fix: use MINISIGN_PASS environment variable for password

.github/workflows/publish.yml

@@ -85,9 +85,8 @@ jobs:
       - name: Sign package with minisign
         run: |
           if [ ! -f minisign.key.skip ]; then
-            # Use MINISIGN_PASSPHRASE environment variable for the password
-            export MINISIGN_ASK_PASS=0
-            echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
+            # Use -W flag to read password from stdin
+            echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -W -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
             echo "✓ Successfully signed package with minisign"
           else
             echo "::warning::Skipping minisign signature generation"
@@ -137,15 +136,15 @@ jobs:
             if [ -f "$sbom" ]; then
               echo "Signing $sbom"
               if [ ! -f minisign.key.skip ]; then
-                echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
+                echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -W -t "SBOM for create-claude v$VERSION"
               fi
               gpg --armor --detach-sign --output "$sbom.asc" "$sbom"
             fi
           done
 
           # Find and sign any GitHub attestation files
           if [ ! -f minisign.key.skip ]; then
-            find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;
+            find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -W -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;
           fi
           find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;