chore: remove NPM_TOKEN from release workflow by jkebinger · Pull Request #33 · ReforgeHQ/sdk-node

jkebinger · 2025-11-14T20:25:21Z

Summary

Removes the NPM_AUTH_TOKEN environment variable from the release workflow
Workflow now uses npm trusted publishing (OIDC) authentication exclusively

Context

We've switched to npm's trusted publisher feature, which uses GitHub's OIDC authentication instead of long-lived tokens. The workflow already has the required configuration:

id-token: write permission
--provenance flag on publish commands

The NPM_TOKEN secret is no longer needed and should be removed from GitHub secrets after this PR is merged.

Benefits

Eliminates long-lived token management
Reduces risk of token leakage
Aligns with npm's 2025 security improvements

🤖 Generated with Claude Code

Switch to npm trusted publishing (OIDC) authentication only. The workflow already has the required permissions (id-token: write) and uses --provenance flag, so the NPM_TOKEN secret is no longer needed. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

jdwyah

thanks!

jdwyah approved these changes Nov 20, 2025

View reviewed changes

jkebinger merged commit 938e3e8 into main Nov 20, 2025
2 checks passed

jkebinger deleted the remove-npm-token branch November 20, 2025 22:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: remove NPM_TOKEN from release workflow#33

chore: remove NPM_TOKEN from release workflow#33
jkebinger merged 1 commit intomainfrom
remove-npm-token

jkebinger commented Nov 14, 2025

Uh oh!

jdwyah left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants

Conversation

jkebinger commented Nov 14, 2025

Summary

Context

Benefits

Uh oh!

jdwyah left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants