ci: fix npm publish (replace deprecated npm-publish@v1)#4
Merged
Conversation
…publish v1 erroneously writes auth to .npmrc in a way that breaks on the runner's modern npm/Node 24, causing unauthenticated PUT -> E404 despite a valid token. Use the npm-documented NODE_AUTH_TOKEN + .npmrc pattern instead.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Root cause of the 2.4.0 publish failures
After the .NET 6 fix, Build/Test/pack all pass, but the Publish step fails with
E404 PUT @fairfleet%2fgeotabeven with a token verified to have@fairfleet/geotab: read-write. A 404-on-PUT with a valid token = the request reached npm unauthenticated.Cause:
JS-DevTools/npm-publish@v1is deprecated (current v4) and has a known bug — it erroneously writes auth to.npmrcin a way that no longer works with the runner's modern npm / forced Node 24. The token never reaches npm.Fix
Replace the action with the npm-documented CI publish pattern: write
//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}and runnpm publish --access publicfromdist/, withNODE_AUTH_TOKENfrom theNPM_TOKENsecret. Tag/push steps now gate onif: success()(the removed action'soutputs.typeno longer exists).Effect
Merging re-triggers
publish.yaml; with auth actually applied, 2.4.0 publishes (npm currently 2.3.0) andv2.4.0is tagged.Note: other actions (checkout@v2, cache@v3, codecov@v3, pnpm-action@v2) emit Node-20 deprecation warnings but still work — out of scope here.