fix(release): drop setup-node registry-url so OIDC npm info read isn't poisoned#44
Open
prosdev wants to merge 1 commit into
Open
fix(release): drop setup-node registry-url so OIDC npm info read isn't poisoned#44prosdev wants to merge 1 commit into
prosdev wants to merge 1 commit into
Conversation
…t poisoned ## Symptom After the pnpm 10 fix, `changeset publish` still fails: it reports every already-published package (dev-agent, kero) as "has not been published on npm", tries to republish, and npm 11 rejects with "cannot publish over the previously published versions". dev-agent published once (new version) then every subsequent run is red. ## Root cause (grounded) 1. `changeset publish` runs `npm info <pkg> --json` to detect existing versions. npm's `--json` writes errors to stderr and leaves stdout EMPTY on any non-200 (npm/cli#5286, #5444). changesets treats empty stdout as E404 -> "not published" (intentional, for GitHub Packages — changesets#1098), so it tries to republish. 2. `actions/setup-node` with `registry-url` writes an .npmrc line `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` (setup-node authutil.ts). Under OIDC there is no real token, so the `npm info` READ carries a bad/placeholder token -> 401 -> empty stdout -> false "unpublished". The PUBLISH still works because npm uses a separate OIDC token-exchange endpoint — hence the read-fails-but-publish-succeeds asymmetry. 3. Why it surfaced now: npm 11 added eager preflight rejection of "cannot publish over the previously published version" (npm commit 31455b2, referenced in changesets' own source). Older npm was lax; `npm install -g npm@latest` drifting to npm 11 exposed the latent read bug. ## Fix Remove `registry-url` from setup-node. With no auth .npmrc, the pre-publish `npm info` read goes out anonymously -> 200 -> changesets sees the real published versions and correctly SKIPS them. OIDC trusted publishing is unaffected: npm handles publish auth via its token-exchange endpoint, and publishConfig.registry (added earlier) targets npmjs.org. This is the canonical documented OIDC-only setup (npm trusted-publishing docs; changesets/action >=1.7.0 writes its own OIDC-clean .npmrc). Also adds a temporary non-fatal "Diagnose npm info read" step that prints whether the read returns data, to confirm the fix on the next run. Remove once green. Refs: npm/cli#5286, #8678, #8976; changesets#1098; pnpm#11526; actions/setup-node#1440; changesets/action#545. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The real root cause (grounded in source, backed by 4 research passes)
After #42 (pnpm 10) and #43 (publishConfig registry), the Release job still failed — reporting both
@prosdevlab/dev-agentand@prosdevlab/keroas "has not been published on npm", retrying, and hittingcannot publish over the previously published versions. #43 was a misdiagnosis (registry routing); it changed nothing. Here is the verified chain:changeset publishrunsnpm info <pkg> --jsonto detect existing versions.--jsonwrites errors to stderr and leaves stdout EMPTY on any non-200 — npm/cli#5286, #5444.E404→ "not published" (intentional, for GitHub Packages — changesets#1098) → tries to republish.actions/setup-nodewithregistry-urlwrites.npmrc://registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}(setup-node authutil.ts / #1440). Under OIDC there's no real token, so thenpm inforead carries a bad/placeholder token → 401 → empty stdout → false "unpublished". The publish still works because npm uses a separate OIDC token-exchange endpoint — exactly the read-fails-but-publish-succeeds asymmetry we observed.cannot publish over the previously published version(npm commit31455b2, referenced in changesets' own source). Older npm was lax;npm install -g npm@latestdrifting to npm 11 exposed the latent read bug. Same changesets2.29.7that worked in April fails now.Fix
Remove
registry-urlfromactions/setup-node. With no auth.npmrc, the pre-publishnpm inforead goes out anonymously → 200 → changesets sees the real versions and SKIPS already-published packages. This is the canonical documented OIDC-only setup (npm trusted-publishing docs;changesets/action ≥1.7.0writes its own OIDC-clean.npmrc— #545).OIDC trusted publishing is unaffected — npm handles publish auth via token-exchange, and
publishConfig.registry(from #43) targets npmjs.org.@prosdevlab/dev-agent@0.13.0already publishing proves the OIDC publish path works.Also adds a temporary non-fatal
Diagnose npm info readstep that prints whether the read returns data — so the next run proves the fix (or reveals anything else). Remove once green.Verification
registry-urlgone, diagnosticcontinue-on-error: true).repositoryfields; noNODE_AUTH_TOKEN/NPM_TOKENset;changesets/action@v1resolves to 1.9.0 (≥1.7.0).npm infomechanism was confirmed by reading the installed@changesets/cli@2.31.0source (empty-stdout → synthetic E404 →versions=[]→!includes(localVersion)→ republish).Expected result
Next
mainpush: the diagnostic printsREAD ... -> OK, latest=...for both packages;changeset publishfinds them already published, publishes nothing, and the Release job goes green.Note on #43
#43 (publishConfig registry pin) is harmless and complementary (it keeps the publish target explicit) but was not the fix. Keeping it.
Refs: npm/cli#5286, #8678, #8976; changesets#1098; pnpm#11526; actions/setup-node#1440; changesets/action#545.
🤖 Generated with Claude Code