ci(release): use npm trusted publishing

[AmanVarshney01]

Summary

• Remove token-based npm whoami from the release workflow.
• Publish release packages without NODE_AUTH_TOKEN so npm can use GitHub Actions OIDC trusted publishing.
• Drop explicit --provenance flags because npm trusted publishing generates provenance automatically.

Notes

• npm trusted publishers must be configured on npmjs.com for each released package with owner AmanVarshney01, repo create-better-t-stack, workflow filename release.yaml, and allowed action npm publish.
• pr-preview.yaml is intentionally unchanged because npm currently allows one trusted publisher per package; preview publishing still needs token-based auth unless that flow is redesigned.

Verification

• bun run check

Summary by CodeRabbit

• Chores
  • Updated CI/CD release workflow configuration, removing NPM authentication verification and adjusting package publishing process across multiple packages.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
create-better-t-stack-web	Ready	Preview, Comment	May 24, 2026 8:54pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9eae9a6f-f144-4162-85b7-36205ae1b0a3

📥 Commits

Reviewing files that changed from the base of the PR and between e1c6379 and ecc0c44.

📒 Files selected for processing (1)

• .github/workflows/release.yaml

---

Walkthrough

The release workflow is updated to remove NPM authentication verification and modify the publish process by dropping the --provenance flag from all npm publish commands and removing the NODE_AUTH_TOKEN environment variable from publish steps while preserving telemetry configuration.

Changes

Release Workflow NPM Configuration

Layer / File(s)	Summary
Remove NPM auth verification and update publish commands .github/workflows/release.yaml	The NPM authentication verification step (npm whoami) is removed from the workflow. All npm publish commands for @better-t-stack/types, @better-t-stack/template-generator, @better-t-stack/cli, and create-bts are modified to remove the --provenance flag, and NODE_AUTH_TOKEN is dropped from the environment variables in publish steps.

Possibly related PRs

• AmanVarshney01/create-better-t-stack#959: Directly overlaps with this PR's edits to .github/workflows/release.yaml regarding removal of the "Verify NPM auth" step and changes to npm publish flags (--provenance) and environment variables (NODE_AUTH_TOKEN).

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci(release): use npm trusted publishing' directly and clearly describes the main change—switching from token-based authentication to npm's trusted publishing mechanism in the release workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}