Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

publishing to npm fails #52

Open
getify opened this issue Sep 3, 2019 · 17 comments

Comments

@getify
Copy link

commented Sep 3, 2019

I have a workflow like this that's supposed to publish to npm once I publish to GPR:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I have the npm_token secret added to this repository.

When I just published to GPR, it kicked off this workflow job, but it failed at the last step of publishing to npm. The error was from npm saying:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

What does this error mean, and how do I fix it? I don't see anything about setting "basic realm" in the recipes for this setup-node action.

@damccorm

This comment has been minimized.

Copy link
Collaborator

commented Sep 3, 2019

One thing I notice off the bat is that your registry url is for npm (https://registry.npmjs.org/) not GitHub (https://npm.pkg.github.com) which means your auth will be set for npm as well. Could you try changing that and see if it fixes it?

@getify

This comment has been minimized.

Copy link
Author

commented Sep 3, 2019

I am trying to publish from GPR to npm, that's why the URL and token are for npm.

@nkzawa

This comment has been minimized.

Copy link

commented Sep 4, 2019

I also had the same issue, and fixed by creating ~/.npmrc like:

- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publish
@getify

This comment has been minimized.

Copy link
Author

commented Sep 4, 2019

According to the examples provided for this repo for publishing to npm, presumably the with: registry_url: .. is supposed to be taking the place of a local npmrc, and I would also assume the NODE_AUTH_TOKEN environment variable is either something that this action uses or that the npm client itself uses.

The approach of echoing out an npmrc is not only hacky but also seems a bit dangerous given that we already have to have an npmrc in the repo to publish to GPR in the first place, which means effectively this echo is overwriting the file just before publish.

@damccorm

This comment has been minimized.

Copy link
Collaborator

commented Sep 4, 2019

Sorry, misunderstood - any chance you can share your package.json file? Also, are you able to publish to npm locally with that package.json file?

@getify

This comment has been minimized.

Copy link
Author

commented Sep 4, 2019

Yes I have been publishing to npm directly (by just commenting out the line in my npmrc that directs the publish to GPR) each time that the github action has failed.

Here's the repo (with the package.json): https://github.com/getify/revocable-queue

@damccorm

This comment has been minimized.

Copy link
Collaborator

commented Sep 4, 2019

I think because this is a scoped package, adding the scope parameter should do the trick. So:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
          scope: getify
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I'm not 100% sure how this will interact with a repo that has a .npmrc file already, but I think it should be fine

@getify

This comment has been minimized.

Copy link
Author

commented Sep 4, 2019

I just made the change and bumped the version to 3.0.4 to retry... failed with the same error:

npm notice 4.7kB  test.js             
npm notice 853B   package.json        
npm notice 16.7kB README.md           
npm notice 109B   copyright-header.txt
npm notice 1.1kB  LICENSE.txt         
npm notice === Tarball Details === 
npm notice name:          @getify/revocable-queue                 
npm notice version:       3.0.4                                   
npm notice package size:  11.3 kB                                 
npm notice unpacked size: 33.9 kB                                 
npm notice shasum:        ea43f55fddddb1605129124fdba8b89bf4e1da15
npm notice integrity:     sha512-Jvgdlz8eA02eN[...]ThmfISW3BAXYA==
npm notice total files:   11                                      
npm notice 
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2019-09-04T19_56_58_223Z-debug.log

I don't think I have access to that npm debug log, so I can't see anything about why the authentication is failing. :/

@getify

This comment has been minimized.

Copy link
Author

commented Sep 10, 2019

@damccorm ping

@mpwis

This comment has been minimized.

Copy link

commented Sep 11, 2019

I have the same problem trying to publish a package to private gemfury - the secrets/NODE_AUTH_TOKEN environment variable is not working correctly. I suspect its being overwritten with XXXXX-XXXXX-XXXXX-XXXXX but its hard to debug

https://github.com/actions/setup-node/blob/master/src/authutil.ts

adding these run commands to publish-npm helps a little

  • run: printenv
  • run: cat /home/runner/work/_temp/.npmrc
@getify

This comment has been minimized.

Copy link
Author

commented Sep 11, 2019

@mpwis nice find!

BTW, specifically I think it's this line that could be the problem: https://github.com/actions/setup-node/blob/master/src/authutil.ts#L57

TuckerWhitehouse added a commit to Workgrid/workgrid-javascript that referenced this issue Sep 12, 2019
Add authToken to npmrc
Setting the `NODE_AUTH_TOKEN` environment variable doesn't seem to work, trying an npmrc file instead.

https://github.community/t5/GitHub-Actions/Installing-npm-packages-from-the-GitHub-package-registry/td-p/30559

actions/setup-node#52
@getify

This comment has been minimized.

Copy link
Author

commented Sep 16, 2019

This is a blocker for me to using Github Actions. I would really appreciate some more info on it.

@pqt

This comment has been minimized.

Copy link

commented Sep 16, 2019

Not sure that this adds much to the conversation but through the grapevine of (limit) google results and community searching, this has turned into a show-stopper for using Actions and GPR.

I'm getting the exact same errors as described above.

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

Repo in question is https://github.com/paquette/react-components

Using the CLI I can publish to GPR no problem, but the authentication fails with Actions -- even though the process is nearly identical and as far as I can tell it's hooked up as documentation suggests.

The failing PR (and their associated checks) can be found in this PR paquette/react-components#7

@tjanson

This comment has been minimized.

Copy link

commented Sep 16, 2019

@pqt Just to be clear: You’re talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because I’ve got that working from within GitHub Actions, with this .npmrc

registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

In the workflow config, I don’t use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).

Is that what you’re trying to accomplish or am I totally misunderstanding you?

PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.

@pqt

This comment has been minimized.

Copy link

commented Sep 16, 2019

Nope you've got it correct @tjanson, the GITHUB_TOKEN doesn't seem to work, so I've cleared all reference to GPR publishing, and now going to be taking another stab at it with an NPM PAT.

Going to test what you've got though because it's already considerably more elegant than my 3 different locations of configurations.

Gotta sweet case of the GIT mondays going on. (Note the check failure 😂)

pqt added a commit to paquette/react-components that referenced this issue Sep 16, 2019
@getify

This comment has been minimized.

Copy link
Author

commented Sep 16, 2019

Publishing to GPR from Actions (what @pqt seems to be doing) and publishing to NPM from Actions (which, in my case, is triggered after first publishing to GPR) are separate topics.

However, they both seem to have the same symptom, which is that the Action doesn't seem to apply the correct credentials for the publishing (from npm secrets), and/or Actions is not properly using the "registry" setting from the Action. In some cases you can "hack" around this problem by just forcing your own .npmrc, but that's both a hack and runs contrary to the published documentation for this Action, so it shouldn't be "the solution".

In my case, since my project already has a npmrc in it, to redirect the initial publish to GPR in the first place, I do not think it's a suitable solution to somehow hack or override that npmrc during the Action to then redirect to npm.

@pqt

This comment has been minimized.

Copy link

commented Sep 16, 2019

Yeah, I see the difference now that you mention that @getify.

To clarify, my current situation is just trying to publish to GPR at all, which has proven to be unsuccessful out of the gates. I'll stay subscribed to the thread but our approaches seem to be different enough that it might warrant a separate issue entirely.

pqt added a commit to paquette/react-components that referenced this issue Sep 16, 2019
remove registry argument (#7)
* remove registry argument

* v0.0.2

* specify the github registry in .npmrc

* add NPM_REGISTRY_URL variable to action

* re-trigger gh registry publish

* add registry to publish config

* 0.0.3

* 0.0.4

* manually set content in .npmrc while publish

* try different .npmrc format

* fix gh action command typo

* stop prepublish script from moving source files

* add scope and registry data to node-setup in main github action

* getting desperate now

* remove all references to GPR

* simplified configuration, test publish to GPR with GITHUB_TOKEN set as NODE_AUTH_TOKEN (See actions/setup-node#52 (comment))

* remove all GPR references again

* one more try at NPM and GPR publishing

* fix wrong env var passed through

* remove GPR publishing for now

* fix formatting error
@pqt pqt referenced this issue Sep 16, 2019
pqt added a commit to paquette/react-components that referenced this issue Sep 16, 2019
Patch Release v0.0.4 (#8)
* remove registry argument

* v0.0.2

* specify the github registry in .npmrc

* add NPM_REGISTRY_URL variable to action

* re-trigger gh registry publish

* add registry to publish config

* 0.0.3

* 0.0.4

* manually set content in .npmrc while publish

* try different .npmrc format

* fix gh action command typo

* stop prepublish script from moving source files

* add scope and registry data to node-setup in main github action

* getting desperate now

* remove all references to GPR

* simplified configuration, test publish to GPR with GITHUB_TOKEN set as NODE_AUTH_TOKEN (See actions/setup-node#52 (comment))

* remove all GPR references again

* one more try at NPM and GPR publishing

* fix wrong env var passed through

* remove GPR publishing for now

* fix formatting error
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
6 participants
You can’t perform that action at this time.