fix: conditionally append NPM_TOKEN to .npmrc for trusted publishing … #545
Conversation
…support

The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios:

- Only appends auth token to .npmrc when NPM_TOKEN is defined (not undefined)
- Uses strict comparison (!== undefined) instead of truthy checks
- Provides informative logging when no NPM_TOKEN is present
- Maintains full backward compatibility with existing workflows

This fixes issues with trusted publishing where OIDC tokens from GitHub Actions are used instead of NPM_TOKEN, preventing 'undefined' from being written to the registry auth configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
🦋 Changeset detected

Latest commit: 5525a5c

The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
| await fs.appendFile( | ||
| userNpmrcPath, | ||
| `\n//registry.npmjs.org/:_authToken=${process.env.NPM_TOKEN}\n` | ||
| `\n//registry.npmjs.org/:_authToken=${npmToken}\n` |
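Review bot: the replacement line still interpolates `npmToken` straight into the `_authToken` entry, so whether "undefined" can reach `.npmrc` depends entirely on a guard outside this hunk (the `!== undefined` check the description mentions) and a reviewer cannot confirm it from these four lines; widen the context to include that check, and add a test that runs the append path with `NPM_TOKEN` unset and asserts the file is not touched. Note also that with a strict `!== undefined` comparison the `NPM_TOKEN: ''` workaround discussed below will still write `//registry.npmjs.org/:_authToken=` with an empty value; if that is intended, say so in a comment next to the check so nobody later "fixes" it to a truthiness test.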
q: were we potentially inserting :_authToken=undefined here before?
This was my suspicion, and why people were using a workaround of adding NPM_TOKEN: '' to publish with provenance. If the token was never defined, then this should be undefined.
I suppose there is an undefined check on the npm side, that this workaround was working for people.
q: how the OIDC token can get from the GitHub Actions runner to the publish command? Do you have to pass it around manually somehow? If it's automatic - how does it work?
You have to set the

So the id token is defined on the jobs permissions block. And there is no explicit passing required after that. Just the assignment on the job in Github Actions.

I have never used Gitlab, but I know provenance supports both. Someone with Gitlab knowledge can correct me if there is any difference.

https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow shows the basic setup for publishing.

The missing piece for this action, in my estimation, is that the dependency on a Token causes issues for users who do not define an

Changesets automatically creates the

If a user is not using trusted publishing setup, and doesn't define a token, they should just fail the publish because of bad authentication, which is fine. This would be expected imo.
Co-authored-by: Mateusz Burzyński <mateuszburzynski@gmail.com>
I ran into a bit of a headache with trusted publishing with this action.
Because trusted publishing removes the need for an npm token, and is now the more preferred approach, we should have a little smarter generation of the .npmrc file.
If we don't have a .npmrc file, and we don't have an npm token, we shouldn't automatically append an npm token to the url.
If we have an npm token in the environment, we will use it, as was the default previously.
This way, if there is no npmrc file, we don't try to use an undefined token, we just assume authentication. If they don't provide an npm token, and don't have an npm token in the environment, publishing should fail on the npm side.