security: mask npm token in logs and improve authentication setup

Author: strausr

.github/workflows/release.yml

@@ -99,34 +99,33 @@ jobs:
 
       - name: Configure npm authentication for semantic-release
         run: |
-          # actions/setup-node creates .npmrc in a temp location
+          # actions/setup-node creates .npmrc in a temp location via NPM_CONFIG_USERCONFIG
           # We need to ensure semantic-release can find it
           if [ -f "$NPM_CONFIG_USERCONFIG" ]; then
-            echo "=== Found npmrc at $NPM_CONFIG_USERCONFIG ==="
-            cat "$NPM_CONFIG_USERCONFIG"
-            # Copy to home directory for semantic-release
+            echo "Found npmrc at $NPM_CONFIG_USERCONFIG"
+            # Copy to home directory for semantic-release to read
             mkdir -p ~/.npm
             cp "$NPM_CONFIG_USERCONFIG" ~/.npmrc
             echo "Copied .npmrc to ~/.npmrc"
-          else
-            echo "Warning: NPM_CONFIG_USERCONFIG not found at $NPM_CONFIG_USERCONFIG"
-          fi
-          
-          # Extract token from .npmrc and set as NPM_TOKEN for semantic-release
-          if [ -f ~/.npmrc ]; then
-            # Extract the token from the .npmrc file
-            TOKEN=$(grep -oP '(?<=//registry\.npmjs\.org/:_authToken=).*' ~/.npmrc || echo "")
+            
+            # Also extract token for NPM_TOKEN env var (semantic-release npm plugin requires it)
+            # We mask the token value in logs for security
+            TOKEN=$(grep -oP '(?<=//registry\.npmjs\.org/:_authToken=).*' ~/.npmrc 2>/dev/null || echo "")
             if [ -n "$TOKEN" ]; then
+              echo "NPM_TOKEN=***" >> $GITHUB_ENV
+              echo "::add-mask::$TOKEN"
               echo "NPM_TOKEN=$TOKEN" >> $GITHUB_ENV
-              echo "NPM_TOKEN extracted from .npmrc and set"
+              echo "NPM_TOKEN configured (masked in logs)"
             else
               echo "Warning: Could not extract token from .npmrc"
             fi
+          else
+            echo "Warning: NPM_CONFIG_USERCONFIG not found at $NPM_CONFIG_USERCONFIG"
           fi
           
-          # Test npm auth
-          echo "=== Testing npm authentication ==="
-          npm whoami --registry=https://registry.npmjs.org || echo "npm whoami failed"
+          # Test npm auth (without exposing token)
+          echo "Testing npm authentication..."
+          npm whoami --registry=https://registry.npmjs.org >/dev/null 2>&1 && echo "✓ npm authentication successful" || echo "✗ npm authentication failed"
 
       - name: Release
         env: