Skip to content

fix(release): drop setup-node registry-url so OIDC npm info read isn't poisoned#44

Open
prosdev wants to merge 1 commit into
mainfrom
fix/release-oidc-npm-info-auth
Open

fix(release): drop setup-node registry-url so OIDC npm info read isn't poisoned#44
prosdev wants to merge 1 commit into
mainfrom
fix/release-oidc-npm-info-auth

Conversation

@prosdev

@prosdev prosdev commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

The real root cause (grounded in source, backed by 4 research passes)

After #42 (pnpm 10) and #43 (publishConfig registry), the Release job still failed — reporting both @prosdevlab/dev-agent and @prosdevlab/kero as "has not been published on npm", retrying, and hitting cannot publish over the previously published versions. #43 was a misdiagnosis (registry routing); it changed nothing. Here is the verified chain:

  1. changeset publish runs npm info <pkg> --json to detect existing versions.
  2. npm --json writes errors to stderr and leaves stdout EMPTY on any non-200npm/cli#5286, #5444.
  3. changesets treats empty stdout as E404 → "not published" (intentional, for GitHub Packages — changesets#1098) → tries to republish.
  4. actions/setup-node with registry-url writes .npmrc: //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} (setup-node authutil.ts / #1440). Under OIDC there's no real token, so the npm info read carries a bad/placeholder token → 401 → empty stdout → false "unpublished". The publish still works because npm uses a separate OIDC token-exchange endpoint — exactly the read-fails-but-publish-succeeds asymmetry we observed.
  5. Why it surfaced now (answers "it worked before"): npm 11 added eager preflight rejection of cannot publish over the previously published version (npm commit 31455b2, referenced in changesets' own source). Older npm was lax; npm install -g npm@latest drifting to npm 11 exposed the latent read bug. Same changesets 2.29.7 that worked in April fails now.

Fix

Remove registry-url from actions/setup-node. With no auth .npmrc, the pre-publish npm info read goes out anonymously → 200 → changesets sees the real versions and SKIPS already-published packages. This is the canonical documented OIDC-only setup (npm trusted-publishing docs; changesets/action ≥1.7.0 writes its own OIDC-clean .npmrc#545).

OIDC trusted publishing is unaffected — npm handles publish auth via token-exchange, and publishConfig.registry (from #43) targets npmjs.org. @prosdevlab/dev-agent@0.13.0 already publishing proves the OIDC publish path works.

Also adds a temporary non-fatal Diagnose npm info read step that prints whether the read returns data — so the next run proves the fix (or reveals anything else). Remove once green.

Verification

  • Typecheck passes; workflow YAML validated (registry-url gone, diagnostic continue-on-error: true).
  • Repo is public (provenance OK); both packages have repository fields; no NODE_AUTH_TOKEN/NPM_TOKEN set; changesets/action@v1 resolves to 1.9.0 (≥1.7.0).
  • The npm info mechanism was confirmed by reading the installed @changesets/cli@2.31.0 source (empty-stdout → synthetic E404 → versions=[]!includes(localVersion) → republish).

Expected result

Next main push: the diagnostic prints READ ... -> OK, latest=... for both packages; changeset publish finds them already published, publishes nothing, and the Release job goes green.

Note on #43

#43 (publishConfig registry pin) is harmless and complementary (it keeps the publish target explicit) but was not the fix. Keeping it.

Refs: npm/cli#5286, #8678, #8976; changesets#1098; pnpm#11526; actions/setup-node#1440; changesets/action#545.

🤖 Generated with Claude Code

…t poisoned

## Symptom
After the pnpm 10 fix, `changeset publish` still fails: it reports every
already-published package (dev-agent, kero) as "has not been published on
npm", tries to republish, and npm 11 rejects with "cannot publish over the
previously published versions". dev-agent published once (new version) then
every subsequent run is red.

## Root cause (grounded)
1. `changeset publish` runs `npm info <pkg> --json` to detect existing
   versions. npm's `--json` writes errors to stderr and leaves stdout EMPTY
   on any non-200 (npm/cli#5286, #5444). changesets treats empty stdout as
   E404 -> "not published" (intentional, for GitHub Packages — changesets#1098),
   so it tries to republish.
2. `actions/setup-node` with `registry-url` writes an .npmrc line
   `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` (setup-node authutil.ts).
   Under OIDC there is no real token, so the `npm info` READ carries a
   bad/placeholder token -> 401 -> empty stdout -> false "unpublished".
   The PUBLISH still works because npm uses a separate OIDC token-exchange
   endpoint — hence the read-fails-but-publish-succeeds asymmetry.
3. Why it surfaced now: npm 11 added eager preflight rejection of
   "cannot publish over the previously published version" (npm commit
   31455b2, referenced in changesets' own source). Older npm was lax;
   `npm install -g npm@latest` drifting to npm 11 exposed the latent read bug.

## Fix
Remove `registry-url` from setup-node. With no auth .npmrc, the pre-publish
`npm info` read goes out anonymously -> 200 -> changesets sees the real
published versions and correctly SKIPS them. OIDC trusted publishing is
unaffected: npm handles publish auth via its token-exchange endpoint, and
publishConfig.registry (added earlier) targets npmjs.org. This is the
canonical documented OIDC-only setup (npm trusted-publishing docs;
changesets/action >=1.7.0 writes its own OIDC-clean .npmrc).

Also adds a temporary non-fatal "Diagnose npm info read" step that prints
whether the read returns data, to confirm the fix on the next run. Remove
once green.

Refs: npm/cli#5286, #8678, #8976; changesets#1098; pnpm#11526;
actions/setup-node#1440; changesets/action#545.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant