From 32eb0103473b20a928b9ba63095d66c256d87e7e Mon Sep 17 00:00:00 2001
From: unknown
Date: Sun, 29 Mar 2026 12:32:40 -0700
Subject: [PATCH] =?UTF-8?q?Restore=20NPM=5FTOKEN=20in=20release=20workflow?= =?UTF-8?q?=20=E2=80=94=20npm=20OIDC=20is=20not=20tokenless?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
npm trusted publishing uses OIDC for provenance signing only, not for authentication. Registry auth still requires NODE_AUTH_TOKEN. The "trusted publisher" config on npm verifies provenance attestations, not publish permissions.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 89c5473..b89dac9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,8 +36,10 @@ jobs:
 - name: Test
 run: npm test
- - name: Publish to npm
+ - name: Publish to npm (trusted publishing via OIDC)
 run: npm publish --provenance --access public
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Create GitHub Release
 uses: softprops/action-gh-release@v2
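Review bot: The renamed step title `Publish to npm (trusted publishing via OIDC)` no longer matches what the step does, because the added `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` makes the publish authenticate with a long-lived registry token, and someone auditing the release path would assume no stored credential exists. Rename it to something like `- name: Publish to npm (token auth, OIDC provenance)` and add a comment above `env:` such as `# NPM_TOKEN: granular, publish-only token scoped to this package; rotate on a schedule`. Since a leaked token allows publishing from outside this workflow, the secret is better kept in a protected environment with required reviewers than as a repository-wide secret. The commit message's premise may also be outdated: npm's trusted publishing can authenticate the publish itself over OIDC when the job has `id-token: write` and a recent npm CLI (11.5.1 or later), so the earlier failure may have come from one of those settings, which are outside this hunk.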