fix(release): remove any npm tokens

thatkookooguy · thatkookooguy · commit b8bb85318359 · 2025-12-21T00:47:31.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,6 +30,21 @@ jobs:
           node-version: 'lts/*'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Ensure OIDC-only npm auth (no tokens)
+        run: |
+          # Remove any committed or inherited npm token configuration
+          rm -f .npmrc ~/.npmrc
+          npm config delete //registry.npmjs.org/:_authToken || true
+          npm config delete _authToken || true
+          npm config delete token || true
+
+          # Defensive: if your repo/org still has these secrets, make sure they are not used
+          echo "NPM_TOKEN is: ${NPM_TOKEN:+set}" || true
+          echo "NODE_AUTH_TOKEN is: ${NODE_AUTH_TOKEN:+set}" || true
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+
       - name: Install dependencies
         run: npm ci
 
