Add NPM_TOKEN to semantic-release step

[Copilot]

User description

The semantic-release publish step fails with 401 Unauthorized because @semantic-release/npm requires npm authentication even when provenance is enabled.

Changes

• Added NPM_TOKEN environment variable to the release step in .github/workflows/main.yml

- name: release
  run: npx semantic-release
  env:
    GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
    NPM_TOKEN: ${{secrets.NPM_TOKEN}}  # Added

Note

Requires NPM_TOKEN secret to be configured in repository settings with a valid npm access token having publish permissions.

Original prompt

Problem

The CI release workflow in .github/workflows/main.yml is failing with a 401 Unauthorized error during the semantic-release npm publish step:

npm ERR! 401 Unauthorized - GET https://registry.npmjs.org/-/whoami
SemanticReleaseError: Invalid npm token.

Root Cause

The release job has the correct permissions (id-token: write for OIDC/provenance), but the NPM_TOKEN environment variable is missing from the release step. The @semantic-release/npm plugin is configured with "provenance": true in package.json, but authentication still requires the NPM_TOKEN to be passed.

Solution

Update .github/workflows/main.yml to include the NPM_TOKEN environment variable in the release step:

      - name: release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          NPM_TOKEN: ${{secrets.NPM_TOKEN}}

Current Code (lines 58-61 in .github/workflows/main.yml)

      - name: release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Expected Code

      - name: release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          NPM_TOKEN: ${{secrets.NPM_TOKEN}}

Notes

• The repository owner will need to ensure they have an NPM_TOKEN secret configured in the repository settings (Settings → Secrets and variables → Actions) with a valid npm access token that has publish permissions.
• The provenance: true setting in package.json adds attestation to published packages but does not replace the need for npm authentication.

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

---

PR Type

Bug fix

---

Description

• Add NPM_TOKEN environment variable to semantic-release step

• Fixes 401 Unauthorized error during npm publish workflow

• Enables proper authentication for @semantic-release/npm plugin

---

Diagram Walkthrough

flowchart LR
  A["CI Release Workflow"] -->|Missing NPM_TOKEN| B["401 Unauthorized Error"]
  A -->|Add NPM_TOKEN Secret| C["Successful npm Authentication"]
  C --> D["Package Published"]

Loading

File Walkthrough

	Relevant files
Bug fix	main.yml Add NPM_TOKEN to release step environment                                .github/workflows/main.yml Added NPM_TOKEN environment variable to the release step Passes npm authentication token from repository secrets Resolves authentication failure in semantic-release npm plugin +1/-0

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Secret exfiltration risk Description: NPM_TOKEN is injected into the environment of npx semantic-release, so any executed code in that step (including transitive dependencies fetched at runtime) could potentially read and exfiltrate the token if a dependency or the workflow context is compromised. main.yml [58-62] Referred Code - name: release run: npx semantic-release env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} NPM_TOKEN: ${{secrets.NPM_TOKEN}}
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Add npm authentication configuration Before running semantic-release, add a step to write the NPM_TOKEN to the ~/.npmrc file to ensure npm authentication. .github/workflows/main.yml [59-62] -run: npx semantic-release +run: | + echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc + npx semantic-release env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - NPM_TOKEN: ${{secrets.NPM_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} Apply / Chat Suggestion importance[1-10]: 2 __ Why: The suggestion is technically correct but likely unnecessary, as the @semantic-release/npm plugin is designed to automatically use the NPM_TOKEN environment variable for authentication, making the manual creation of .npmrc redundant.	Low
More

[github-actions]

🎉 This PR is included in version 2.9.3 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀