New attempt at fixing NPM publishing with trusted publisher #3810
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
| set -euo pipefail | ||
|
|
||
| echo "Node auth token: ${NODE_AUTH_TOKEN}" | ||
| echo "NPM config userconfig: ${NPM_CONFIG_USERCONFIG}" | ||
|
|
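Review bot: `echo "Node auth token: ${NODE_AUTH_TOKEN}"` writes the npm publish credential itself into the Actions job log, and because the script runs under `set -euo pipefail`, a bare `${NODE_AUTH_TOKEN}` or `${NPM_CONFIG_USERCONFIG}` expansion aborts the script with "unbound variable" whenever either is unset. A publish script only needs to know the token is present, so replace the two echo lines with a presence check such as `[ -n "${NODE_AUTH_TOKEN:-}" ] || { echo "NODE_AUTH_TOKEN is not set" >&2; exit 1; }` and, if the userconfig path is useful for debugging, keep `echo "NPM config userconfig: ${NPM_CONFIG_USERCONFIG:-<unset>}"` since the path is not sensitive; never print the token value, not even a partial one.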
Ensure publish script handles missing auth env vars
The script now logs NODE_AUTH_TOKEN and NPM_CONFIG_USERCONFIG under set -u, but the workflow no longer exports these variables in the “Publish to NPM” step. In GitHub Actions they will be undefined, so referencing them on lines 11‑12 causes bash to exit with “unbound variable” before npm publish runs. As a result the publish job will always fail and packages will never be released. Either provide default values (${VAR:-}) or reintroduce the env wiring from the workflow.
| echo "Node auth token: ${NODE_AUTH_TOKEN}" | ||
| echo "NPM config userconfig: ${NPM_CONFIG_USERCONFIG}" |
Avoid printing npm auth credentials to logs
Lines 11‑12 emit the contents of NODE_AUTH_TOKEN and the npm config path every time a package is published. The token is the credential that authorizes publishing to npm and is not automatically masked when it’s minted via Trusted Publisher, so this leaks a live credential into the Actions logs. Consider removing the logging or masking the values before printing.
No description provided.