Merge pull request #21 from phantom/kuba/fix-publishing

jkadamczyk · web-flow · commit 5991c1237125 · 2026-01-26T10:16:38.000+01:00
fix: publishing with trusted publishing
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,6 +20,7 @@ jobs:
     env:
       # Force npm to emit provenance (SLSA) when publishing via OIDC.
       NPM_CONFIG_PROVENANCE: true
+      NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
 
     steps:
       - name: Checkout Repo
@@ -33,7 +34,7 @@ jobs:
         with:
           node-version: 20.x
           registry-url: "https://registry.npmjs.org"
-          token: ""
+          token: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
 
       - name: Ensure npm 11.5.1+ for trusted publishing
         run: npm install -g npm@^11.5.1
@@ -48,7 +49,4 @@ jobs:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: yarn release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # we use trusted publishing and setup-node will set these incorrectly. Unset if we ever use RO_TOKEN
-          NODE_AUTH_TOKEN: ""
-          NPM_TOKEN: ""
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
