Skip to content

Use npm token for releases#335

Merged
0xroylee merged 3 commits into
mainfrom
getsuperpower
Jul 2, 2026
Merged

Use npm token for releases#335
0xroylee merged 3 commits into
mainfrom
getsuperpower

Conversation

@0xroylee

@0xroylee 0xroylee commented Jul 1, 2026

Copy link
Copy Markdown
Owner

What Changed

  • Updated the tag-triggered release workflow to publish with secrets.NPM_TOKEN through NODE_AUTH_TOKEN.
  • Added an explicit missing-token guard and npm whoami before npm publish.
  • Kept provenance, public access, dist-tag selection, and already-published version skipping.

Why

  • The tokenless/trusted-publishing attempt reached npm but failed authorization for the unscoped getsuperpower package.
  • The release should use an npm token stored as the NPM_TOKEN GitHub secret.

How to Test

  • rtk bun run check
  • rtk ruby -e "require 'yaml'; YAML.load_file('.github/workflows/release.yml'); puts 'release workflow yaml ok'"

Additional Notes

  • The NPM_TOKEN secret must be a token with publish permission for getsuperpower.
  • Because this package/account has 2FA involved, the token must be an npm token configured to bypass 2FA for write/publish actions, otherwise the workflow will fail with EOTP again.

@0xroylee 0xroylee changed the title Use trusted publishing for npm releases Use npm token for releases Jul 2, 2026
@0xroylee 0xroylee merged commit 450ae99 into main Jul 2, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant