publishing to npm fails after publishing to GPR
Closed this issue Β· 38 comments
I have a workflow like this that's supposed to publish to npm once I publish to GPR:
name: Publish to npm
on: registry_package
jobs:
publish-npm:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
with:
node-version: 12
registry-url: https://registry.npmjs.org/
- run: npm install && npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}I have the npm_token secret added to this repository.
When I just published to GPR, it kicked off this workflow job, but it failed at the last step of publishing to npm. The error was from npm saying:
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"What does this error mean, and how do I fix it? I don't see anything about setting "basic realm" in the recipes for this setup-node action.
One thing I notice off the bat is that your registry url is for npm (https://registry.npmjs.org/) not GitHub (https://npm.pkg.github.com) which means your auth will be set for npm as well. Could you try changing that and see if it fixes it?
I am trying to publish from GPR to npm, that's why the URL and token are for npm.
I also had the same issue, and fixed by creating ~/.npmrc like:
- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publishAccording to the examples provided for this repo for publishing to npm, presumably the with: registry_url: .. is supposed to be taking the place of a local npmrc, and I would also assume the NODE_AUTH_TOKEN environment variable is either something that this action uses or that the npm client itself uses.
The approach of echoing out an npmrc is not only hacky but also seems a bit dangerous given that we already have to have an npmrc in the repo to publish to GPR in the first place, which means effectively this echo is overwriting the file just before publish.
Sorry, misunderstood - any chance you can share your package.json file? Also, are you able to publish to npm locally with that package.json file?
Yes I have been publishing to npm directly (by just commenting out the line in my npmrc that directs the publish to GPR) each time that the github action has failed.
Here's the repo (with the package.json): https://github.com/getify/revocable-queue
I think because this is a scoped package, adding the scope parameter should do the trick. So:
name: Publish to npm
on: registry_package
jobs:
publish-npm:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
with:
node-version: 12
registry-url: https://registry.npmjs.org/
scope: getify
- run: npm install && npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
I'm not 100% sure how this will interact with a repo that has a .npmrc file already, but I think it should be fine
I just made the change and bumped the version to 3.0.4 to retry... failed with the same error:
npm notice 4.7kB test.js
npm notice 853B package.json
npm notice 16.7kB README.md
npm notice 109B copyright-header.txt
npm notice 1.1kB LICENSE.txt
npm notice === Tarball Details ===
npm notice name: @getify/revocable-queue
npm notice version: 3.0.4
npm notice package size: 11.3 kB
npm notice unpacked size: 33.9 kB
npm notice shasum: ea43f55fddddb1605129124fdba8b89bf4e1da15
npm notice integrity: sha512-Jvgdlz8eA02eN[...]ThmfISW3BAXYA==
npm notice total files: 11
npm notice
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
npm ERR! A complete log of this run can be found in:
npm ERR! /home/runner/.npm/_logs/2019-09-04T19_56_58_223Z-debug.log
I don't think I have access to that npm debug log, so I can't see anything about why the authentication is failing. :/
I have the same problem trying to publish a package to private gemfury - the secrets/NODE_AUTH_TOKEN environment variable is not working correctly. I suspect its being overwritten with XXXXX-XXXXX-XXXXX-XXXXX but its hard to debug
https://github.com/actions/setup-node/blob/master/src/authutil.ts
adding these run commands to publish-npm helps a little
- run: printenv
- run: cat /home/runner/work/_temp/.npmrc
@mpwis nice find!
BTW, specifically I think it's this line that could be the problem: https://github.com/actions/setup-node/blob/master/src/authutil.ts#L57
This is a blocker for me to using Github Actions. I would really appreciate some more info on it.
Not sure that this adds much to the conversation but through the grapevine of (limit) google results and community searching, this has turned into a show-stopper for using Actions and GPR.
I'm getting the exact same errors as described above.
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"
Repo in question is https://github.com/paquette/react-components
Using the CLI I can publish to GPR no problem, but the authentication fails with Actions -- even though the process is nearly identical and as far as I can tell it's hooked up as documentation suggests.
The failing PR (and their associated checks) can be found in this PR https://github.com/paquette/react-components/pull/7
@pqt Just to be clear: Youβre talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because Iβve got that working from within GitHub Actions, with this .npmrc
registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
In the workflow config, I donβt use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).
Is that what youβre trying to accomplish or am I totally misunderstanding you?
PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.
Nope you've got it correct @tjanson, the GITHUB_TOKEN doesn't seem to work, so I've cleared all reference to GPR publishing, and now going to be taking another stab at it with an NPM PAT.
Going to test what you've got though because it's already considerably more elegant than my 3 different locations of configurations.
Gotta sweet case of the GIT mondays going on. (Note the check failure π)
Publishing to GPR from Actions (what @pqt seems to be doing) and publishing to NPM from Actions (which, in my case, is triggered after first publishing to GPR) are separate topics.
However, they both seem to have the same symptom, which is that the Action doesn't seem to apply the correct credentials for the publishing (from npm secrets), and/or Actions is not properly using the "registry" setting from the Action. In some cases you can "hack" around this problem by just forcing your own .npmrc, but that's both a hack and runs contrary to the published documentation for this Action, so it shouldn't be "the solution".
In my case, since my project already has a npmrc in it, to redirect the initial publish to GPR in the first place, I do not think it's a suitable solution to somehow hack or override that npmrc during the Action to then redirect to npm.
Yeah, I see the difference now that you mention that @getify.
To clarify, my current situation is just trying to publish to GPR at all, which has proven to be unsuccessful out of the gates. I'll stay subscribed to the thread but our approaches seem to be different enough that it might warrant a separate issue entirely.
@getify even in you're running setup-node pointing to the npm registry you still have a .npmrc file in you repo, which point to GPR. This might explain why it's failing with an error about GPR auth, even though you're trying to publish to NPM.
Can you try deleting the local .npmrc?
name: Publish to npm
on: registry_package
jobs:
publish-npm:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions/setup-node@v1
with:
node-version: 12
registry-url: https://registry.npmjs.org/
scope: getify
- run: rm .npmrc && npm install && npm publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}As I said up-thread, overwriting (or, as you suggest, deleting) the .npmrc that's in the package is an ugly hack that I don't accept as a proper solution. I am expecting that setup-node figure out how to override my local .npmrc with the .npmrc they're generating, or otherwise redirect the npm publish command to force it to use the generated .npmrc, perhaps in the form of some parameter passed to the npm commands or something like that.
GPR requires you to have a .npmrc so that you can publish to GPR using the npm CLI tool. That's the only reason I have a .npmrc in the first place. Since I'm supposed to be able to publish from my command line to GPR, and then have that trigger Actions to publish to npm for me -- the main and indeed only use-case I have for Actions right now -- there needs to be a proper fix for how this setup-node handles the .npmrc files. I shouldn't have to "work around it"; this is supposed to be a first-class supported use-case.
Perhaps setup-node should not be relying on an npmrc for this config, and should instead inject the --registry=.. parameter (along with a shell reference to the NODE_AUTH_TOKEN env variable) into my npm install command?
I have a similar issue.
My action looks something like this:
name: Release
on:
release:
types: [published]
jobs:
release:
runs-on: ubuntu-latest
name: Release
steps:
- uses: actions/checkout@master
with:
fetch-depth: 1
- name: Install Node dependencies
run: yarn --frozen-lockfile
- name: Build
run: yarn build
- name: Publish to NPM registry
run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}I am getting this error
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://registry.npmjs.org/vega-lite - You must be logged in to publish packages.
More details: https://github.com/vega/vega-lite/runs/238298497
This npm parameter can force the CLI tool to use a specific .npmrc file, so I think that's the best fix here:
https://docs.npmjs.com/misc/config#userconfig
The sticky part is, I could do that manually in my npm publish command, but then I'm hard-coding a specific path that I don't control (decided by this setup-node script), which means if this script sometime later decides to put the .npmrc in a different location, my builds start breaking.
So perhaps setup-node could create a .npmrc file in a location, and export whatever path that is as another environment variable, like NPMRC_PATH, and then my script could say:
npm --userconfig='$NPMRC_PATH' publish
I think that would fix the issue here in the most reasonable way.
Just an update, I have tried manually adding the --userconfig="/home/runner/work/_temp/.npmrc" flag onto my npm publish command, but it still failed. In some local testing, I'm believe I've concluded that the npm client doesn't actually respect this flag like it should. :/
I will probably report this is as a bug to npm.
Edit: I'm not positive this is a bug. It might be that npm is indeed using the specified npmrc (the one generated by setup-node) but ALSO using what it finds in my local .npmrc, which sets the @getify namespace to the GPR registry URL.
So if that's true, this may either be an issue where the generated .npmrc needs to include my namespace override to point to npm's URL... or it may be that there's a precedence issue, where npm is using the local npmrc in preference over configs it finds elsewhere. If the latter is true, this might not be a fixable problem after all. :/
Edit 2: I am sure now that npm is in fact using the file that I'm specifying with --userconfig=... So that's good. But the bad news is, npm seems to still use the local .npmrc, and worse it seems to use that one last, after the specified one, so the local setting is still winning, causing the error. I don't see any way to get around this using an .npmrc. :/
Edit 3: For clarification, I am 99% sure where the authentication error is coming from now. It's because my local .npmrc says: @getify:registry=https://npm.pkg.github.com/, which is required to redirect the npm client to publish to GPR. When the action tries to run npm publish, it's seeing that from the local .npmrc which means the action is trying to publish back to GPR instead of to npm, but it's trying to use the npm auth-token. Thus, the auth failure.
I can't figure out how to get the action to override the @getify:.. setting to point it at npm instead of GPR. :/
OK, I think I have finally cracked this problem.
I updated my workflow action YAML to have this npm-publish:
npm publish --@getify:registry=https://registry.npmjs.org/
That flag has the effect of overriding what's in the local .npmrc that redirected the original publish to GPR, so that actions can now publish to regular npm.
@getify - following up here. I'm glad you found a solution to your problem. Do you believe there's any action item for the setup-node action? Either a change or docs? Thanks!
It would be great if publishing worked in a minimal example such as #52 (comment).
Registry url seems to be ignored here https://github.com/phillmac/orbit-db-managers/blob/a50a35fca7b0d1b79871428b39deb8ecb1293edf/.github/workflows/npmpublish.yml#L40
even without a .npmrc present in the repo.
It results in a n error in the GPR publish:
npm ERR! 401 Unauthorized - PUT https://registry.npmjs.org/orbit-db-managers - You must be logged in to publish packages.
Any solution to this?
Hi all - here is a workflow that publishes to both NPMJS and GPR, without needing .npmrc workarounds:
Just replace <@OWNER> with appropriate scope (eg for me it would be @affrae), and use your version of npm_token
Is working at https://github.com/affrae/fib-tools
name: Publish to NPMJS and GPR
on:
push:
branches:
- master
jobs:
publish-to-npm-and-gpr:
runs-on: ubuntu-latest
steps:
# Checkout the repo
- uses: actions/checkout@master
# Update package version and set up git
- uses: actions/setup-node@master
- name: Update package version and setup git
run: |
git config user.name "Actions User"
git config user.email noreply@github.com
npm version 1.0.$(date +%s)
# Publish to NPMJS
- uses: actions/setup-node@master
with:
node-version: 12
registry-url: 'https://registry.npmjs.org/'
- name: Publish to NPMJS
run: |
npm config set //registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN
npm config set scope "<@OWNER>"
npm config list
npm publish --access public
env:
CI: true
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
# Publish to GitHub Package Registry
- uses: actions/setup-node@master
with:
node-version: 12
registry-url: https://npm.pkg.github.com/
scope: '<@OWNER>'
- name: Publish to GitHub Package Registry
run: npm publish
env:
NODE_AUTH_TOKEN: ${{github.token}}FWIW, this issue is not about "publishing to both npm and GPR". It's about publishing to npm after publishing to GPR, which in the case of having a .nmprc file, AND the npm package being scoped the same as the GPR package, presents this specific problem I was having.
Unclear if others will ever be in exactly that specific scenario.
I understand - but what if you try my Publish to NPMJS step, using the npm config commands and and env I used? I had problems publishing to npm as well until I used those. I would hope that the config commands would override those in the .npmrc file and I had not seen anyone mention npm config until now.
I didn't try npm config commands -- interesting idea -- but I did essentially configure npm via command-line flags, as mentioned in this comment: #52 (comment)
Not sure if this helps, I was also running into this... I was just missing the @org-name from the name. Also, the publishConfig is the alternative to using the .npmrc; which I understand you don't want to do.
So your package.json would look like this:
"name": "@org-name/package-name",
"version": "1.0.0",
"publishConfig": {
"registry": "https://npm.pkg.github.com/"
},
"repository": {
"type": "git",
"url": "git://github.com/org-name/repository-name.git"
}
}
Only add repository if I want to have the package name to be different from repo.
Hope that helps.
Hi All,
I have another solution. Only the package.json registry would work, and the bash registry setting doesn't work on GPR publishing! So I copied the registry on package.json right before publishing!
May you look at this gist please! π
I doubt others will be in such a specific situation as I was, especially given now that github owns npm and will probably more closely integrate the two. I expect eventually this is a non-issue. Closing for now.
I found the solution for this @getify You basically need to publish your package as private
FWIW, this issue is not about "publishing to both npm and GPR". It's about publishing to npm after publishing to GPR, which in the case of having a .nmprc file, AND the npm package being scoped the same as the GPR package, presents this specific problem I was having.
Unclear if others will ever be in exactly that specific scenario.
I am in a very similar scenario. I have been publishing my private package to GPR and now I am taking it public to npm. I have .npmrc in my repo. All attempts to publish to npm after GPR have failed, although I specify my scope, the correct registry, etc... Puzzling.
I am really not a pro, but it seems you are trying to publish to github packages, and in your .npmrc you have :
registry=https://registry.npmjs.org/
...
Could this be the problem ?