Use NPM_TOKEN and NPM_AUTH_TOKEN authentication

[Sytten]

Coming from yarn, I would have expected it to support the environment variables out of the box but it doesn't.
I did lose a lot of time on this. I also tried to put the registry in the with of the action-setup, but it doesn't work.

pnpm version: 5.17.1

Code to reproduce the issue:

1. Create a package
2. Create a Github action:

name: Publish packages on NPM
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v1
        with:
          node-version: '14.x'
      - uses: pnpm/action-setup@v1.2.1
        with:
          version: 5.17.1
      - run: pnpm install -r --frozen-lockfile
      - run: pnpm run -r build
      - run: pnpm -r publish --no-git-checks --access public
        env:
          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

3. Try to publish

Expected behavior:

It can publish successfully.

Actual behavior:

It errors out with a 404:
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@graphmetrics%2fcore - Not found
npm ERR! 404
npm ERR! 404 '@graphmetrics/core@0.1.1' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

Additional information:

• node 14
• Linux

[zkochan]

This doesn't seem to be supported by the npm CLI. I could not find these variables in their docs.

Currently, you can workaround this by creating a .npmrc file in the root of your project with the next content:

//registry.npmjs.org/:_authToken=${NPM_AUTH_TOKEN}

[Sytten]

A quick search yields: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow#set-the-token-as-an-environment-variable-on-the-cicd-server

Yeah thats what I did.

[zkochan]

So is it solved then? This information was added to our docs: https://pnpm.js.org/npmrc#url_authtoken

[Sytten]

I mean it works if you want to leave it at that, I would go one step further and just use the token directly instead of forcing the user to setup the URL. Meaning this should work:

      - run: pnpm -r publish --no-git-checks --access public
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

[venikx]

NPM's .npmrc syntax for env variables is //registry.npmjs.org/:_authToken=${NPM_TOKEN} vs //registry.npmjs.org/:_authToken={NPM_TOKEN} of pnpm. The pnpm one is missing a dollar sign in front of the brackets. Is that intentional?

[zkochan]

@venikx for pnpm the dollar sign should be used as well. So it is the same for pnpm as for npm.

[iRoachie]

Just ran into this issue but with github package registry. Nothing here or in the docs worked. In my case I was installing a private package.

What I tried, that failed:

# workflow file

- name: Install dependencies
  run: pnpm recursive install
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

# .npmrc at root of directory
//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
@my-scope:registry=https://npm.pkg.github.com

So yea this doesn't work. What worked for me was changing the setup-node action:

# workflow file

- name: Setup Node
  uses: actions/setup-node@v2
  with:
    node-version-file: '.nvmrc'
    cache: 'pnpm'
    registry-url: 'https://npm.pkg.github.com' // Key part

- name: Install dependencies
  run: pnpm recursive install
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

This works without having to specify //npm.pkg.github.com/:_authToken=${NPM_TOKEN} in the .npmrc

[shellscape]

@zkochan I'd like to revisit using an environment variable by default, without additional user setup. While it's not particularly burdensome for CI environments, it can be a royal pain in Dockerfiles where the "how" of setting that up depends on the base image, and requires a lot of intrinsic knowledge.

[zkochan]

I don't have objections.

[cupcakearmy]

Facing the same issue here

[unadlib]

any updates?

[PabloSzx]

I don't have objections.

no updates on this?

[zkochan]

If you want an issue to be more noticeable it is better to upvote it. Posting new messages is not effective as there are tens of messages every day that I don't have capacity to read.

[zkochan]

It appears that this is already possible.

You can use the npm_config__authtoken env variable to set the auth token:

npm_config__authtoken=xxxx

This also works:

npm_config_//registry.npmjs.org/:_authtoken=xxx

[zkochan]

It appears that these env settings currently don't work because we run npm under the hood but we don't send private settings to it.

EDIT:
no, actually it seems to work.

The reason it didn't work for me was that I was calling pnpm publish from a script. But pnpm run removes the tokens before running the script. So I am running publish directly now: e32972d
Probably we could add some warning when pnpm run removes tokens. As it is hard to understand what went wrong.

[cupcakearmy]

@zkochan Good to know :)
just to make it clear: "from a script" means from an pnpm script and not a bash script right?

[zkochan]

Yes, for instance, if you add a release script that runs pnpm publish and then you run pnpm run release. Then it won't work.

[VividLemon]

It appears that these env settings currently don't work because we run npm under the hood but we don't send private settings to it.

EDIT: no, actually it seems to work.

The reason it didn't work for me was that I was calling pnpm publish from a script. But pnpm run removes the tokens before running the script. So I am running publish directly now: e32972d Probably we could add some warning when pnpm run removes tokens. As it is hard to understand what went wrong.

So, did this work at some point but not anymore? My previous script, similar to your previous, broke my ci.
Before:

      - name: Publish 
        run: pnpm publish --tag latest --filter bootstrap-vue-3 --access=public
        env:
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

This worked before, but no longer works correctly. And using env: "npm_config_//registry.npmjs.org/:_authToken": ${{ secrets.NPM_TOKEN }} Didn't work either.

[zkochan]

NODE_AUTH_TOKEN only worked if npm CLI worked with it. pnpm never had support for the NODE_AUTH_TOKEN env variable. But pnpm publish run npm publish under the hood, so if npm publish supports it than it will work.

[VividLemon]

NODE_AUTH_TOKEN only worked if npm CLI worked with it. pnpm never had support for the NODE_AUTH_TOKEN env variable. But pnpm publish run npm publish under the hood, so if npm publish supports it than it will work.

Ok, I'll try to continue to figure out the issue. Thanks

[tobiasdiez]

For me neither of the recommended env variables npm_config_xyz of #3141 (comment) worked. They all lead to the error

npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

For github action writing to the npmrc file is a workaround:

      - name: Config npm
        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Publish to npm
        run: pnpm publish --access public --no-git-checks

[VividLemon]

For me neither of the recommended env variables npm_config_xyz of [#3141 (comment)]

For anyone that cares. I managed to solve all of my issues. Read this reading helped here . The issue stemmed from the removal of registry-url: 'https://registry.npmjs.org' in the actions/setup-node@v3. If you include that registry url, npm publish, and subsequently pnpm publish will manage to get the env NODE_AUTH_TOKEN. The error is vague in that it gives something generic, rather then saying missing auth credentials. I documented my full list of issues and how I solved them here. The central issue could be fixed by not utilizing actions/setup-node@v3, but I feel that it's better. I managed to have this work as well, but switched to the method above:

      - name: Set publishing config
        run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"
        env:
          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
        
      - name: Publish
        run: pnpm publish --tag latest --filter bootstrap-vue-3 --access=public