From 3c8103b9c3e313d923345d10dcac4e78ae96d41d Mon Sep 17 00:00:00 2001
From: Louis Varin <louisvarin@bitgo.com>
Date: Tue, 3 Mar 2026 17:08:47 -0500
Subject: [PATCH] feat: migrate stable releases to trusted publishing

TICKET: VL-4559
---
 .github/workflows/npmjs-release.yml | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/npmjs-release.yml b/.github/workflows/npmjs-release.yml
index b3e915ea8c..578c78c7a6 100644
--- a/.github/workflows/npmjs-release.yml
+++ b/.github/workflows/npmjs-release.yml
@@ -133,23 +133,14 @@ jobs:
           git config --global user.name "bitgobot"
 
       - name: Configure npmrc
-        if: inputs.dry-run == false
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           echo "engine-strict=true" > ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc
 
       - name: Setup Node.js with nvm
         uses: actions/setup-node@v6
         with:
           node-version-file: ".nvmrc"
 
-      - name: Test NPM authentication
-        if: inputs.dry-run == false
-        run: |
-          npm whoami --registry https://registry.npmjs.org/
-
       - name: Switch to rel/latest branch
         run: |
           git checkout rel/latest
@@ -175,7 +166,9 @@ jobs:
       - name: Publish new version
         if: inputs.dry-run == false
         run: |
-          yarn lerna publish --sign-git-tag --sign-git-commit --include-merged-tags --conventional-commits --conventional-graduate --verify-access --yes
+          yarn lerna publish --sign-git-tag --sign-git-commit --include-merged-tags --conventional-commits --conventional-graduate --yes
+        env:
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Extract published version
         if: inputs.dry-run == false