Don't default NPM_AUTH_TOKEN to support NPM OIDC

[mannycarrera4]

Description:
A lot of packages are switching to OIDC to validate packages when publishing. It took a lot of debugging, but we had to reset the auth token to empty string intentionally in our CI, but it wasn't clear what was setting it.

Any chance we can the default setting to support NPM OIDC?

[Vexcited]

As a workaround, we can do this for now...

- uses: actions/setup-node@v5
  with:
    node-version: 24
    registry-url: "https://registry.npmjs.org"

- run: |
    NODE_AUTH_TOKEN="" npm publish

Overwriting the NODE_AUTH_TOKEN env when running the command works like a charm.

[frankpengau]

FYI for those following along, specifically this part of the code:

setup-node/src/authutil.ts

Lines 54 to 58 in 633bb92

	// Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it
	core.exportVariable(
	'NODE_AUTH_TOKEN',
	process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX'
	);

^ Although do note, that there is a comment about it prior to the line around issues of the variable not being set. Maybe worth evaulating whether if that is still indeed the case?

[gowridurgad]

Hello @mannycarrera4,
Thank you for this feature request. We will investigate it and get back to you as soon as we have some feedback.