ci: strip _authToken from .npmrc instead of clearing env vars

seanphan · seanphan · commit 917e90a6eb6e · 2026-02-24T07:02:03.000-08:00
Keep setup-node's registry-url config (npm needs to know the registry)
but remove the _authToken and always-auth entries from .npmrc so npm
falls through to OIDC trusted publishing.
diff --git a/.github/workflows/release-node.yaml b/.github/workflows/release-node.yaml
@@ -55,11 +55,16 @@ jobs:
 
       - name: Publish to npm (trusted publishing)
         working-directory: packages/cli
-        env:
-          NODE_AUTH_TOKEN: ""
-          NPM_CONFIG_USERCONFIG: ""
         run: |
           echo "Node: $(node --version) / npm: $(npm --version)"
+          # Strip token auth from .npmrc so npm uses OIDC instead
+          NPMRC="${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"
+          if [ -f "$NPMRC" ]; then
+            sed -i '/_authToken/d' "$NPMRC"
+            sed -i '/always-auth/d' "$NPMRC"
+            echo "Cleaned .npmrc:"
+            cat "$NPMRC"
+          fi
           npm publish --access public --provenance
 
       - name: Create GitHub Release
@@ -123,11 +128,15 @@ jobs:
 
       - name: Publish to npm (trusted publishing)
         working-directory: packages/sdk
-        env:
-          NODE_AUTH_TOKEN: ""
-          NPM_CONFIG_USERCONFIG: ""
         run: |
           echo "Node: $(node --version) / npm: $(npm --version)"
+          NPMRC="${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"
+          if [ -f "$NPMRC" ]; then
+            sed -i '/_authToken/d' "$NPMRC"
+            sed -i '/always-auth/d' "$NPMRC"
+            echo "Cleaned .npmrc:"
+            cat "$NPMRC"
+          fi
           npm publish --access public --provenance
 
       - name: Create GitHub Release
