publishing to npm fails after publishing to GPR

[getify]

I have a workflow like this that's supposed to publish to npm once I publish to GPR:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I have the npm_token secret added to this repository.

When I just published to GPR, it kicked off this workflow job, but it failed at the last step of publishing to npm. The error was from npm saying:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

What does this error mean, and how do I fix it? I don't see anything about setting "basic realm" in the recipes for this setup-node action.

[damccorm]

One thing I notice off the bat is that your registry url is for npm (https://registry.npmjs.org/) not GitHub (https://npm.pkg.github.com) which means your auth will be set for npm as well. Could you try changing that and see if it fixes it?

[getify]

I am trying to publish from GPR to npm, that's why the URL and token are for npm.

[nkzawa]

I also had the same issue, and fixed by creating ~/.npmrc like:

- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publish

[getify]

According to the examples provided for this repo for publishing to npm, presumably the with: registry_url: .. is supposed to be taking the place of a local npmrc, and I would also assume the NODE_AUTH_TOKEN environment variable is either something that this action uses or that the npm client itself uses.

The approach of echoing out an npmrc is not only hacky but also seems a bit dangerous given that we already have to have an npmrc in the repo to publish to GPR in the first place, which means effectively this echo is overwriting the file just before publish.

[damccorm]

Sorry, misunderstood - any chance you can share your package.json file? Also, are you able to publish to npm locally with that package.json file?

[getify]

Yes I have been publishing to npm directly (by just commenting out the line in my npmrc that directs the publish to GPR) each time that the github action has failed.

Here's the repo (with the package.json): https://github.com/getify/revocable-queue

[damccorm]

I think because this is a scoped package, adding the scope parameter should do the trick. So:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
          scope: getify
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I'm not 100% sure how this will interact with a repo that has a .npmrc file already, but I think it should be fine

[getify]

I just made the change and bumped the version to 3.0.4 to retry... failed with the same error:

npm notice 4.7kB  test.js             
npm notice 853B   package.json        
npm notice 16.7kB README.md           
npm notice 109B   copyright-header.txt
npm notice 1.1kB  LICENSE.txt         
npm notice === Tarball Details === 
npm notice name:          @getify/revocable-queue                 
npm notice version:       3.0.4                                   
npm notice package size:  11.3 kB                                 
npm notice unpacked size: 33.9 kB                                 
npm notice shasum:        ea43f55fddddb1605129124fdba8b89bf4e1da15
npm notice integrity:     sha512-Jvgdlz8eA02eN[...]ThmfISW3BAXYA==
npm notice total files:   11                                      
npm notice 
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2019-09-04T19_56_58_223Z-debug.log

I don't think I have access to that npm debug log, so I can't see anything about why the authentication is failing. :/

[getify]

@damccorm ping

[mpwis]

I have the same problem trying to publish a package to private gemfury - the secrets/NODE_AUTH_TOKEN environment variable is not working correctly. I suspect its being overwritten with XXXXX-XXXXX-XXXXX-XXXXX but its hard to debug

https://github.com/actions/setup-node/blob/master/src/authutil.ts

adding these run commands to publish-npm helps a little

• run: printenv
• run: cat /home/runner/work/_temp/.npmrc

[getify]

@mpwis nice find!

BTW, specifically I think it's this line that could be the problem: https://github.com/actions/setup-node/blob/master/src/authutil.ts#L57

[getify]

This is a blocker for me to using Github Actions. I would really appreciate some more info on it.

[pqt]

Not sure that this adds much to the conversation but through the grapevine of (limit) google results and community searching, this has turned into a show-stopper for using Actions and GPR.

I'm getting the exact same errors as described above.

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

Repo in question is https://github.com/paquette/react-components

Using the CLI I can publish to GPR no problem, but the authentication fails with Actions -- even though the process is nearly identical and as far as I can tell it's hooked up as documentation suggests.

The failing PR (and their associated checks) can be found in this PR https://github.com/paquette/react-components/pull/7

[tjanson]

@pqt Just to be clear: You’re talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because I’ve got that working from within GitHub Actions, with this .npmrc

registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

In the workflow config, I don’t use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).

Is that what you’re trying to accomplish or am I totally misunderstanding you?

PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.