From 47f18fdd11a11e13388599fe7882cb6c5c71531d Mon Sep 17 00:00:00 2001
From: Jamie Holding
Date: Wed, 15 Apr 2026 11:59:24 +0000
Subject: [PATCH] ci: use npm trusted publishing instead of NPM_TOKEN

npm launched GitHub Actions trusted publishing (OIDC) in mid-2025. With a trusted publisher configured on the package, `npm publish` authenticates via the workflow's OIDC token (which we already have via `id-token: write`, needed for --provenance). No long-lived NPM_TOKEN secret required.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b054170..398f7af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,8 +22,6 @@ jobs:
 - run: npm ci
 - run: npm run lint && npm run typecheck && npm test && npm run build
 - run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - uses: softprops/action-gh-release@v2
 with:
 generate_release_notes: true