From 8a88ffe0820c4f9fbcb3e9fc1f0f9b8eb8323f93 Mon Sep 17 00:00:00 2001
From: Daniel Clayton <dan@Daniels-Mac-mini.local>
Date: Mon, 2 Mar 2026 12:36:24 -0700
Subject: [PATCH] fix: enforce tokenless npm trusted publishing in release
 workflow

---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b859e1..3048fc5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,7 +30,6 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: bun install --frozen-lockfile
@@ -58,7 +57,10 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_CONFIG_PROVENANCE: true
-        run: bun run changeset:publish
+          NODE_AUTH_TOKEN: ''
+        run: |
+          rm -f ~/.npmrc
+          bun run changeset:publish
 
       - name: Commit version updates to main
         if: steps.changesets.outputs.count != '0'