From 04d5d102e593617052cfe42e352b2c0cdf6a3dd4 Mon Sep 17 00:00:00 2001
From: 0xshippor <14165372+0xshippor@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:28:38 +0000
Subject: [PATCH] fix: npm token secrets

---
 .github/workflows/release.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f976c6c..732696b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,8 @@ jobs:
   release:
     if: ${{ !contains(github.event.head_commit.message, '[skip release]') }}
     runs-on: ubuntu-latest
+    env:
+      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
     steps:
       - name: Checkout repository
@@ -83,16 +85,16 @@ jobs:
           git push
 
       - name: Configure npm token fallback
-        if: steps.changesets.outputs.has_changesets == 'true' && secrets.NPM_TOKEN != ''
+        if: steps.changesets.outputs.has_changesets == 'true' && env.NPM_TOKEN != ''
         shell: bash
         run: |
           printf "//registry.npmjs.org/:_authToken=%s\n" "$NODE_AUTH_TOKEN" > ~/.npmrc
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
 
       - name: Publish changed packages
         if: steps.changesets.outputs.has_changesets == 'true'
         run: bun run release
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true