ci(release): pass npm token to publish step

Author: iexitdev

.github/workflows/publish.yml

@@ -150,6 +150,7 @@ jobs:
           done
         env:
           NPM_TAG: ${{ steps.package.outputs.npm_tag }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Verify npm registry publish state
         run: npm run release:publish:status -- --strict

scripts/check-release-gates.mjs

@@ -21,6 +21,7 @@ const requiredFiles = [
   "docs/release/h5-owner-decision-memo.md",
   "docs/release/h6-owner-decision-memo.md",
   "docs/release/known-issues.md",
+  "docs/release/native-workflow-runbook.md",
   "docs/release/native-qa-checklists.md",
   "docs/release/native-performance-benchmark.md",
   "docs/release/native-release-checks.md",
@@ -586,6 +587,11 @@ addCheck({
 });
 
 const publishWorkflowSource = await readRepoFile(".github/workflows/publish.yml");
+const publishAuthEnvCount = (
+  publishWorkflowSource.match(
+    /NODE_AUTH_TOKEN:\s*\$\{\{\s*secrets\.NPM_TOKEN\s*\}\}/g
+  ) ?? []
+).length;
 const publishWorkflowSafetyChecks = [
   "secrets.NPM_TOKEN",
   "NODE_AUTH_TOKEN",
@@ -597,6 +603,12 @@ const publishWorkflowSafetyChecks = [
   "npm publish \"${PUBLISH_TARGET}\" --ignore-scripts --access public --provenance --tag"
 ].filter((needle) => !publishWorkflowSource.includes(needle));
 
+if (publishAuthEnvCount < 2) {
+  publishWorkflowSafetyChecks.push(
+    "NODE_AUTH_TOKEN must be set for npm auth preflight and npm publish"
+  );
+}
+
 addCheck({
   detail:
     publishWorkflowSafetyChecks.length > 0