Skip to content

fix(ci): resolve npm publish OIDC conflict and token fallback#297

Open
DanielMevit wants to merge 1 commit into
dcouple:mainfrom
DanielMevit:fix-npm-publish
Open

fix(ci): resolve npm publish OIDC conflict and token fallback#297
DanielMevit wants to merge 1 commit into
dcouple:mainfrom
DanielMevit:fix-npm-publish

Conversation

@DanielMevit

Copy link
Copy Markdown

Description

This PR resolves the NPM publication failure in the Build & Release workflow.

Root Cause

  1. OIDC / Trusted Publishing Conflict: The publish-npm job was configured with registry-url: 'https://registry.npmjs.org' in the actions/setup-node step. This automatically writes a global .npmrc file with a token auth placeholder (//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}).
  2. Even when running OIDC-based Trusted Publishing (i.e., when NPM_TOKEN is empty), the NPM CLI sees the _authToken configuration in .npmrc and attempts to perform token-based authentication (which fails since NODE_AUTH_TOKEN is not set) rather than using OIDC.
  3. Furthermore, if an expired or invalid NPM_TOKEN secret is stored in GitHub Secrets, the workflow attempts the token-based fallback step and fails immediately with a 404 Not Found (which NPM returns for unauthorized writes).

Solution

  1. Omit registry-url from setup-node: By removing registry-url from actions/setup-node, we prevent the generation of a global .npmrc containing the token placeholder.
  2. Local .npmrc for Token Fallback: In the token fallback step, we write the token directly to a local .npmrc file inside packages/runpane right before publishing (echo "//registry.npmjs.org/:_authToken=${{ env.NPM_TOKEN }}" > .npmrc). This isolates the token configuration to only that step.
  3. Clean Trusted Publishing: When the NPM_TOKEN secret is empty, the OIDC trusted publishing step runs cleanly without any .npmrc token configuration, allowing NPM to correctly authenticate via OIDC.
  4. Added Provenance: Added the --provenance flag to both publication steps, which is highly recommended for security and compliance (especially when using OIDC).

@parsakhaz

Copy link
Copy Markdown
Member

Thanks for digging into this. I double-checked against current main and the latest release run.

The immediate publish path does look unblocked now: v2.4.5 published successfully to npm, but that run used the token fallback path. The workflow on main still has the setup-node registry-url config and still passes NODE_AUTH_TOKEN directly in the npm fallback step, so the specific trusted-publishing cleanup in this PR has not actually landed yet.

So I think this PR is still useful as a hardening/follow-up fix: it should let trusted publishing run cleanly when NPM_TOKEN is absent, while keeping token auth isolated to the fallback case. We may refresh/rebase it against current main before merging, but I’d like to keep this PR as the vehicle for that cleanup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants