fix: restore NPM_TOKEN auth and add --access public for scoped package publish #7475
DennisOSRM merged 2 commits into master from
Pull request overview
Updates the monthly release workflow around npm publishing, ostensibly to fix issues blocking publication of @project-osrm/osrm.
Changes:
- Switch dependency installation from npm install to npm ci --ignore-scripts (skipping lifecycle scripts).
- Leaves the npm publish invocation unchanged.
| - name: Install dependencies (skip native build scripts) | ||
| run: npm ci --ignore-scripts | ||
|
|
||
| - name: Publish to npm |
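Review bot: the step name on the first line says only native build scripts are skipped, but npm ci --ignore-scripts on the next line disables every lifecycle script, for the root package as well as its dependencies. Rename the step to say so, for example "Install dependencies (no lifecycle scripts)", and if the published package needs output that an install or prepare script would have produced, run that script explicitly before the "Publish to npm" step.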
The publish step doesn't provide NODE_AUTH_TOKEN, so actions/setup-node won't be able to authenticate to npm (it writes an .npmrc that expects this env var). Add env: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} } (or equivalent) to the publish step (or job) so npm publish has a token at runtime.
| - name: Publish to npm | |
| - name: Publish to npm | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
| - name: Publish to npm | ||
| run: npm publish |
PR title/description says --access public is required for publishing the scoped package, but the workflow still runs plain npm publish. Either add --access public here, or (if publishConfig.access in package.json is intended to cover this) update the PR description/title to match what the change actually does.
GITHUB_TOKEN pushes do not trigger new workflow runs (GitHub prevents recursive loop triggers). This means the tag push from the release workflow never triggered osrm-backend.yml, so no binaries were built or uploaded to the release assets.
Changes:
- Add workflow_dispatch trigger to osrm-backend.yml
- Add 'actions: write' permission to release workflow
- After pushing the tag, explicitly dispatch osrm-backend.yml on the tag ref; CI runs with GITHUB_REF=refs/tags/v* so PUBLISH=On and prebuilt binaries are built and uploaded
- Restore NODE_AUTH_TOKEN and add --access public for scoped npm package
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
569369c to 7fcbf54
publishConfig.access=public is already set in package.json, so --access public is redundant. OIDC via setup-node handles authentication when id-token: write is set.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fixes two issues blocking npm publish of @project-osrm/osrm:
- Auth failure (404): setup-node configures .npmrc to use NODE_AUTH_TOKEN, but that env var was never set at publish time. npm OIDC Trusted Publishers requires explicit configuration on the npm package settings page — without it the auth token is empty and npm returns 404. Restores NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}.
- Scoped package access: Scoped packages (@project-osrm/osrm) default to private on npm. --access public is required for public publishing.
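A preflight check for the two failure modes named in the PR description (publish token empty at runtime, scoped package without public access), as an added example that is not part of this pull request or the osrm-backend repository. The function name publishPreflight, its parameters and the sample .npmrc line are assumptions made for illustration; the oidc switch mirrors the second commit's statement that OIDC publishing needs no token.

```javascript
// Added example (not from the osrm-backend repository). publishPreflight and
// the sample values are hypothetical names constructed for illustration.

// Returns the problems that would break `npm publish` for the given inputs.
function publishPreflight({ pkg, npmrc, env, cliArgs = [], oidc = false }) {
  const problems = [];

  // 1. Auth: collect env vars that .npmrc interpolates into _authToken.
  const tokenVars = [...npmrc.matchAll(/:_authToken\s*=\s*\$\{(\w+)\}/g)]
    .map((m) => m[1]);
  if (!oidc) {
    if (tokenVars.length === 0) problems.push("no _authToken entry in .npmrc");
    for (const name of tokenVars) {
      const value = (env[name] || "").trim();
      // An unset Actions secret expands to "", so the step still runs.
      // Assumption: an all-X dummy value is also treated as "no token".
      if (value === "" || /^[X-]+$/.test(value)) {
        problems.push(`${name} is empty or a placeholder at publish time`);
      }
    }
  }

  // 2. Access: a scoped name needs an explicit "public" from the CLI flag
  //    or publishConfig; disagreement between the two is reported as well.
  const scoped = typeof pkg.name === "string" && pkg.name.startsWith("@");
  const eq = cliArgs.find((a) => a.startsWith("--access="));
  const i = cliArgs.indexOf("--access");
  const flag = eq ? eq.slice("--access=".length) : i >= 0 ? cliArgs[i + 1] : undefined;
  const sources = [flag, pkg.publishConfig && pkg.publishConfig.access]
    .filter((v) => v !== undefined);
  if (scoped && !(sources.length > 0 && sources.every((v) => v === "public"))) {
    problems.push(`${pkg.name} is scoped and access is not unambiguously public`);
  }
  return problems;
}

// Constructed sample: an .npmrc line that reads the token from the environment.
const sampleNpmrc = "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}\n";
const samplePkg = { name: "@project-osrm/osrm" };

// Token missing and no access setting: both failure modes are reported.
console.log(publishPreflight({ pkg: samplePkg, npmrc: sampleNpmrc, env: {} }));
```

Run as a step before the publish step, it turns a 404 from the registry into a named failure in the job log.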