fix: use OIDC trusted publisher for npm publish

yhk1038 · yhk1038 · commit b402d7c4b9d8 · 2026-01-22T05:31:52.000+09:00
Remove NPM_TOKEN and debug step, rely on OIDC trusted publisher
with --provenance flag for secure npm publishing.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -74,20 +74,8 @@ jobs:
       - name: Update version
         run: npm version ${{ steps.version.outputs.version }} --no-git-tag-version --allow-same-version
 
-      - name: Debug - Check token
-        run: |
-          if [ -z "${{ secrets.NPM_TOKEN }}" ]; then
-            echo "NPM_TOKEN is empty!"
-          else
-            echo "NPM_TOKEN is set (length: ${#NPM_TOKEN})"
-          fi
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Publish to npm
         run: npm publish --access public --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create Release
         uses: softprops/action-gh-release@v2
