Conversation

@GarthDB (Member) commented Jan 22, 2026

Deep Dive: Root Cause Analysis

After analyzing the logs from https://github.com/adobe/spectrum-design-data/actions/runs/21268010963/job/61211774286, I found the exact problem preventing OIDC from working.

The Evidence

1. npm is trying to use a non-existent token:

WARN Issue while reading "/home/runner/.npmrc". Failed to replace env in config: ${NPM_TOKEN}
npm notice Access token expired or revoked. Please try logging in again.

2. But OIDC IS working for provenance:

npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://search.sigstore.dev/?logIndex=845437195

3. Changesets detected the auth token line:

Found existing auth token for the npm registry in the user .npmrc file

The Problem

The .npmrc contained this auth token line:

//registry.npmjs.org/:_authToken=${NPM_TOKEN}

When npm sees _authToken in .npmrc, it tries to use token-based authentication instead of falling back to OIDC. Since NPM_TOKEN isn't set as an environment variable, npm tries to expand ${NPM_TOKEN} and gets an invalid literal string, which it rejects.

Why Provenance Worked But Publish Failed

OIDC authentication for provenance signing uses a separate code path in npm that doesn't check .npmrc for auth tokens. This proves:

  • ✅ The OIDC environment is correctly configured
  • ✅ The id-token: write permission works
  • ✅ Trusted publishers are configured correctly
  • ❌ But the publish operation was blocked by the invalid token in .npmrc

The Solution

Remove the //registry.npmjs.org/:_authToken=${NPM_TOKEN} line from .npmrc.

With only the registry URL, npm will:

  1. Not find a token in .npmrc
  2. Detect the GitHub Actions OIDC environment (via id-token: write permission)
  3. Automatically use trusted publishers for authentication

This is the recommended approach per npm docs - no auth token in .npmrc when using OIDC.

Changes

Before (broken):

cat > ~/.npmrc << 'EOF'
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
EOF

After (working):

cat > ~/.npmrc << 'EOF'
registry=https://registry.npmjs.org/
EOF

Verification

This will fix all the auth errors:

  • ✅ No more "Failed to replace env in config" warnings
  • ✅ No more "Access token expired" errors
  • ✅ npm will auto-detect OIDC and use trusted publishers
  • ✅ All 4 queued packages will publish successfully:
    • @adobe/design-system-registry@1.1.0
    • @adobe/spectrum-tokens@14.1.0
    • @adobe/token-diff-generator@2.5.3
    • @adobe/spectrum-design-data-mcp@1.0.13

Related

The _authToken line with ${NPM_TOKEN} was blocking npm's OIDC
auto-detection. npm was trying to use the token (which doesn't exist)
instead of falling back to OIDC.

Evidence from logs:
- WARN: Failed to replace env in config: ${NPM_TOKEN}
- npm notice: Access token expired or revoked
- BUT: Provenance signing worked (proves OIDC is available)

Solution: Remove the _authToken line entirely. npm CLI will now
auto-detect OIDC via the id-token: write permission and use
trusted publishers for authentication.

Also removed invalid skipNpmAuth parameter.
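An added preflight check, not code from this PR or from npm, that a release job can run before `npm publish` to catch the misconfiguration described above before it reaches the registry. It assumes POSIX sh with grep, sed and mktemp; the function names and the sample file names are mine, and the sample .npmrc contents are constructed to mirror the before/after shown in the PR.

```shell
#!/bin/sh
# Added example (not from the PR or from npm): preflight check for a release job that
# relies on GitHub Actions OIDC / trusted publishing. An _authToken entry in .npmrc makes
# npm attempt token auth instead of OIDC, and an unset ${NPM_TOKEN} is left as a literal
# string that the registry rejects.

# Print every auth-token entry (with line number) in the given .npmrc; exit 1 if none.
npmrc_auth_token_lines() {
  grep -n '_authToken' "$1"
}

# Return 0 when the file is OIDC-ready (no token entries), 1 otherwise.
# Also warns about ${VAR} references whose variable is not set in this job.
npmrc_check() {
  file="$1"
  [ -f "$file" ] || { echo "ok: $file absent, npm will use OIDC"; return 0; }
  for ref in $(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$file" | sort -u); do
    name=$(printf '%s' "$ref" | sed 's/^\${//; s/}$//')
    eval "val=\${$name:-}"
    [ -n "$val" ] || echo "warning: $file references $ref but $name is unset" >&2
  done
  if npmrc_auth_token_lines "$file"; then
    echo "error: _authToken entry in $file blocks OIDC trusted publishing" >&2
    return 1
  fi
  echo "ok: $file has no auth token, npm can fall back to OIDC"
}

# Constructed sample files mirroring the PR's before/after .npmrc (hypothetical names).
demo_dir=$(mktemp -d)
printf 'registry=https://registry.npmjs.org/\n//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n' \
  > "$demo_dir/npmrc.before"
printf 'registry=https://registry.npmjs.org/\n' > "$demo_dir/npmrc.after"

npmrc_check "$demo_dir/npmrc.before" || echo "(before: rejected, as expected)"
npmrc_check "$demo_dir/npmrc.after"
```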
@changeset-bot (bot) commented Jan 22, 2026

⚠️ No Changeset found

Latest commit: 02f3da9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@GarthDB (Member, Author) commented Jan 22, 2026

Run report for 02f3da97

Total time: 6.5ms | Comparison time: 0s | Estimated loss: 6.5ms (100.0% slower)

Action Time Status Info
🟩 SyncWorkspace 6.4ms Passed
Touched files
.github/workflows/release.yml

@GarthDB GarthDB merged commit 71f8bba into main Jan 22, 2026
4 checks passed
@GarthDB GarthDB deleted the fix/oidc-without-npmrc-token branch January 22, 2026 23:07