GitHub Action failing to find NPM_TOKEN

I’m trying to switch from publishing directly to npm (which worked fine) to using GitHub Packages with an organisation scoped package name.

I’ve changed my package name in package.json, added the necessary publishConfig e.g.

"publishConfig": {
    "registry": "https://npm.pkg.github.com"
  },

And changed my Action steps to use NODE_AUTH_TOKEN instead of NPM_TOKEN as per the docs, but when I merge a branch and trigger the action I get the following warning and the package is never published (though version tags and changelog are updated, so annoyingly it doesn’t flag as a failed run):

 ✔  success   Wrote authentication token string to /home/runner/.npmrc
⚠  warning   Error: Failed to replace env in config: ${NPM_TOKEN}

NPM_TOKEN is set in my repository Secrets on GitHub.

Here’s the Action setup:

name: Publish

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest

    # this check needs to be in place to prevent a publish loop with auto and github actions
    if: "!contains(github.event.head_commit.message, 'ci skip') && !contains(github.event.head_commit.message, 'skip ci')"

    steps:
      - uses: actions/checkout@v2
        with:
          # Needed for branch protection override
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Prepare repository
        run: git fetch --unshallow --tags

      - name: Use Node.js 12.x
        uses: actions/setup-node@v1
        with:
          node-version: 12.x

      - name: Cache node modules
        uses: actions/cache@v2
        with:
          path: node_modules
          key: node-modules-${{ hashFiles('package-lock.json') }}
          restore-keys: |
            node-modules-${{ hashFiles('package-lock.json') }}

      - name: Create release
        env
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          npm ci
          npm run build
          npm run release