From fd22fca589edbe95378eb814f0a54dd061e0d3d9 Mon Sep 17 00:00:00 2001
From: mvedma04005 <mani.vedma@rokt.com>
Date: Wed, 10 Jun 2026 17:30:28 -0400
Subject: [PATCH] ci: authenticate npm publish with the org token

No trusted publisher is configured on npmjs for this package, so the OIDC-only
publish 404s. Use NPM_AUTH_TOKEN via NODE_AUTH_TOKEN (setup-node registry-url
wires .npmrc to it); provenance is still attested through the OIDC id-token.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d4a9b65..51dd999 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -81,6 +81,9 @@ jobs:
             GIT_AUTHOR_EMAIL: developers@mparticle.com
             GIT_COMMITTER_NAME: mparticle-automation
             GIT_COMMITTER_EMAIL: developers@mparticle.com
+            # npm auth: no trusted publisher is configured on npmjs for this package,
+            # so publish authenticates with the org token (provenance still attested via OIDC).
+            NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
 
         steps:
             - name: Checkout public main branch