ci: Remove npm token in favor of trusted publishing

juliaschiller150 · juliaschiller150 · commit c9a06fe0a51c · 2025-11-04T19:53:56.000-06:00
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -4,6 +4,10 @@ on:
   push:
     branches:
       - "main"
+      
+permissions:
+  id-token: write  # Required for OIDC / NPM Trusted Publishing (https://repos.openssf.org/trusted-publishers-for-all-package-repositories)
+  contents: read
 
 jobs:
   quality-bump-and-publish:
@@ -37,5 +41,3 @@ jobs:
         run: npm run package
       - name: Publish to npm
         run: npm publish
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
diff --git a/.npmrc b/.npmrc
@@ -1 +1 @@
-//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+//registry.npmjs.org/

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//registry.npmjs.org/:_authToken=${NPM_TOKEN}`
	`1`	`+//registry.npmjs.org/`