[npm ERR! 403 Forbidden]: Failed step "verifyConditions" of plugin "@semantic-release/npm"

[hamzahamidi]

Current behavior

I can't publish the repository via Github action
This is the repository.
I generated npm token for automation by following the npm documentation then I set the repository secret NPM_TOKEN
This my config:

name: Release
on:
  push:
    branches:
      - main
jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v1
        with:
          node-version: 12
      - name: Install dependencies
        run: npm ci
      - name: Install @semantic-release dependencies
        run: npm install -D @semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/changelog @semantic-release/npm @semantic-release/git
      - name: Build packages
        run: npm run build
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npx semantic-release

Expected behavior

Environment

.releaserc.json

{    
    "branches": ["main"],
    "plugins": [
        "@semantic-release/commit-analyzer",
        "@semantic-release/release-notes-generator",
        "@semantic-release/changelog",
        [
            "@semantic-release/npm",
            {
            "pkgRoot": "dist/"
            }
        ],
        "@semantic-release/git"
    ]
}

• CI logs:

Run npx semantic-release
npx: installed 751 in 14.131s
[1:25:02 AM] [semantic-release] › ℹ  Running semantic-release version 17.2.2
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/changelog"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/npm"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/git"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/changelog"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/npm"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/git"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/npm"
[1:25:02 AM] [semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/npm"
[1:25:03 AM] [semantic-release] › ✔  Run automated release from branch main on repository https://github.com/hamzahamidi/playground-npm.git
[1:25:03 AM] [semantic-release] › ✔  Allowed to push to the Git repository
[1:25:03 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/changelog"
[1:25:03 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/changelog"
[1:25:03 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
[1:25:03 AM] [semantic-release] [@semantic-release/npm] › ℹ  Verify authentication for registry https://registry.npmjs.org/
[1:25:03 AM] [semantic-release] [@semantic-release/npm] › ℹ  Wrote NPM_TOKEN to /tmp/a3cb85b51ec075d649e1a61aa09906d2/.npmrc
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://registry.npmjs.org/-/whoami
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2020-11-07T01_25_04_376Z-debug.log
[1:25:04 AM] [semantic-release] › ✖  Failed step "verifyConditions" of plugin "@semantic-release/npm"
[1:25:04 AM] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/git"
[1:25:04 AM] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/git"
[1:25:04 AM] [semantic-release] › ✖  EINVALIDNPMTOKEN Invalid npm token.
The npm token (https://github.com/semantic-release/npm/blob/master/README.md#npm-registry-authentication) configured in the NPM_TOKEN environment variable must be a valid token (https://docs.npmjs.com/getting-started/working_with_tokens) allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make configure the auth-only level (https://docs.npmjs.com/getting-started/using-two-factor-authentication#levels-of-authentication) is supported. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

AggregateError: 
    SemanticReleaseError: Invalid npm token.
        at module.exports (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/node_modules/@semantic-release/npm/lib/get-error.js:6:10)
        at module.exports (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/node_modules/@semantic-release/npm/lib/verify-auth.js:26:33)
    at /home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/lib/plugins/pipeline.js:54:11
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Object.pluginsConf.<computed> [as verifyConditions] (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/lib/plugins/index.js:80:11)
    at async run (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/index.js:95:3)
    at async module.exports (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/index.js:260:22)
    at async module.exports (/home/runner/.npm/_npx/2618/lib/node_modules/semantic-release/cli.js:55:5)
Error: Process completed with exit code 1.

Link to CI logs

[travi]

please see semantic-release/npm#277

[hamzahamidi]

Thanks @travi . As I suspected automation token can't handle whoami. I'm closing this in favor of semantic-release/npm#277