From 8f72fb43f09b179a47c16f743847c74e3584f0db Mon Sep 17 00:00:00 2001
From: ilan ponimansky <ilan@phantom.app>
Date: Fri, 23 Jan 2026 10:08:30 -0500
Subject: [PATCH 1/2] fix: token for publishing

---
 .github/workflows/release.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 06cda485c..c3c3b1fc3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -33,6 +33,7 @@ jobs:
         with:
           node-version: 20.x
           registry-url: "https://registry.npmjs.org"
+          token: ""
 
       - name: Ensure npm 11.5.1+ for trusted publishing
         run: npm install -g npm@^11.5.1
@@ -47,4 +48,7 @@ jobs:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: yarn release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # we use trusted publishing and setup-node will set these incorrectly. Unset if we ever use RO_TOKEN
+          NODE_AUTH_TOKEN: ""
+          NPM_TOKEN: ""

From 5dbca1df82db81bf8c4b3452ac5ef0a4aa42afca Mon Sep 17 00:00:00 2001
From: ilan ponimansky <ilan@phantom.app>
Date: Fri, 23 Jan 2026 11:34:30 -0500
Subject: [PATCH 2/2] fix: dont check co

---
 security.yaml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 security.yaml

diff --git a/security.yaml b/security.yaml
new file mode 100644
index 000000000..3f6e3ef1b
--- /dev/null
+++ b/security.yaml
@@ -0,0 +1 @@
+codeowner_approvals: false