The NPM_TOKEN GitHub secret (granular access token) was rotated on 2026-05-06 (replaces the one tracked in #9). Set the next renewal cadence at ~90 days from rotation = 2026-08-04.
Renewal steps
- Generate a new granular access token at https://www.npmjs.com/settings/tokens
- Permissions: read+write on @paretools/*
- Set expiration to ≥ 90 days; record the date in this issue's title before saving
- Update the GitHub secret:
gh secret set NPM_TOKEN --repo Dave-London/Pare --body "$(pbpaste)"
(Or via the GitHub UI: https://github.com/Dave-London/Pare/settings/secrets/actions)
- Validate by triggering the Canary Release workflow against main — if the publish step succeeds, the token works.
- Once confirmed, revoke the previous token in the npm UI.
- Close this issue and open a new tracking issue for the next renewal cadence (90 days out).
Why 90 days
Granular tokens cap at 365 days but shorter cycles reduce blast radius if a token leaks and force a regular validation cadence. 90 days is the SOC2 / industry-standard default for service credentials.
Last renewal: 2026-05-06 (#9).
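
A cadence check for the 90-day schedule above, as an added example that is not part of the original issue or the Pare repository. The function names, the `WARN_DAYS` threshold and the exit codes are assumptions; it takes the rotation date as an argument, so it could run from a scheduled job and fail when the renewal is due soon or overdue.

```shell
#!/usr/bin/env bash
# Added example: NPM_TOKEN rotation-cadence check (names and thresholds are assumptions).
ROTATION_DAYS=90   # cadence stated in the issue
WARN_DAYS=14       # assumed lead time for a "due soon" warning

# to_epoch YYYY-MM-DD -> seconds since epoch at 00:00 UTC (GNU date, then BSD/macOS date)
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null ||
    date -u -j -f '%Y-%m-%d %H:%M:%S' "$1 00:00:00" +%s 2>/dev/null
}

# from_epoch SECONDS -> YYYY-MM-DD in UTC
from_epoch() {
  date -u -d "@$1" +%F 2>/dev/null || date -u -r "$1" +%F
}

# renewal_due ROTATED_ON -> date on which the next rotation is due
renewal_due() {
  local start
  start=$(to_epoch "$1") || return 2
  from_epoch $(( start + ROTATION_DAYS * 86400 ))
}

# days_left ROTATED_ON TODAY -> whole days until due (negative once overdue)
days_left() {
  local start now
  start=$(to_epoch "$1") || return 2
  now=$(to_epoch "$2") || return 2
  echo $(( (start + ROTATION_DAYS * 86400 - now) / 86400 ))
}

# check_rotation ROTATED_ON [TODAY] -> 0 ok, 1 due soon, 2 overdue, 3 bad date
check_rotation() {
  local left due
  left=$(days_left "$1" "${2:-$(date -u +%F)}") || return 3
  due=$(renewal_due "$1") || return 3
  if [ "$left" -lt 0 ]; then
    echo "NPM_TOKEN rotation overdue by $(( -left )) day(s); was due $due"; return 2
  elif [ "$left" -le "$WARN_DAYS" ]; then
    echo "NPM_TOKEN rotation due in $left day(s), on $due"; return 1
  fi
  echo "NPM_TOKEN rotation due $due, $left day(s) left"
}

# Run directly as: ./check-rotation.sh 2026-05-06
if [ $# -gt 0 ]; then check_rotation "$@"; exit $?; fi
```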