[hn_throwaway_99]

This is exactly why GitHub support OpenID Connect, https://docs.github.com/en/actions/deployment/security-harde..., so that long-lived secrets don't need to be present as part of the build.

I'm not sure if NPM supports OIDC, which would be ironic given that both GitHub and NPM are owned by Microsoft.

[fkyoureadthedoc]

Why would that be ironic?

[hn_throwaway_99]

Sorry, my sentence was poorly written, I meant it would be ironic if NPM didn't support OIDC.