diff --git a/.github/workflows/release-package.yml b/.github/workflows/release-package.yml
index 9c1f4a45e60d..bb9440794794 100644
--- a/.github/workflows/release-package.yml
+++ b/.github/workflows/release-package.yml
@@ -34,4 +34,3 @@ jobs:
       run: node tools/release-package.js ${{ github.event.pull_request.number }}
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/tools/release-package.js b/tools/release-package.js
index 3ddb32823e31..4f1cc4fe5856 100644
--- a/tools/release-package.js
+++ b/tools/release-package.js
@@ -88,11 +88,14 @@ async function releasePackage(prNumber) {
 
     console.log(`- Publish packages/${type} folder to npm`);
     const packageFolder = path.join(installFolder, "packages", type, "package.json");
-    const pubResult = await npmPublish({
-      package: packageFolder,
-      token: NPM_TOKEN
+    const pubOptions = {
+      package: packageFolder
       //, debug: console.debug
-    });
+    };
+    if (NPM_TOKEN) {
+      pubOptions.token = NPM_TOKEN;
+    }
+    const pubResult = await npmPublish(pubOptions);
     console.log(`- Published version was ${pubResult.oldVersion}`);
     console.log(`- Version bump: ${pubResult.type}`);
     console.log(`- Published version is ${pubResult.version}`);
@@ -154,11 +157,12 @@ if (!GH_TOKEN) {
   process.exit(1);
 }
 
+// An NPM token is needed to run the script from a local machine.
+// Authentication from a GitHub workflow rather relies on OpenID Connect
+// and the release workflow must be added as a trusted publisher for each
+// npm package that can be released, see:
+// https://docs.npmjs.com/trusted-publishers
 const NPM_TOKEN = config?.NPM_TOKEN ?? process.env.NPM_TOKEN;
-if (!NPM_TOKEN) {
-  console.error("NPM_TOKEN must be set to an npm token as an env variable or in a config.json file");
-  process.exit(1);
-}
 
 // Note: npm-publish has a bug and needs an "INPUT_TOKEN" env variable:
 // https://github.com/JS-DevTools/npm-publish/issues/15