fix(ci): strip stale _authToken so OIDC Trusted Publisher actually fires on Release#6
Symptom: every `npm publish --provenance` step in the Release workflow
fails with `npm error 404 Not Found - PUT registry.npmjs.org/...`, even
though npm Trusted Publisher is correctly configured for @fetchproxy/*.
Cause: `setup-node` with `registry-url:` writes a .npmrc that says
`//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`. We don't pass
NPM_TOKEN as a secret (the whole point is OIDC), so GitHub Actions
expands NODE_AUTH_TOKEN to the masked placeholder
`XXXXX-XXXXX-XXXXX-XXXXX`. npm picks up the placeholder as a static
auth token, tries it against the registry first, gets rejected, and
returns a privacy-preserving 404 instead of falling through to OIDC.
Fix: strip the `_authToken` line (in addition to the existing
`always-auth` strip) before `npm publish`. With no static auth in
.npmrc, npm publish takes the OIDC path that Trusted Publisher
expects, and provenance + publish both succeed.
Dump the final .npmrc to the log so future debugging has a record
of what npm actually sees.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Strip `_authToken` from the `.npmrc` that `setup-node` generates, so `npm publish --provenance` has no stale placeholder static-token to try before falling through to OIDC. Trusted Publisher is correctly configured on the npm side — this just removes the foot-gun in the workflow.

Why

Every release run since Trusted Publisher was set up has failed with:

Diagnostic readout from the failed run:

`XXXXX-XXXXX-XXXXX-XXXXX` is GitHub Actions' masked rendering of an empty masked value. We don't pass `NPM_TOKEN` (the whole point is OIDC), so `NODE_AUTH_TOKEN` is empty — but `setup-node` already wrote `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into `.npmrc`, which npm picks up as "the user has a static token to use." It tries that placeholder before OIDC, the registry rejects, and the privacy-preserving 404 hides the actual failure mode.

Notable: the provenance / sigstore step worked (`Provenance statement published to transparency log: ...`) — which means OIDC IS reachable. npm just never tries it for the actual PUT, because the static token is "available."

Fix

Add a second `sed` to the cleanup step that already strips `always-auth`:

Then dump the final `.npmrc` to the log so future debugging has a record of what npm actually sees.

Test plan

- `NPM_TOKEN` secret defined for this repo

🤖 Generated with Claude Code
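The cleanup step described in the commit message and in the Fix section above, as an added example that is not the PR's own workflow code: a small POSIX shell routine that removes both the `_authToken` line and the `always-auth` line from an `.npmrc` and then checks that no static auth remains before `npm publish` runs. The sample `.npmrc` is constructed here to look like what `setup-node` writes when `registry-url:` is set, with the masked placeholder the page describes; the function names `strip_static_auth`, `has_static_auth` and `write_sample_npmrc` are this example's own.

```shell
#!/bin/sh
# Added example (not the PR's workflow code): remove static-auth lines from an
# .npmrc so `npm publish --provenance` has nothing to try before OIDC.

# Constructed sample, shaped like the .npmrc that setup-node writes with
# `registry-url:` set when no NPM_TOKEN secret is passed (the token expands to
# the masked placeholder from the failed run).
SAMPLE_NPMRC='//registry.npmjs.org/:_authToken=XXXXX-XXXXX-XXXXX-XXXXX
registry=https://registry.npmjs.org/
always-auth=true
@fetchproxy:registry=https://registry.npmjs.org/'

# write_sample_npmrc FILE: write the constructed sample to FILE.
write_sample_npmrc() {
  printf '%s\n' "$SAMPLE_NPMRC" > "$1"
}

# strip_static_auth FILE: delete every `<registry>/:_authToken=...` line and
# every `always-auth=` line, rewriting FILE via a temp file (portable across
# GNU and BSD sed, unlike `sed -i`).
strip_static_auth() {
  sed -e '/:_authToken=/d' -e '/^always-auth=/d' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# has_static_auth FILE: succeed (exit 0) if any static token line remains,
# i.e. npm would still try a static token before the OIDC path.
has_static_auth() {
  grep -q ':_authToken=' "$1"
}

# Stand-alone run: strip, verify, and dump the final file to the log, as the
# PR's "dump the final .npmrc" step does.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED_FOR_TEST:-}" ]; then
  f=$(mktemp)
  write_sample_npmrc "$f"
  strip_static_auth "$f"
  if has_static_auth "$f"; then
    echo "static auth still present in $f; refusing to publish" >&2
    exit 1
  fi
  echo "--- final .npmrc ---"
  cat "$f"
  rm -f "$f"
fi
```

Running the check before `npm publish` turns the opaque 404 into an explicit failure at the cleanup step, which is where the problem actually lives.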