From 02f3da9717875111ae9fb575e529b81bb471855b Mon Sep 17 00:00:00 2001
From: garthdb
Date: Thu, 22 Jan 2026 16:06:05 -0700
Subject: [PATCH] fix(ci): remove auth token from npmrc to enable OIDC

The _authToken line with ${NPM_TOKEN} was blocking npm's OIDC auto-detection. npm was trying to use the token (which doesn't exist) instead of falling back to OIDC.
Evidence from logs:
- WARN: Failed to replace env in config: ${NPM_TOKEN}
- npm notice: Access token expired or revoked
- BUT: Provenance signing worked (proves OIDC is available)
Solution: Remove the _authToken line entirely. npm CLI will now auto-detect OIDC via the id-token: write permission and use trusted publishers for authentication.
Also removed invalid skipNpmAuth parameter.
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cee6d82a..e064ef4a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,13 +22,12 @@ jobs:
  - uses: moonrepo/setup-toolchain@v0
  with:
  auto-install: true
- - name: Setup npm for OIDC authentication
+ - name: Setup npm registry (OIDC will auto-authenticate)
  run: |
- # Create .npmrc for registry without auth token
- # npm CLI (11.5.1+) will auto-detect OIDC and handle authentication
+ # Create minimal .npmrc without auth token
+ # npm CLI (11.5.1+) will auto-detect OIDC via id-token permission
  cat > ~/.npmrc << 'EOF'
  registry=https://registry.npmjs.org/
- //registry.npmjs.org/:_authToken=${NPM_TOKEN}
  EOF
  - run: moon setup
  - run: moon run :build --query "projectSource~packages/*"
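Review bot: The comment in the `run:` block relies on npm 11.5.1+ for OIDC, but nothing in this step checks which npm version `moonrepo/setup-toolchain` actually installed, so an older npm would presumably fail at publish time with an auth error much like the one quoted in the commit message. A fail-fast guard after the heredoc would make the requirement explicit: `printf '%s\n' 11.5.1 "$(npm --version)" | sort -V -C || { echo "npm >= 11.5.1 required for OIDC publish" >&2; exit 1; }`. With the token line gone, the workflow's OIDC identity is the only publish credential and any action running in the job can request it, so the mutable `moonrepo/setup-toolchain@v0` tag is worth pinning to a full commit SHA. The job's `permissions:` block and the publish step are outside the hunk; confirm there that `id-token: write` is granted on this job only and that no `NPM_TOKEN` or `NODE_AUTH_TOKEN` is still exported.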