4

I'm using some github action to release one of my package in a mono repo, holding about 4-5 package likes:

github-repository (monorepo):
- folder_1 (package 1)
- folder_2 (package 2)
- folder_3 (package 3)

For each packages located in this monorepo, when a tag matching a version is released, the action will release it, using a workflow (almost identical for all packages):

name: package 1
on:
  push:
    tags:
      - package1/v*

permissions:
  contents: read
  packages: write

jobs:
  release:
    name: Release
    runs-on: ubuntu-22.12
    defaults:
      run:
        working-directory: folder_1

    steps:
      - name: Checkout source code
        uses: actions/checkout@ab597985615ec2ede58e132d2621d2b1cbd6127c

      - name: Set up Node
        uses: .github/actions/secure-setup-node
        with:
          path: folder_1

      - name: install dependencies
        run: yarn --frozen-lockfile
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: build package
        run: yarn build

      - name: add package.json
        run: cp package.json ./dist

      - name: add yarn.lock
        run: cp yarn.lock ./dist

      - name: add README.md
        run: cp README.md ./dist

      - run: yarn publish ./dist
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

each packages have their own action's workflow .yaml and works fine, except for the new package I just created: package 4 (located in github-repository/folder_4).

it's a basic package except it only holds config files, so it's yarn build script will only copy theses file in the ./dist folder, without implying node or javascript, making it's workflow looking like:

name: Config Release
on:
  push:
    tags:
      - package4/v*

permissions:
  contents: read
  packages: write

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: folder_4

    steps:
      - name: Checkout source code
        uses: actions/checkout@a55da8c3cf115ac326823e79a1e1788f7940201b

      - name: build package
        run: yarn build

      - run: yarn publish ./dist
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

But here goes the issue ! running this action will result by:

Run yarn publish ./dist
yarn publish v1.22.19
[1/4] Bumping version...
info Current version: 1.0.0
[2/4] Logging in...
error No token found and can't prompt for login when running with --non-interactive.
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.
Error: Process completed with exit code 1.

I checked a lot of documentation or github issues about this matter and managed to fix my problem, by replacing NODE_AUTH_TOKEN by NPM_AUTH_TOKEN, but why did it solved it when all my previous packages are still using NODE_AUTH_TOKEN ? is it because I'm not using setup-node ? (I don't use it because I'm not using node to build my javascript), because I don't have yarn.lock ? (even an empty one),

What's the difference about these 2 ? in this issue someone told that:

NPM_AUTH_TOKEN work for npm registry

NODE_AUTH_TOKEN work for scope registry

what does it mean ?

Paul-Marie
  • 874
  • 1
  • 6
  • 24
  • Do you have `.npmrc` and/or `.yarnrc`? What do your `package.json` files look like? These articles [https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages](https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages) and [Working with the npm registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry) explain all these things in detail. Also, see these official docs for [scoped packages](https://docs.npmjs.com/cli/v9/using-npm/scope). – Azeem Mar 26 '23 at 09:00
  • @Azeem I'm pleased to have an answer, but my `package.json` is barely empty (no dependencies / devDependencies, only repository, author, name, version, license and "build" scripts), and I don't have any `.npmrc` / `.yarnrc`. It's not a deploy issues, I already deployed over 200 release on other packages with the exact same config file, it's just for this project, and I managed to solve the problem, it's just I don't understand the difference between `NODE_AUTH_TOKEN` and `NPM_AUTH_TOKEN` – Paul-Marie Mar 27 '23 at 07:36
  • Thank you! Right. I spent quite some time yesterday to find something concrete on it but unfortunately could not. Regarding scoped package, it depends on the `name` field of your package. You can verify it on your side. Apart from that, I suspected that you might have configured the token variable in the `.npmrc` or `.yarnrc` like that i.e. `NPM_AUTH_TOKEN` and that's why it didn't work with `NODE_AUTH_TOKEN`; but, you don't have these files. `NODE_AUTH_TOKEN` seems to be working with `npm` but you're using `yarn`. – Azeem Mar 27 '23 at 08:04
  • I stumbled upon a GitHub thread where the precedence of `.npmrc` and `.yarnrc` was discussed for `yarn`. But, you don't use either of those. Not sure why it's even working with `NPM_AUTH_TOKEN`. :-) If you could create a sample repo replicating your use case, I'll try to test that on my side to figure this out in detail. – Azeem Mar 27 '23 at 08:07
  • I suspect it's because I don't use [secure-setup-node](https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm) script for this peculiar package, and I guess it automatically add this env variable :/ – Paul-Marie Mar 27 '23 at 12:49
  • Yes, `setup-node` creates a `.npmrc` and internally it uses it. See https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#about-package-configuration. – Azeem Mar 27 '23 at 12:52

1 Answers1

5

NPM_AUTH_TOKEN is a token generated in NPM. You then put that in your GitHub secrets on GitHub so it can be passed to an action. You shouldn't put the token in your workflow file. You use it with a "Publish to NPM" GitHub Action. For example in this file .github/workflows/npm-publish.yml:

jobs:
  npm-publish:
    ...
    steps:
      ...
      env:
        NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

The NODE_AUTH_TOKEN is an environment variable with your NPM_TOKEN secret. Ultimately this is used to publish Node.js packages in a continuous integration (CI) workflow.

jobs:
  build:
    ...
    steps:
      ...
      env:
        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

The setup-node action creates your .npmrc file and references your NODE_AUTH_TOKEN environment variable:

//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}

Make sure to set registry-url to https://registry.npmjs.org/ in setup-node.

There is a walk through for setting up the CI publishing here.

James Risner
  • 5,451
  • 11
  • 25
  • 47