.github/workflows/publish.yml

@@ -17,12 +17,17 @@ jobs:
         registry-url: 'https://registry.npmjs.org'
 
     - name: Install dependencies
-      run: npm install
+      run: npm ci
+
+    - name: Verify npm auth (debug)
+      run: npm whoami
+      env:
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     - name: Build
       run: npm run build
 
     - name: Publish to NPM
-      run: npm publish --access public
+      run: npm publish --provenance --access public
       env:
         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.npmrc

@@ -0,0 +1,3 @@
+//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+registry=https://registry.npmjs.org/
+always-auth=true

PUBLISHING.md

@@ -202,14 +202,29 @@ git push origin develop
 
 1. Generate NPM token:
    - Go to https://www.npmjs.com/settings/YOUR_USERNAME/tokens
-   - Create "Automation" token
+   - Create **"Automation" token** (NOT "Publish" / NOT "Read-only")
    - Copy the token
 
 2. Add to GitHub Secrets:
    - Go to repository Settings → Secrets → Actions
    - Add secret: `NPM_TOKEN`
    - Paste the token
 
+### If `npm publish` fails with `EOTP`
+
+If you see this in GitHub Actions:
+
+```text
+npm error code EOTP
+npm error This operation requires a one-time password from your authenticator.
+```
+
+That means your NPM account requires 2FA for publishing and the token you provided can’t publish without an OTP prompt.
+
+Fix:
+- Use an **Automation token** for `NPM_TOKEN` (recommended for CI)
+- Or change NPM 2FA setting to **“authorization only”** (so CI publish doesn’t require OTP)
+
 ### Publish via GitHub Release
 
 ```bash