diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 777fb6e..850b1cd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,16 +28,14 @@ jobs:
 registry-url: "https://registry.npmjs.org"
 - run: npm ci
 - run: npm run build
- # Bootstrap publish auth: NODE_AUTH_TOKEN (Classic Automation token).
- # @salishforge/memforge does not exist on npm yet, so Trusted Publishing
- # cannot be configured for it — trusted publishers are attached to an
- # existing package on npmjs.com. After the first publish succeeds, swap
- # this step to OIDC by removing NODE_AUTH_TOKEN (id-token: write is
- # already granted for provenance attestations).
+ # Auth via npm Trusted Publishing (OIDC). The package exists on npm
+ # as of v3.0.0-beta.3, so a trusted publisher can be configured for
+ # it on npmjs.com (Packages → @salishforge/memforge → Settings →
+ # Trusted publishing). Once configured, no NODE_AUTH_TOKEN is needed:
+ # npm CLI uses the GitHub Actions OIDC token (id-token: write, above)
+ # to authenticate directly.
 - name: Publish package
 run: npm publish --access public --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 github-release:
 name: Create GitHub Release
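Review bot: Removing the `env:` block stops referencing `NPM_TOKEN`, but the Classic Automation token itself stays live in the repository secrets and on npmjs.com, so the trust boundary has not actually moved to OIDC until that token is revoked and the secret deleted; the new comment should say so, e.g. `# After the first OIDC publish succeeds: revoke the old classic token, delete the NPM_TOKEN secret, and enable "Require 2FA and disallow tokens" on the package.` Trusted Publishing also requires npm CLI 11.5.1 or newer, and the `setup-node` step that picks the Node/npm version is outside this hunk, so add a guard before the publish step such as `- run: npm install -g npm@latest` (or at least fail on an old `npm --version`) rather than relying on whatever npm the runner image bundles. The comment's claim that `id-token: write` is granted "above" cannot be confirmed from this hunk. The trusted-publisher entry on npmjs.com must also name this exact workflow file (`release.yml`) and any `environment:` the job declares, or the OIDC token exchange is rejected at publish time.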