setup-node: Change of registry is being ignored

Somehow manually creating .npmrc on every workflow step doesn’t help

Have you tried setting scope to your GH and NPM registry username (respectively) as input for setup-node when you’re trying to set / change registries?

Changing the scope doesn’t change anything.

- uses: actions/setup-node@v4
  with:
    registry-url: https://npm.pkg.github.com
    scope: "@natoboram"
- run: pnpm publish --access public --no-git-checks
  env:
    NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: actions/setup-node@v4
  with:
    registry-url: https://registry.npmjs.org
    scope: "@natoboram"
- run: pnpm publish --access public --no-git-checks
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

You can use the CLI reproduce the actions taken by actions/setup-node@v4.

- run: |
    pnpm config set @natoboram:registry 'https://npm.pkg.github.com' --location project
    pnpm config set //npm.pkg.github.com/:_authToken '${NODE_AUTH_TOKEN}' --location project
    pnpm publish --access public --no-git-checks
  env:
    NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- run: |
    pnpm config set @natoboram:registry 'https://registry.npmjs.org' --location project
    pnpm config set //registry.npmjs.org/:_authToken '${NODE_AUTH_TOKEN}' --location project
    pnpm publish --access public --no-git-checks
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

---

After digging a bit more in the source code, I realized something.

https://github.com/actions/setup-node/blob/d86ebcd40b3cb50b156bfa44dd277faf38282d12/src/authutil.ts#L7-L17

The .npmrc file it’s changing isn’t the one in the project, it’s the global one. This means its changes can be overridden by the project’s .npmrc. But, more importantly, it means that if you have private packages set by your local .npmrc, then this action doesn’t help you at all.

I used act to debug the action and see what happens. After setting up actions/setup-node@v4 twice, I ran cat ${{ runner.temp}}/.npmrc. This is the result:

//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
always-auth=false
//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
@natoboram:registry=https://registry.npmjs.org/

So, the action works.

TL;DR: Unset the scope in your project’s .npmrc during your GitHub Workflow. Make sure to do it after pnpm install.

pnpm config delete @natoboram:registry --location project

Thanks @piranna. I changed to use a node container instead of this action, and I’m configuring .npmrc explicitly

Yes, issue still happens, and using several jobs solved It, but it’s a waste of resources because will need to download the project and dependencias a generate the package múltiple times, instead of just doing an extra upload to the second registry.

@piranna understood, thank you for the follow-up! Just to confirm, have you tried setting the appropriate scope in any case (for both GHR and NPM registry, but primarily for NPM since it seems to be the problematic one here)? I’m only asking because it has been failing for me as well when I was performing the repro steps (and with the same error) until I set the scope properly, so I thought mentioning that could possibly help solve this problem.

In any case, we will also consider the first part of your reply (about working with .npmrc) and see what can be done on that front. We appreciate the suggestion 😃

Thank you for your timely feedback, patience and cooperation!

Having same issue

Hello again, @piranna ! I’ve looked into this issue and I think I may have a potential solution to suggest. Have you tried setting scope to your GH and NPM registry username (respectively) as input for setup-node when you’re trying to set / change registries? It could be an important setting to make, as I see that, for one reason or the other, it is failing to authenticate you once you try to publish it to NPM.

In addition to that, another step that seemed to have worked for me was to append to .npmrc directly in the workflow, like:

echo "//registry.npmjs.org/:_authToken=${{secrets.NPM_TOKEN}}" >> .npmrc

However, I would like to add that the latter step might not be necessary at all, so you can try just setting the scope for both GHR and NPM first, and then try combining it with the other suggestion.

Edit: I forgot to add this in my previous version of this reply, but please also make sure that your NPM token is properly configured (for automation primarily) and that it has been added as a repository secret in your Settings.

If this doesn’t solve your problem, please feel free to reach out again and we will try to investigate further. Alternatively, if this proves to be successful, you can, of course, also ping me and let me know 😃

Thank you very much for your patience and cooperation!