Update RELEASING.md on how to rotate npm tokens (#1330)

Author: chenxzhang

RELEASING.md

@@ -80,3 +80,42 @@ yarn release
 Feature branches are automatically released under:
 
 - `http://cdn.segment.com/analytics-next/br/<branch>/<latest|sha>/standalone.js.gz`
+
+## NPM Token Management
+
+### How to Rotate/Update NPM Tokens
+
+The repository uses an NPM token stored in GitHub Actions secrets (`NPM_TOKEN`) to publish packages automatically. Due to npm's security updates, tokens now have a maximum 90-day lifetime and classic tokens will be revoked. You should use **Granular Access Tokens** for better security.
+
+#### Creating a New NPM Token
+
+1. **Generate a new token at npm**:
+   - Go to https://www.npmjs.com/settings/YOUR_USERNAME/tokens
+   - Click "Generate New Token" → "Granular Access Token"
+   - Configure the token:
+     - **Token Name**: Something descriptive like "analytics-next-ci"
+     - **Expiration**: 90 days (maximum)
+     - **Permissions**: Select "Read and write"
+     - **Packages and scopes**: Select packages in `@segment` organization
+   - Copy the token (starts with `npm_`)
+
+2. **Test the token locally**:
+   ```bash
+   # Add token to your ~/.npmrc
+   echo "//registry.npmjs.org/:_authToken=YOUR_NEW_TOKEN" > ~/.npmrc
+
+   # Verify authentication
+   npm whoami
+
+   # Build packages
+   yarn build
+
+   # Test dry-run publish (doesn't actually publish)
+   cd packages/core && npm publish --dry-run
+   cd ../browser && npm publish --dry-run
+   cd ../node && npm publish --dry-run
+   ```
+
+3. **Update GitHub Actions Secret**:
+   - Go to: https://github.com/segmentio/analytics-next/settings/secrets/actions
+   - Update secret for `NPM_TOKEN`