fix(ci): resolve npm publish OIDC conflict and token fallback#297
fix(ci): resolve npm publish OIDC conflict and token fallback#297DanielMevit wants to merge 1 commit into
Conversation
|
Thanks for digging into this. I double-checked against current main and the latest release run. The immediate publish path does look unblocked now: v2.4.5 published successfully to npm, but that run used the token fallback path. The workflow on main still has the setup-node So I think this PR is still useful as a hardening/follow-up fix: it should let trusted publishing run cleanly when |
Description
This PR resolves the NPM publication failure in the
Build & Releaseworkflow.Root Cause
publish-npmjob was configured withregistry-url: 'https://registry.npmjs.org'in theactions/setup-nodestep. This automatically writes a global.npmrcfile with a token auth placeholder (//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}).NPM_TOKENis empty), the NPM CLI sees the_authTokenconfiguration in.npmrcand attempts to perform token-based authentication (which fails sinceNODE_AUTH_TOKENis not set) rather than using OIDC.NPM_TOKENsecret is stored in GitHub Secrets, the workflow attempts the token-based fallback step and fails immediately with a404 Not Found(which NPM returns for unauthorized writes).Solution
registry-urlfromsetup-node: By removingregistry-urlfromactions/setup-node, we prevent the generation of a global.npmrccontaining the token placeholder..npmrcfor Token Fallback: In the token fallback step, we write the token directly to a local.npmrcfile insidepackages/runpaneright before publishing (echo "//registry.npmjs.org/:_authToken=${{ env.NPM_TOKEN }}" > .npmrc). This isolates the token configuration to only that step.NPM_TOKENsecret is empty, the OIDC trusted publishing step runs cleanly without any.npmrctoken configuration, allowing NPM to correctly authenticate via OIDC.--provenanceflag to both publication steps, which is highly recommended for security and compliance (especially when using OIDC).