setup-node: publishing to npm fails after publishing to GPR

@pqt Just to be clear: You’re talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because I’ve got that working from within GitHub Actions, with this .npmrc

registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

In the workflow config, I don’t use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).

Is that what you’re trying to accomplish or am I totally misunderstanding you?

PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.

I also had the same issue, and fixed by creating ~/.npmrc like:

- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publish

Hi all - here is a workflow that publishes to both NPMJS and GPR, without needing .npmrc workarounds:

Just replace <@OWNER> with appropriate scope (eg for me it would be @affrae), and use your version of npm_token

Is working at https://github.com/affrae/fib-tools

name: Publish to NPMJS and GPR

on:
  push:
    branches:
      - master

jobs:
  publish-to-npm-and-gpr:
    runs-on: ubuntu-latest
    steps:
      
      # Checkout the repo
      - uses: actions/checkout@master
        
      # Update package version and set up git
      - uses: actions/setup-node@master
      - name: Update package version and setup git
        run: |
          git config user.name "Actions User"
          git config user.email noreply@github.com
          npm version 1.0.$(date +%s)

      # Publish to NPMJS
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: 'https://registry.npmjs.org/'
      - name: Publish to NPMJS
        run: |
          npm config set //registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN
          npm config set scope "<@OWNER>"
          npm config list
          npm publish --access public 
        env:
          CI: true
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

      # Publish to GitHub Package Registry
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: https://npm.pkg.github.com/
          scope: '<@OWNER>'
      - name: Publish to GitHub Package Registry
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{github.token}}

Publishing to GPR from Actions (what @pqt seems to be doing) and publishing to NPM from Actions (which, in my case, is triggered after first publishing to GPR) are separate topics.

However, they both seem to have the same symptom, which is that the Action doesn’t seem to apply the correct credentials for the publishing (from npm secrets), and/or Actions is not properly using the “registry” setting from the Action. In some cases you can “hack” around this problem by just forcing your own .npmrc, but that’s both a hack and runs contrary to the published documentation for this Action, so it shouldn’t be “the solution”.

In my case, since my project already has a npmrc in it, to redirect the initial publish to GPR in the first place, I do not think it’s a suitable solution to somehow hack or override that npmrc during the Action to then redirect to npm.

This is a blocker for me to using Github Actions. I would really appreciate some more info on it.

OK, I think I have finally cracked this problem.

I updated my workflow action YAML to have this npm-publish:

npm publish --@getify:registry=https://registry.npmjs.org/

That flag has the effect of overriding what’s in the local .npmrc that redirected the original publish to GPR, so that actions can now publish to regular npm.

I think because this is a scoped package, adding the scope parameter should do the trick. So:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
          scope: getify
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I’m not 100% sure how this will interact with a repo that has a .npmrc file already, but I think it should be fine

I found the solution for this @getify You basically need to publish your package as private

I doubt others will be in such a specific situation as I was, especially given now that github owns npm and will probably more closely integrate the two. I expect eventually this is a non-issue. Closing for now.

Not sure if this helps, I was also running into this… I was just missing the @org-name from the name. Also, the publishConfig is the alternative to using the .npmrc; which I understand you don’t want to do.

So your package.json would look like this:

  "name": "@org-name/package-name",
  "version": "1.0.0",
  "publishConfig": {
    "registry": "https://npm.pkg.github.com/"
  },
  "repository": {
    "type": "git",
    "url": "git://github.com/org-name/repository-name.git"
  }
}

https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#configuring-a-package-scope-using-a-local-npmrc

Only add repository if I want to have the package name to be different from repo.

Hope that helps.

I didn’t try npm config commands – interesting idea – but I did essentially configure npm via command-line flags, as mentioned in this comment: https://github.com/actions/setup-node/issues/52#issuecomment-536544414

Yeah, I see the difference now that you mention that @getify.

To clarify, my current situation is just trying to publish to GPR at all, which has proven to be unsuccessful out of the gates. I’ll stay subscribed to the thread but our approaches seem to be different enough that it might warrant a separate issue entirely.

Not sure that this adds much to the conversation but through the grapevine of (limit) google results and community searching, this has turned into a show-stopper for using Actions and GPR.

I’m getting the exact same errors as described above.

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

Repo in question is https://github.com/paquette/react-components

Using the CLI I can publish to GPR no problem, but the authentication fails with Actions – even though the process is nearly identical and as far as I can tell it’s hooked up as documentation suggests.

The failing PR (and their associated checks) can be found in this PR https://github.com/paquette/react-components/pull/7

According to the examples provided for this repo for publishing to npm, presumably the with: registry_url: .. is supposed to be taking the place of a local npmrc, and I would also assume the NODE_AUTH_TOKEN environment variable is either something that this action uses or that the npm client itself uses.

The approach of echoing out an npmrc is not only hacky but also seems a bit dangerous given that we already have to have an npmrc in the repo to publish to GPR in the first place, which means effectively this echo is overwriting the file just before publish.

I am really not a pro, but it seems you are trying to publish to github packages, and in your .npmrc you have :

registry=https://registry.npmjs.org/
...

Could this be the problem ?

Hi All, I have another solution. Only the package.json registry would work, and the bash registry setting doesn’t work on GPR publishing! So I copied the registry on package.json right before publishing! May you look at this gist please! 🙃

@phillmac - can create a separate issue for your failure. I think I may know it is and looks to be different than the issue from @getify - I’ll follow up on that issue

This npm parameter can force the CLI tool to use a specific .npmrc file, so I think that’s the best fix here:

https://docs.npmjs.com/misc/config#userconfig

The sticky part is, I could do that manually in my npm publish command, but then I’m hard-coding a specific path that I don’t control (decided by this setup-node script), which means if this script sometime later decides to put the .npmrc in a different location, my builds start breaking.

So perhaps setup-node could create a .npmrc file in a location, and export whatever path that is as another environment variable, like NPMRC_PATH, and then my script could say:

npm --userconfig='$NPMRC_PATH' publish

I think that would fix the issue here in the most reasonable way.

Perhaps setup-node should not be relying on an npmrc for this config, and should instead inject the --registry=.. parameter (along with a shell reference to the NODE_AUTH_TOKEN env variable) into my npm install command?

I have the same problem trying to publish a package to private gemfury - the secrets/NODE_AUTH_TOKEN environment variable is not working correctly. I suspect its being overwritten with XXXXX-XXXXX-XXXXX-XXXXX but its hard to debug

https://github.com/actions/setup-node/blob/master/src/authutil.ts

adding these run commands to publish-npm helps a little

• run: printenv
• run: cat /home/runner/work/_temp/.npmrc