
fix(ci): check-dependencies gh action now uses npm token to access private packages #6813

Merged: j-luong merged 1 commit into main from fix(ci)/cli-1513_fixCheckDependenciesAction on May 15, 2026

@j-luong j-luong commented May 15, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Fixes the GitHub Action workflow check-dependencies.yml and danger-zone.yml so that it can access private packages.

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

None - internal fix

@j-luong j-luong marked this pull request as ready for review May 15, 2026 13:51
@j-luong j-luong requested review from a team as code owners May 15, 2026 13:51
@j-luong j-luong enabled auto-merge May 15, 2026 13:51
snyk-io Bot commented May 15, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

@j-luong j-luong force-pushed the fix(ci)/cli-1513_fixCheckDependenciesAction branch from 479c165 to 83b84c4 Compare May 15, 2026 13:58

@robertolopezlopez robertolopezlopez left a comment

LGTM

@j-luong j-luong force-pushed the fix(ci)/cli-1513_fixCheckDependenciesAction branch from 83b84c4 to 3511a3d Compare May 15, 2026 14:00
@github-actions

Warnings
⚠️

"fix(ci): check-dependecies gh action now uses npm token to access private packages" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 3511a3d

@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Workflow Scope Error (2 occurrences) 🟠 [major]
  1. .github/workflows/check-dependencies.yml
    The NODE_AUTH_TOKEN environment variable is only provided to the npm ci step. However, the addition of registry-url to setup-node configures the runner's .npmrc to use ${NODE_AUTH_TOKEN} for all subsequent commands. The next step, npx ts-node ./scripts/check-dependencies.ts, will likely fail when npm (invoked by npx) attempts to parse the global .npmrc and finds the environment variable missing or empty. This variable should be defined at the job level or repeated for the script step.

  2. .github/workflows/danger-zone.yml
    Similar to the check-dependencies workflow, the Danger JS job now configures a registry that requires NODE_AUTH_TOKEN interpolation. The npx danger ci step lacks this environment variable in its scope. If the Danger script or npx itself triggers any registry lookups (e.g., to verify package versions), it will fail due to the unresolvable token in the .npmrc configuration.

📚 Repository Context Analyzed

This review considered 2 relevant code sections from 2 files (average relevance: 0.72)
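
The token scoping discussed in the review comment above, sketched as an added example; it is not the repository's workflow, which this page does not show. The workflow and job names, the Node version and the secret name `NPM_TOKEN` are assumptions.

```yaml
# Added illustration only. Names, versions and the secret name are assumptions.
name: check-dependencies-illustration
on: pull_request

permissions:
  contents: read

jobs:
  # Layout the review comment describes: only `npm ci` receives the token.
  token-on-install-only:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # registry-url makes setup-node write an .npmrc whose auth token
          # is read from the NODE_AUTH_TOKEN environment variable.
          registry-url: https://registry.npmjs.org
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # placeholder secret name
      # No NODE_AUTH_TOKEN here, although npx reads the same .npmrc.
      - run: npx ts-node ./scripts/check-dependencies.ts

  # Token repeated on each step that invokes npm or npx. Checkout and
  # setup-node never see it, which keeps the secret's exposure narrow.
  # A job-level `env:` block is shorter but hands the token to every step.
  token-on-each-npm-step:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: npx ts-node ./scripts/check-dependencies.ts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

With either layout, a read-only registry token limits what a leaked value can do, since these jobs only install packages.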

@j-luong j-luong merged commit 1271f24 into main May 15, 2026
10 checks passed
@j-luong j-luong deleted the fix(ci)/cli-1513_fixCheckDependenciesAction branch May 15, 2026 16:13