Observation
.github/workflows/release.yml Build-and-Release / Build-admin-UI step fails on npm ci against the private GitHub Packages npm registry. Captured on the v1.0.1 release run (post-cloud-SDK pin sweep — see https://github.com/GoCodeAlone/workflow/blob/main/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md):
Build and Release / Build admin UI:
Cloning into '/tmp/workflow-ui-build'... ok
npm error code E401
npm error 401 Unauthorized - GET https://npm.pkg.github.com/download/@gocodealone/workflow-ui/0.2.0/...
— authentication token not provided
cp: cannot stat '/tmp/workflow-ui-build/ui/dist': No such file or directory
##[error]Process completed with exit code 1.
.npmrc or NODE_AUTH_TOKEN env wiring is missing for the Release workflow's UI build step. The Test workflow may not exercise this path so the gap survived earlier merges.
Impact
- v1.0.1 tag pushed on origin (
9080b40); module-consumer path (go get github.com/GoCodeAlone/workflow-plugin-admin@v1.0.1) resolves via Go proxy reading the git tag directly.
- GitHub release / operator-facing
wfctl plugin install resolves nothing — no release exists past v1.0.0.
- Operator-facing gap only — explicitly designated as advisory (NOT a CI gate) in the sweep design.
Remediation options
-
Add NODE_AUTH_TOKEN env wiring to the Build-admin-UI step:
- name: Build admin UI
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" > /tmp/workflow-ui-build/ui/.npmrc
cd /tmp/workflow-ui-build/ui && npm ci && npx vite build
...(GITHUB_TOKEN typically has packages:read for npm.pkg.github.com.)
-
Switch @gocodealone/workflow-ui to public-npm visibility if it doesn't need to stay private.
-
Vendor the workflow-ui dist into this repo so the Release step has no external npm fetch.
Followup release
After the fix, cut v1.0.2 to re-trigger GoReleaser against the merged main HEAD (the pin-bump commit). The bump itself ships in v1.0.1's tag; v1.0.2 would be a chore release that only republishes assets.
References
Observation
.github/workflows/release.ymlBuild-and-Release / Build-admin-UI step fails onnpm ciagainst the private GitHub Packages npm registry. Captured on the v1.0.1 release run (post-cloud-SDK pin sweep — see https://github.com/GoCodeAlone/workflow/blob/main/docs/plans/2026-05-16-post-cloud-sdk-plugin-sweep.md):.npmrcorNODE_AUTH_TOKENenv wiring is missing for the Release workflow's UI build step. TheTestworkflow may not exercise this path so the gap survived earlier merges.Impact
9080b40); module-consumer path (go get github.com/GoCodeAlone/workflow-plugin-admin@v1.0.1) resolves via Go proxy reading the git tag directly.wfctl plugin installresolves nothing — no release exists past v1.0.0.Remediation options
Add
NODE_AUTH_TOKENenv wiring to the Build-admin-UI step:(
GITHUB_TOKENtypically haspackages:readfor npm.pkg.github.com.)Switch
@gocodealone/workflow-uito public-npm visibility if it doesn't need to stay private.Vendor the workflow-ui dist into this repo so the Release step has no external npm fetch.
Followup release
After the fix, cut v1.0.2 to re-trigger GoReleaser against the merged main HEAD (the pin-bump commit). The bump itself ships in v1.0.1's tag; v1.0.2 would be a chore release that only republishes assets.
References
gh run list --repo GoCodeAlone/workflow-plugin-admin --workflow Releasefirst entry tagged v1.0.1