Copilot AI commented Dec 8, 2025

Description

semantic-release was failing with 401 Unauthorized during npm authentication. The workflow had OIDC permissions and provenance config but was missing the NPM_TOKEN environment variable required by the semantic-release/npm plugin.

Changes

Workflow Configuration (.github/workflows/release.yml)

  • Removed registry-url from setup-node step (prevents .npmrc conflicts)
  • Added NPM_TOKEN env var to semanticRelease step for authentication
  • Updated comments clarifying npm 10.5.1+ required for provenance support

Documentation (NPM_TRUSTED_PUBLISHING_SETUP.md)

  • Setup instructions for creating granular access tokens on npmjs.com
  • Step-by-step guide for adding NPM_TOKEN secret to GitHub
  • Clarification that npm provenance adds OIDC attestation but still requires token auth
  • Troubleshooting guide for common authentication errors

Important

Repository maintainer must create a granular access token scoped to @twilio/cli-core and add it as NPM_TOKEN secret in repository settings. See NPM_TRUSTED_PUBLISHING_SETUP.md for complete instructions.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified
Original prompt

Create a PR to resolve the issue #300. Note: We have migrated to using trusted publisher via npm from classic tokens so the NPM_TOKEN secret is now removed. Create a PR to address the changes needed for releasing on NPM via trusted publisher (I have already created a publisher in npmjs).



Copilot AI changed the title from "[WIP] Update NPM release configuration for trusted publisher" to "fix: Configure npm authentication for trusted publishing with provenance" on Dec 8, 2025.

@tiwarishubham635

@copilot is there a way to authenticate semantic-release without using NPM_TOKEN? What if I remove the setup-node and update npm step?


Copilot AI commented Dec 8, 2025

@copilot is there a way to authenticate semantic-release without using NPM_TOKEN? What if I remove the setup-node and update npm step?

No, semantic-release/npm requires NPM_TOKEN for authentication. The plugin runs npm whoami during verification, which needs valid credentials (this is why the workflow fails with 401 Unauthorized).

About removing setup-node and npm update:

  • Won't eliminate NPM_TOKEN requirement - the authentication need comes from semantic-release/npm, not these steps
  • setup-node: Required for Node.js environment (semantic-release needs it)
  • npm update: Ensures npm 10.5.1+ for provenance support

What provenance/OIDC actually does:

  • Provenance = ATTESTATION (proves where package came from via OIDC)
  • NPM_TOKEN = AUTHENTICATION (proves who can publish)
  • These are separate concerns - provenance doesn't replace token authentication

npm hasn't implemented passwordless OIDC authentication like PyPI's trusted publishing. You must add NPM_TOKEN as a secret with a granular access token (see NPM_TRUSTED_PUBLISHING_SETUP.md for instructions).

The "trusted publishing" migration means: classic tokens → granular tokens + provenance, not tokens → no tokens.
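The workflow shape the PR description and this reply are talking about, as an added illustration rather than the project's actual release.yml: the job grants id-token: write so npm can obtain an OIDC token for the provenance attestation, drops registry-url from setup-node (whose generated .npmrc reads NODE_AUTH_TOKEN and clashes with the .npmrc that @semantic-release/npm writes from NPM_TOKEN), and passes NPM_TOKEN to the release step for authentication. The job and step names, the Node version and the action versions are assumptions; the two lines the PR changes are marked in comments.

```yaml
# Added example, not the repository's own workflow. Names/versions are assumed.
name: release
on:
  push:
    branches: [main]

permissions:
  contents: write        # semantic-release pushes the version tag and release notes
  issues: write
  pull-requests: write
  id-token: write        # lets npm request an OIDC token for the provenance attestation

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history so semantic-release can compute the next version
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Removed by the PR:
          #   registry-url: https://registry.npmjs.org
          # With registry-url set, setup-node writes an .npmrc whose auth line reads
          # NODE_AUTH_TOKEN; that conflicts with the .npmrc @semantic-release/npm
          # writes from NPM_TOKEN, so the PR leaves registry handling to the plugin.

      # Provenance needs npm 10.5.1 or newer (the minimum the PR states).
      - run: npm install -g npm@latest
      - run: npm ci

      - name: Release
        run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Added by the PR: granular access token scoped to the package.
          # This is authentication (who may publish).
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Attestation (where the tarball was built), signed via the OIDC token;
          # it does not replace NPM_TOKEN.
          NPM_CONFIG_PROVENANCE: "true"
```

NPM_CONFIG_PROVENANCE is the environment form of npm's --provenance flag, which is how @semantic-release/npm is usually told to publish with provenance since the plugin runs npm publish itself. A useful pre-flight in the same job is `npm --version` printed before the release step, so a 401 from npm whoami is not confused with an npm too old to produce the attestation.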
