ci: add npm-token-health workflow #17
Merged
Daily npm whoami check against the configured registry; opens (and de-dupes via marker comment) a GitHub issue if NPM_TOKEN no longer authenticates, and auto-closes that issue on the first passing run after rotation. Motivated by today's discovery that NPM_TOKEN had been rotated 7 weeks ago (2026-04-01 → present) without updating this repo's secret, which silently stranded v3.1.6 / v3.2.0 / v3.2.1 from reaching npm. Anyone running 'npm i -g @askalf/agent' got the stale v3.1.5 — including the WS-subprotocol crash fix the v3.2.1 release was specifically shipping. Pattern mirrors the existing @askalf/dario npm-token-health.yml; issue body includes the gh-secret-set + gh-run-rerun recipe so the recovery is self-documenting for any future incident.
Summary

Daily `npm whoami` check that catches NPM_TOKEN rot before the next release silently fails to publish.

Motivating incident (today, 2026-05-22)

This repo's NPM_TOKEN was dated 2026-04-01. The `@askalf/dario` token was rotated 2026-05-20 but the rotation wasn't propagated here. The 2026-05-12 release of v3.2.1 (containing the WS-subprotocol crash fix) failed silently at `npm publish` with HTTP 404 from `PUT /@askalf%2Fagent`. Anyone running `npm i -g @askalf/agent` for the next 10 days got stale v3.1.5 — still affected by the very crash this release was fixing — and there was no signal until a manual fleet audit caught it.

What the workflow does

- `npm whoami --registry=https://registry.npmjs.org` against the token in `secrets.NPM_TOKEN`.
- Opens a GitHub issue on failure (de-duped via the `<!-- agent-npm-token-rot -->` marker comment so a stale token doesn't open a fresh issue every day). Issue body has the full rotate-and-rerun recipe.
- `workflow_dispatch` for manual verification right after a rotation.

Pattern source

Mirrors `@askalf/dario`'s `npm-token-health.yml` — proven in production. Only differences: `agent-` marker prefix instead of `dario-`, and the issue-body recovery recipe references `gh run rerun` (agent's publish workflow only fires on `release: published`) instead of dario's dispatch-able fallback.

Test plan

- `npm-token-rot` label on the repo (referenced by `--label` in the issue-create step)
- `gh workflow run npm-token-health.yml -R askalf/agent` → should pass (token is healthy, just minted today)
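An added example of a workflow implementing the behaviour the description above lays out (this is not the file from this PR, whose diff is not shown on this page): a daily `npm whoami`, issue de-duplication through the marker comment, and auto-close on the first passing run. The marker `<!-- agent-npm-token-rot -->` and the `npm-token-rot` label are taken from the description; the cron time, step names and issue wording are assumptions.

```yaml
name: npm-token-health

on:
  schedule:
    - cron: '17 6 * * *'        # daily; minute/hour are an assumption
  workflow_dispatch:            # manual verification right after a rotation

permissions:
  contents: read
  issues: write

jobs:
  check:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
      GH_REPO: ${{ github.repository }}   # no checkout step, so tell gh which repo
      MARKER: '<!-- agent-npm-token-rot -->'
    steps:
      - name: Does NPM_TOKEN still authenticate?
        id: whoami
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          printf '//registry.npmjs.org/:_authToken=%s\n' "$NPM_TOKEN" > "$HOME/.npmrc"
          if npm whoami --registry=https://registry.npmjs.org; then
            echo "ok=true" >> "$GITHUB_OUTPUT"
          else
            echo "ok=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Open, keep, or close the tracking issue
        env:
          TOKEN_OK: ${{ steps.whoami.outputs.ok }}
        run: |
          # Dedupe: find an open issue whose body already carries the marker comment.
          existing=$(gh issue list --label npm-token-rot --state open --json number,body \
            --jq '[.[] | select(.body | contains("<!-- agent-npm-token-rot -->"))][0].number // empty')
          if [ "$TOKEN_OK" = false ] && [ -z "$existing" ]; then
            gh issue create --label npm-token-rot \
              --title "NPM_TOKEN no longer authenticates against registry.npmjs.org" \
              --body "$(printf '%s\n' "$MARKER" \
                "Daily npm whoami failed; the next npm publish will 404 until the secret is refreshed." \
                "Recovery: gh secret set NPM_TOKEN -R $GITHUB_REPOSITORY (paste the new token)," \
                "then gh run rerun <run-id> for each stranded publish run, then re-run this workflow.")"
          elif [ "$TOKEN_OK" = true ] && [ -n "$existing" ]; then
            gh issue close "$existing" --comment "npm whoami passes again after rotation; auto-closing."
          fi
          [ "$TOKEN_OK" = true ]   # stay red while the token is broken so the scheduled failure is visible
```

The `npm-token-rot` label must exist before the first failing run, since `gh issue create --label` does not create it.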