From 015677a0f287af47caf53669f5368e219b34a0a5 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Tue, 2 Jun 2026 16:52:37 +0100
Subject: [PATCH] ci: remove redundant npmpublish.yml (semantic-release is the
 publish path)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npmpublish.yml published to npm on `release: created` using the now-dead
NPM_TOKEN. It is redundant: the semantic-release job in test-and-release.yml
already publishes to npm (via OIDC, with provenance) AND creates the GitHub
Release. semantic-release makes that release with GITHUB_TOKEN, which by
design does not trigger other workflows, so npmpublish.yml never fires in
the automated flow — and on a *manual* release it would double-publish or
fail on the expired token. Delete it so semantic-release is the single,
OIDC-authenticated publish path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/npmpublish.yml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 .github/workflows/npmpublish.yml

diff --git a/.github/workflows/npmpublish.yml b/.github/workflows/npmpublish.yml
deleted file mode 100644
index d838871..0000000
--- a/.github/workflows/npmpublish.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Node.js Package
-
-on:
-  release:
-    types: [created]
-
-jobs:
-  publish-npm:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
-        with:
-          node-version: 25
-          registry-url: https://registry.npmjs.org/
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}