From 70bd82984f99a30ff5dc7ec3440ec880a7c3f495 Mon Sep 17 00:00:00 2001
From: Alex Verkhovsky <alexey.verkhovsky@gmail.com>
Date: Tue, 10 Mar 2026 02:53:32 -0600
Subject: [PATCH] fix: isolate npm publish from injected auth config

---
 .github/workflows/publish.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 03f972823..8737304df 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -51,7 +51,21 @@ jobs:
         with:
           node-version-file: ".nvmrc"
           cache: "npm"
-          registry-url: "https://registry.npmjs.org"
+
+      - name: Debug npm auth config surface
+        run: |
+          USERCONFIG=$(npm config get userconfig)
+          echo "npm userconfig: $USERCONFIG"
+          if [ -f "$USERCONFIG" ]; then
+            if rg -n "_authToken|always-auth|registry.npmjs.org" "$USERCONFIG" >/dev/null 2>&1; then
+              echo "npm userconfig contains registry auth-related entries"
+              rg -n "_authToken|always-auth|registry.npmjs.org" "$USERCONFIG" | sed -E 's/(_authToken=).*/\1***MASKED***/'
+            else
+              echo "npm userconfig has no registry auth-related entries"
+            fi
+          else
+            echo "npm userconfig file not found"
+          fi
 
       - name: Debug trusted publishing identity
         run: |
@@ -161,12 +175,14 @@ jobs:
         if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.channel == 'next')
         run: npm publish --tag next --provenance
         env:
+          NPM_CONFIG_USERCONFIG: /dev/null
           NODE_AUTH_TOKEN: ""
 
       - name: Publish stable release to npm
         if: github.event_name == 'workflow_dispatch' && inputs.channel == 'latest'
         run: npm publish --tag latest --provenance
         env:
+          NPM_CONFIG_USERCONFIG: /dev/null
           NODE_AUTH_TOKEN: ""
 
       - name: Print npm debug logs