
chore: Delete .github/workflows/fix-latest.yml#1548

Merged
gjtorikian merged 1 commit into main from delete-old-workflow
Apr 8, 2026

Conversation

@gjtorikian
Contributor

During a routine security review today, I discovered that we have an `NPM_TOKEN` stored in this repo. I didn't think we used these as we had moved on to [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers/).

Turns out, there's this old workflow from #1002 which makes use of it. I don't really feel comfortable having tokens we're not using, used in actions we're not using, so by the power vested in me, I'm going to delete this action, merge the PR, and remove the GitHub secret.

cc @marji-workos
@gjtorikian gjtorikian requested review from a team as code owners April 8, 2026 20:31
@gjtorikian gjtorikian requested a review from imkesin April 8, 2026 20:31
@greptile-apps
Contributor

greptile-apps bot commented Apr 8, 2026

Greptile Summary

This PR removes .github/workflows/fix-latest.yml, a manually-triggered workflow that used a stored NPM_TOKEN secret to reassign the @latest dist-tag on npm. The deletion is motivated by a security review finding an unused token — the project has since moved to OIDC trusted publishing, making this workflow and its associated secret unnecessary.

Confidence Score: 5/5

Safe to merge — this is a pure deletion of an unused, manually-triggered workflow with no functional impact on the codebase.

The change deletes a single workflow file that was only ever triggered manually. No production code, tests, or automated pipelines are affected. The motivation (removing an unused long-lived secret) is sound security hygiene.

No files require special attention.

Vulnerabilities

This PR improves the security posture of the repository by removing a dormant workflow that held a long-lived NPM_TOKEN secret. Retaining unused secrets in a repository increases blast radius if the repo is compromised. No new security issues are introduced.

Important Files Changed

Filename: .github/workflows/fix-latest.yml
Overview: Deleted an unused manually-triggered workflow that relied on a stored NPM_TOKEN secret; removal reduces secret exposure surface and aligns with the project's OIDC publishing approach.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GHA as GitHub Actions
    participant NPM as npm Registry

    Note over Dev,NPM: BEFORE (deleted workflow)
    Dev->>GHA: workflow_dispatch (latest-version input)
    GHA->>NPM: npm dist-tag add @workos-inc/node@X latest
    Note right of GHA: Authenticated via NPM_TOKEN secret

    Note over Dev,NPM: AFTER (this PR)
    Note over GHA: fix-latest.yml removed
    Note over NPM: NPM_TOKEN secret can be revoked

Reviews (1): Last reviewed commit: "Delete .github/workflows/fix-latest.yml"
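The review that motivated this PR (a stored `NPM_TOKEN` found in repository settings, referenced only by a dormant `workflow_dispatch` workflow, while releases already run through OIDC trusted publishing) is the kind of check worth scripting so it runs on every repo rather than once. The Python below is an added example, not code from this repository or from Greptile. The two workflow bodies it embeds are constructed approximations of a manual dist-tag fixer and an OIDC release job, not the real deleted file; the package name `@example/pkg` is a placeholder. It reads workflow text directly with a small line-based trigger parser instead of a YAML library so it runs offline, and it answers three questions a reviewer asks: which secrets does each workflow reference, which of those workflows can only be started by hand and still carry a long-lived publishing token, and which configured secrets are referenced nowhere and can therefore be revoked once the workflow is gone.

```python
import re
from dataclasses import dataclass

# Constructed sample workflows (assumption: not the repository's real files).
# The first approximates a manual dist-tag fixer authenticated by a stored
# token; the second approximates an OIDC trusted-publishing release job.
SAMPLE_WORKFLOWS = {
    ".github/workflows/fix-latest.yml": """\
name: Fix latest tag
on:
  workflow_dispatch:
    inputs:
      latest-version: {required: true}
jobs:
  retag:
    runs-on: ubuntu-latest
    steps:
      - run: npm dist-tag add @example/pkg@${{ inputs.latest-version }} latest
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
    ".github/workflows/release.yml": """\
name: Release
on:
  push:
    tags: ['v*']
permissions:
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish --provenance --access public
""",
}

# ${{ secrets.NAME }} references; inputs.* and vars.* are deliberately ignored.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# The permission grant that an OIDC trusted-publishing job needs.
OIDC_GRANT = re.compile(r"^\s*id-token:\s*write\s*$", re.MULTILINE)


def parse_triggers(text):
    """Event names under the top-level `on:` key (inline, list or mapping form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("on:"):
            continue
        inline = line[3:].strip()
        if inline:  # `on: push` or `on: [push, pull_request]`
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        triggers = set()
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith(" "):
                break  # back at indentation 0: the `on:` mapping has ended
            m = re.match(r"^  ([A-Za-z_]+):", nxt)  # direct children only
            if m:
                triggers.add(m.group(1))
        return triggers
    return set()


@dataclass(frozen=True)
class WorkflowAudit:
    path: str
    triggers: frozenset
    secrets: frozenset
    uses_oidc: bool

    @property
    def manual_only(self):
        return self.triggers == {"workflow_dispatch"}


def audit_all(workflows):
    """One WorkflowAudit per file, sorted by path."""
    return [WorkflowAudit(p, frozenset(parse_triggers(t)),
                          frozenset(SECRET_REF.findall(t)),
                          OIDC_GRANT.search(t) is not None)
            for p, t in sorted(workflows.items())]


def secrets_in_use(workflows):
    """Map each referenced secret name to the workflow files that use it."""
    usage = {}
    for a in audit_all(workflows):
        for s in sorted(a.secrets):
            usage.setdefault(s, []).append(a.path)
    return usage


def dormant_token_workflows(workflows, long_lived=("NPM_TOKEN",)):
    """Manual-only workflows that still carry a long-lived publishing token."""
    return [a.path for a in audit_all(workflows)
            if a.manual_only and a.secrets & set(long_lived)]


def unreferenced_secrets(configured, workflows):
    """Configured repo secrets that no workflow references: revoke candidates."""
    return set(configured) - set(secrets_in_use(workflows))


if __name__ == "__main__":
    print("dormant:", dormant_token_workflows(SAMPLE_WORKFLOWS))
    remaining = {p: t for p, t in SAMPLE_WORKFLOWS.items() if "fix-latest" not in p}
    print("revocable after deletion:", unreferenced_secrets({"NPM_TOKEN"}, remaining))
```

Run against the sample set, the fix-latest file is the only dormant token user; drop it from the set and `NPM_TOKEN` shows up as unreferenced, which is exactly the state in which the secret can be revoked. The list of configured secret names is the one input the script cannot read from the checkout; it comes from repository settings (or the API) and is passed in by the reviewer.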

@gjtorikian gjtorikian changed the title Delete .github/workflows/fix-latest.yml chore: Delete .github/workflows/fix-latest.yml Apr 8, 2026
@gjtorikian gjtorikian merged commit 9ce59b5 into main Apr 8, 2026
6 of 7 checks passed
@gjtorikian gjtorikian deleted the delete-old-workflow branch April 8, 2026 20:38