From f525f4783ed714bb2eddd1d3ca7e188b5f5601f4 Mon Sep 17 00:00:00 2001
From: Tom Jenkinson
Date: Thu, 18 Sep 2025 17:58:10 +0100
Subject: [PATCH] Use GitHub `release` env for npm publish (#7544)

* Use GitHub `release` env for npm publish

As this is used for npm OIDC.

Also stops passing the token given OIDC doesn't need it

* Do not write token to config
---
 .github/workflows/build.yml | 4 +++-
 scripts/publish-npm.sh      | 3 ---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fba3c5ce9..ba5fa5561 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -279,6 +279,9 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   release_npm:
+    # npm oidc is configured for this environment
+    # https://docs.npmjs.com/trusted-publishers#for-github-actions
+    environment: release
     needs: [config, test_unit]
     if: needs.config.outputs.tag || needs.config.outputs.isMainBranch == 'true'
     runs-on: ubuntu-latest
@@ -323,7 +326,6 @@ jobs:
           ./scripts/publish-npm.sh
         env:
           CI: true
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           TAG: ${{ needs.config.outputs.tag }}
 
   test_functional_required:
diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
index fd95fb16c..6f1e3cb06 100755
--- a/scripts/publish-npm.sh
+++ b/scripts/publish-npm.sh
@@ -2,9 +2,6 @@ set -e
 
 if [[ $(node ./scripts/check-already-published.js) = "not published" ]]; then
-  # write the token to config
-  # see https://docs.npmjs.com/private-modules/ci-server-config
-  echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
   if [[ -z "$TAG" ]]; then
     npm publish --provenance --tag canary
     echo "Published canary."
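Review bot: The npm trusted-publisher binding is keyed to the repository, the workflow file name and this environment name, so a later rename of `build.yml` or of the `release` environment would silently break publishing; the added comment in the `release_npm` job should say so, e.g. `# npm trusted publishing is bound to this repo, the workflow file name and the environment name; changing any of them requires updating the trust config on npm`. The OIDC token exchange also needs `permissions: id-token: write` on the job; it is not visible in this hunk, so if it is not already set (the existing `--provenance` flag in publish-npm.sh suggests it is) it should be added alongside `environment: release`. Since the `if:` condition still runs this job for main-branch builds, the `release` environment's deployment protection rules (branch/tag restrictions, reviewers) are now the only gate on who can obtain a publish-capable identity, so it is worth confirming they are configured rather than left at the default. The `release_npm` job continues outside the hunk.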