Skip to content

Action modifies user's npmrc #15

New issue
New issue
Closed
#84
Closed
Action modifies user's npmrc#15
#84
Labels
bugSomething isn't working
@honzabilek4

Description

@honzabilek4
honzabilek4
opened on Oct 5, 2020 · edited by honzabilek4

I get the following error when using this action as github workflow using self hosted runner. It doesn't fail the build and it happens to all npm commands in the job.

Run npm ci
Error: Failed to replace env in config: ${INPUT_TOKEN}
    at /home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:415:13
    at String.replace (<anonymous>)
    at envReplace (/home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:411:12)
    at parseField (/home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:389:7)
    at /home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:330:24
    at Array.forEach (<anonymous>)
    at Conf.add (/home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:328:23)
    at ConfigChain.addString (/home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/node_modules/config-chain/index.js:244:8)
    at Conf.<anonymous> (/home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/lib/config/core.js:316:10)
    at /home/ubuntu/actions-runner/_work/_tool/node/14.13.0/x64/lib/node_modules/npm/node_modules/graceful-fs/graceful-fs.js:123:16

Here's my workflow file:

name: CI
on: [push, pull_request]
jobs:
  execute:
    runs-on: self-hosted
    steps:
    - name: Set work folder permissions    
      run: pwd && sudo chown -R $USER:$USER ./
    - uses: actions/checkout@v2
    - name: Setup Node.js environment
      uses: actions/setup-node@v1.4.4
      with:
        node-version: 14.x
    - name: Cache node modules
      uses: actions/cache@v1
      env:
        cache-name: cache-node-modules
      with:
        path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
        key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
        restore-keys: |
          ${{ runner.os }}-build-${{ env.cache-name }}-
          ${{ runner.os }}-build-
          ${{ runner.os }}-
    - name: Install dependencies
      run: npm ci
    - name: Run linter
      run: npm run lint
    - name: Run unit tests
      run: npm run test    
    - name: Build project
      run: npm run build
    - name: Publish to npm 
      uses: JS-DevTools/npm-publish@v1
      if: github.ref == 'refs/heads/master'
      with:
        token: ${{ secrets.NPM_AUTH_TOKEN }}

Edit:
After playing around a bit, I was able to do a workaround by setting INPUT_TOKEN to empty string.

    env: 
      INPUT_TOKEN: ''

Activity

kevindra
added 2 commits that reference this issue on Oct 13, 2020

🐛 (ALL) Fixing the INPUT_TOKEN issue in the github npm_publish action

a9c3c23

🐛 (ALL) Previous fix for INPUT_TOKEN was an error, fixed it now.

2d07bfd
alexanderbird
added a commit that references this issue on Nov 8, 2020

Work-around for github actions INPUT_TOKEN error

0cb2d33
technote-space
mentioned this on Dec 22, 2020
JamesMessinger

JamesMessinger commented on Jan 2, 2021

@JamesMessinger
JamesMessinger
on Jan 2, 2021
Member

For security reasons, this GitHub Action does not write your NPM auth token to the ~/.npmrc file like some other GitHub Actions do. Instead, it writes an environment variable placeholder named INPUT_TOKEN.

However, the bug that you've discovered is that this action leaves that placeholder in your ~/.npmrc file even after the publish step has finished. In many workflows this is fine, since the publish step is the final step of the workflow. But in your case, you're using the cache action as well, and I believe that action is caching the ~/.npmrc file, which results in subsequent runs of your workflow failing because the ~/.npmrc file references a non-existent environment variable named INPUT_TOKEN.

Ultimately, this is a bug 🐛 in this GitHub Action. It should restore the ~/.npmrc file to its original state after running. But, in the meantime, there are a couple workarounds you could use:

Workarounds

  1. Define an environment variable named INPUT_TOKEN in your workflow.

-- OR --

  1. Remove the cache action from your workflow, so each build starts with a fresh state
JamesMessinger
added
bugSomething isn't working
on Jan 2, 2021
amanpahariya

amanpahariya commented on May 22, 2021

@amanpahariya
amanpahariya
on May 22, 2021 · edited by amanpahariya

I am also getting the same problem when writing any command related to npm. So I solved by node or nodemon. so when you want to start your server use the node and when you want to install any package just remove this and then install it will work.

//registry.npmjs.org/:_authToken=${INPUT_TOKEN}
It will work in both react and node.js for me. Run react also by node by creating own server.js file like in node.js By this, I successfully deployed my application on Heroku.
And in production give your env variable on the server where your are deploying and in your own machine put it in .bash_profile and put it in .gitignore

amanpahariya

amanpahariya commented on Jun 7, 2021

@amanpahariya
amanpahariya
on Jun 7, 2021

I am also getting this problem but I find a solution when I am pushing my repo on Heroku so I notice that Heroku run the command react-script start or build

//registry.npmjs.org/:_authToken=${INPUT_TOKEN}
so this syntax didn't give the error but when I use the same syntax in my system and run the command it gives me.
Because usually when we run in our system we use cmd npm or yarn but if you use react-script then it will not gives an error

amir0ff

amir0ff commented on Jul 12, 2021

@amir0ff
amir0ff
on Jul 12, 2021 · edited by amir0ff

as @JamesMessinger say this definitely a bug 🐛

was able to fix this by setting up the ~/.npmrc file and defining INPUT_TOKEN in the job:

jobs:
  build_test_deploy:
    env:
      INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: 🔧 Setup .npmrc file for publish
  uses: actions/setup-node@v2
  with:
    node-version: ${{ matrix.node-version }}
    registry-url: 'https://registry.npmjs.org'
WilliamKelley
added a commit that references this issue on Jul 30, 2021

chore: fix build failure about env.INPUT_TOKEN

9189012
Akkii4

Akkii4 commented on Mar 19, 2022

@Akkii4
Akkii4
on Mar 19, 2022

you can also replace the INPUT_TOKEN with your own GitHub generated personal token

wcandillon
added a commit that references this issue on Apr 8, 2022

Fix documentation deployment step

badf7ca
polnikale
mentioned this on Jul 21, 2022
t3chguy

t3chguy commented on Sep 30, 2022

@t3chguy
t3chguy
on Sep 30, 2022

This would be great it if it was documented, I was bashing my head as to why npm dist-tags commands after this publish action weren't working with NODE_AUTH_TOKEN as set by setup-node until I realised this uses a different envvar name. Maybe instead you could align it with setup-node to NODE_AUTH_TOKEN andpartially prevent this unexpected behaviour

Related fix https://github.com/matrix-org/matrix-js-sdk/pull/2717/files

limzykenneth
added a commit that references this issue on Oct 18, 2022

Fix release action error due to unset secret

aef468c

15 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @t3chguy@mcous@JamesMessinger@honzabilek4@Akkii4

      Issue actions
        Action modifies user's npmrc · Issue #15 · JS-DevTools/npm-publish