From e4a9753f7280383f43f7e52c3d1dafad6fe3a1d3 Mon Sep 17 00:00:00 2001
From: tom-ridsdale <thomas.ridsdale@typeform.com>
Date: Thu, 11 Dec 2025 13:55:16 +0000
Subject: [PATCH] feat(TU-33149): Attempting to avoid polluting global .npmrc

---
 .github/workflows/release.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1fe89af7..973ed913 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,15 +43,24 @@ jobs:
       - run: yarn build
         env:
           NODE_ENV: 'production'
-      # Configure registry for GitHub Packages
+      # Configure registry for GitHub Packages using local .npmrc to avoid npm global config corruption
       - run: rm ./.npmrc
-      - run: npm config set '//npm.pkg.github.com/:_authToken' $GH_TOKEN
+      - run: |
+          cat > .npmrc << 'EOF'
+          //npm.pkg.github.com/:_authToken=${GH_TOKEN}
+          @typeform:registry=https://npm.pkg.github.com/
+          EOF
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-      - run: npm config set @typeform:registry https://npm.pkg.github.com/
       - run: yarn add -W @typeform/jarvis
       - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version)
-      - run: npm config delete @typeform:registry
+      # Create clean .npmrc with just auth token
+      - run: |
+          cat > .npmrc << 'EOF'
+          //npm.pkg.github.com/:_authToken=${GH_TOKEN}
+          EOF
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
 
       # authenticate to AWS
       - uses: aws-actions/configure-aws-credentials@v4