From e3ac40e6156aab3c97791cfd3aa66aa3989a3ea5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?coffee=20=E2=98=95=EF=B8=8F?=
Date: Sat, 18 Apr 2026 22:51:00 -0400
Subject: [PATCH] Use OIDC for npm publishing

- Remove `NODE_AUTH_TOKEN` and npm registry config from the publish workflow
- Rely on GitHub OIDC provenance for `changeset:publish`
---
 .github/workflows/publish.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 16e5bb1..5fa47d9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -22,7 +22,6 @@ jobs:
 id-token: write
 env:
 NPM_CONFIG_PROVENANCE: "true"
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
 TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 steps:
@@ -39,7 +38,6 @@ jobs:
 with:
 node-version: 24
 cache: pnpm
- registry-url: https://registry.npmjs.org

 - name: Install dependencies
 run: pnpm install --frozen-lockfile
@@ -53,5 +51,4 @@ jobs:
 publish: pnpm changeset:publish
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 NPM_CONFIG_PROVENANCE: "true"