Skip to content

[BUG] Package visibility fails on GH packages with provenance #6436

New issue
New issue
Closed
#6437
Closed
[BUG] Package visibility fails on GH packages with provenance#6436
#6437
Labels
Bugthing that needs fixingPriority 2secondary priority issueRelease 9.xwork is associated with a specific npm 9 release
@feelepxyz

Description

@feelepxyz
feelepxyz
opened on May 9, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When publishing with --provenance to Github Package registry, and the package does not already exist (ie first version being published), the publish call will fail with the following error:

npm notice Publishing to https://npm.pkg.github.com/ with tag latest and default access
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm.pkg.github.com/-/package/@feelepxyz/test-dependabot/visibility
npm ERR! 404 
npm ERR! 404  '@feelepxyz/test-dependabot@1.0.0' is not in this registry.

Expected Behavior

Publish should work and --provenance ignored as it is on the subsequent publish when the version already exists.

Its failing at this line: https://github.com/npm/cli/blob/bdab631b9847013dc4e8d4083669acf6c7bfb457/workspaces/libnpmpublish/lib/publish.js#LL181C86-L181C86

Presumably we just need to catch 404s and ignore them?

Steps To Reproduce

Publish to GH packages with provenance

name: Publish Package to npmjs
on: workflow_dispatch
jobs:
 build:
   runs-on: ubuntu-latest
   permissions:
     contents: read
     id-token: write
   steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3
       with:
         node-version: '18.x'
         registry-url: 'https://npm.pkg.github.com'
         scope: '@feelepxyz'
     - run: npm install -g npm
     - run: npm ci
     - run: cat .npmrc
     - run: npm publish --provenance --access public
       env:
         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

Environment

  • npm: 9.6.6
  • Node.js: 18.x
  • OS Name: Ubuntu
  • System Model Name: GitHub Actions hosted runner
  • npm config:
; "user" config from /home/runner/work/_temp/.npmrc

@feelepxyz:registry = "https://npm.pkg.github.com/" 
; //npm.pkg.github.com/:_authToken = (protected) ; overridden by project
always-auth = false 

; "project" config from /home/runner/work/test-dependabot/test-dependabot/.npmrc

//npm.pkg.github.com/:_authToken = (protected) 

; "env" config from environment

userconfig = "/home/runner/work/_temp/.npmrc" 

; node bin location = /opt/hostedtoolcache/node/18.[16](https://github.com/feelepxyz/test-dependabot/actions/runs/4925568179/jobs/8799950109#step:6:17).0/x64/bin/node
; node version = v[18](https://github.com/feelepxyz/test-dependabot/actions/runs/4925568179/jobs/8799950109#step:6:19).16.0
; npm local prefix = /home/runner/work/test-dependabot/test-dependabot
; npm version = 9.6.6
; cwd = /home/runner/work/test-dependabot/test-dependabot
; HOME = /home/runner
; Run `npm config ls -l` to show all defaults.

; "publishConfig" from /home/runner/work/test-dependabot/test-dependabot/package.json
; This set of config values will be used at publish-time.

provenance = true
registry = "https://npm.pkg.github.com/"

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingPriority 2secondary priority issueRelease 9.xwork is associated with a specific npm 9 release

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions