
Documentation of publishing with NPM_TOKEN is not accurate when using actions/setup-node #132

Open
zthxxx opened this issue Jan 6, 2022 · 3 comments

Comments

@zthxxx

zthxxx commented Jan 6, 2022

I have made a POC commit and action here:

  1. it uses actions/setup-node with the registry-url param
  2. it lists all the .npmrc files for debugging
  3. it drops NODE_AUTH_TOKEN for changesets/action

There is no doubt this commit changes the action status from success to failure.

Reason

As the annotation in the screenshot shows, actions/setup-node with the registry-url param creates a "user" config .npmrc with _authToken=${NODE_AUTH_TOKEN},

but it is at ~/work/_temp/.npmrc, not ~/.npmrc, and the userconfig field points to ~/work/_temp/.npmrc.

That is stated in the GitHub Actions docs - Publishing packages to the npm registry.

So the _authToken that changesets/action creates and sets up will not work.

Therefore, without the registry-url param the action succeeds (POC: action log | commit),
and with the NODE_AUTH_TOKEN env set the action also succeeds (POC: action log | commit).

Proposed

Maybe update the documentation about that case? A lot of people are using setup-node and registry-url.

@zthxxx
Author

zthxxx commented Jan 6, 2022

Also, that's related to #106.

@Andarist
Member

We've kinda wanted to deprecate the built-in authentication. The code for it still has to be in the project because we don't want to release a new major version now, but we should remove mentions of that from the docs.

One of the problems that we have wanted to solve by that is better compatibility with Yarn Berry. They are not using .npmrc at all and trying to figure out how to properly set up auth credentials for a given project while making sure that we don't override anything is annoying and error-prone. By making users just set up the auth with setup-node or their own scripts we just remove the problem altogether, by shifting this responsibility to more suited places.

@tkow

tkow commented Dec 29, 2022

I encountered that today: if we don't have .npmrc in .gitignore, this action generates a .npmrc with an unmasked npm token and commits it automatically, due to this code, when publishing a library. It has the potential to leak the npm token if we use public repositories, so I had to replace all the npm tokens in place of the leaked ones.

I think creating .npmrc should not be the default behavior.
Or replace '//registry.npmjs.org/:_authToken=${process.env.NPM_TOKEN}\n' with '//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n'.
A .npmrc file can usually read OS environment variables directly and is safe if the file is committed, because NPM_TOKEN itself is not written in the file if you accidentally create the .npmrc file.

Please consider it.
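The two .npmrc forms discussed in this thread side by side, as an added example that is not changesets/action code: the env-reference line that npm expands at read time, the interpolated line that bakes the secret into the file, a check that flags any literal _authToken value in an .npmrc before it can be committed, and a simplified .gitignore check. The token value and the function names are constructed for this example.

```javascript
// Added example, not part of changesets/action. Registry key as used in the thread.
const REGISTRY = "//registry.npmjs.org/";

// Reference form: npm expands ${NPM_TOKEN} when it reads the file, so the secret
// never lands on disk and the line is harmless even if the file is committed.
function npmrcLineWithEnvReference(envName = "NPM_TOKEN") {
  return `${REGISTRY}:_authToken=\${${envName}}\n`;
}

// Interpolated form (the behaviour tkow describes): the token value itself is
// written into the file, so committing the file publishes the secret.
function npmrcLineWithInterpolatedToken(token) {
  return `${REGISTRY}:_authToken=${token}\n`;
}

// Scan .npmrc text and return the registry keys whose _authToken is a literal
// value rather than a ${ENV_VAR} reference. An empty array means nothing in the
// file would leak if it were committed. Comment lines (# or ;) are skipped.
function findLiteralAuthTokens(npmrcText) {
  const leaks = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(.*:_authToken)\s*=\s*(.*)$/);
    if (!m) continue;
    const value = m[2].trim();
    const isEnvReference = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
    if (!isEnvReference) leaks.push(m[1]);
  }
  return leaks;
}

// Simplified .gitignore check (exact-entry match only, no negation handling):
// true when a root-level .npmrc would be ignored and so could not be committed.
function gitignoreCoversNpmrc(gitignoreText) {
  return gitignoreText
    .split(/\r?\n/)
    .map((l) => l.trim())
    .some((l) => l === ".npmrc" || l === "/.npmrc" || l === "**/.npmrc");
}

// Constructed sample: a fake token that is obviously not a real credential.
const SAMPLE_TOKEN = "npm_EXAMPLE_TOKEN_NOT_REAL";
console.log("leaks in env-reference form:", findLiteralAuthTokens(npmrcLineWithEnvReference()));
console.log("leaks in interpolated form:", findLiteralAuthTokens(npmrcLineWithInterpolatedToken(SAMPLE_TOKEN)));
console.log(".gitignore covers .npmrc:", gitignoreCoversNpmrc("node_modules/\n.npmrc\n"));
```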
