ci(spec): remove obsolete gen/node/.npmrc (trusted publishing) #205
Merged
This file was added in #61 for token-based npm publishing. Since #204 switched the node package to OIDC trusted publishing, it is no longer needed and is actively harmful: it pins `_authToken=${NODE_AUTH_TOKEN}`, and with that env var now unset in CI the empty token overrides the OIDC credential and the publish fails with a 404. The other two lines (registry and @utxorpc:registry) only restate npm defaults. npm never includes .npmrc in the published tarball, so removing it has no effect on consumers. Refs #204.
Context
Follow-up to #204. That PR moved the node package to OIDC trusted publishing and removed `NODE_AUTH_TOKEN` from the workflow, but `gen/node/.npmrc` (added in #61 for the old token flow) was left behind.

With `NODE_AUTH_TOKEN` now unset, its `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` line injects an empty token that overrides the OIDC credential — publish fails with a masked `404`. This was reproduced locally and is the latent CI failure #204 didn't fully resolve.

Change

`git rm gen/node/.npmrc`. All three lines are now either redundant or harmful:

- `registry=` / `@utxorpc:registry=` — only restate npm defaults.
- `_authToken=${NODE_AUTH_TOKEN}` — breaks OIDC auth.

Trusted publishing needs no `.npmrc` (npm ≥ 11.5.1 handles auth via OIDC). npm never includes `.npmrc` in the published tarball, so no effect on consumers.

Refs #204.
🤖 Generated with Claude Code
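
An added example, not part of the PR or the project's code: a POSIX shell pre-publish check that flags `.npmrc` lines of the form `_authToken=${VAR}` whose variable is unset or empty, the condition described above. The names `check_npmrc` and `demo`, the temporary file and its registry URL values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the PR. Pre-publish guard for a trusted-publishing job.

# check_npmrc FILE
# Prints "FILE:LINE: VAR" for each `_authToken=${VAR}` line whose VAR is unset
# or empty in the current environment. Returns 1 if any such line exists.
check_npmrc() {
    file=$1
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '#'* | ';'*) continue ;;        # .npmrc comment lines
            *_authToken=*) ;;
            *) continue ;;
        esac
        value=${line#*_authToken=}
        case $value in
            '${'*'}') var=${value#??}; var=${var%?} ;;  # ${VAR} -> VAR
            *) continue ;;                  # literal tokens are out of scope
        esac
        # Accept only a plain identifier before handing it to eval.
        case $var in
            '' | [0-9]* | *[!A-Za-z0-9_]*) continue ;;
        esac
        eval "val=\${$var-}"
        if [ -z "$val" ]; then
            printf '%s:%s: %s\n' "$file" "$lineno" "$var"
            found=1
        fi
    done < "$file"
    return "$found"
}

# Demo on a constructed .npmrc shaped like the three lines the PR describes.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'registry=https://registry.npmjs.org/' \
        '@utxorpc:registry=https://registry.npmjs.org/' \
        '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > "$dir/.npmrc"
    if (unset NODE_AUTH_TOKEN; check_npmrc "$dir/.npmrc"); then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

demo || echo "empty token reference found: remove the line before publishing"
```

Run as a step before `npm publish`, a non-zero return from `check_npmrc` fails the job with the file and line to remove instead of the masked 404.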