ci: point npm publish at AGENT_CHORUS_CI secret

cote-star · claude · cote-star · commit 4951d66aed82 · 2026-04-24T10:50:47.000+02:00
The historical NPM_TOKEN secret returned E404 on v0.12.2's publish
attempt (see run 24665699276 `package-node` job log) because its
npm-side scope did not cover the agent-chorus package. A fresh
"Automation" token with 2FA bypass was provisioned and stored as
AGENT_CHORUS_CI; switching the env binding over so the next release
hits a credential that can actually PUT to registry.npmjs.org for
this package.

No other changes. NPM_TOKEN can be deleted from the repo secrets
page as a follow-up once v0.13.0 verifies publish end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -79,7 +79,11 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref_type == 'tag' && steps.npm_package_check.outputs.exists != 'true' }}
         continue-on-error: true
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # Uses AGENT_CHORUS_CI (npm "Automation" token, 2FA-bypassed,
+          # scoped to the agent-chorus package). Historical NPM_TOKEN
+          # secret returned 404 on publish because its scope did not
+          # cover this package on the owning npm account.
+          NODE_AUTH_TOKEN: ${{ secrets.AGENT_CHORUS_CI }}
         run: npm publish --access public
 
   publish-github-package:
