[BUG] Package visibility fails on GH packages with provenance #6436

Closed
2 tasks done
feelepxyz opened this issue May 9, 2023 · 0 comments · Fixed by #6437
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 9.x work is associated with a specific npm 9 release

feelepxyz commented May 9, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When publishing with --provenance to the GitHub Package registry, and the package does not already exist (i.e. the first version is being published), the publish call will fail with the following error:

npm notice Publishing to https://npm.pkg.github.com/ with tag latest and default access
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm.pkg.github.com/-/package/@feelepxyz/test-dependabot/visibility
npm ERR! 404 
npm ERR! 404  '@feelepxyz/[email protected]' is not in this registry.

Expected Behavior

Publish should work and --provenance should be ignored, as it is on the subsequent publish when the version already exists.

It's failing at this line: https://github.com/npm/cli/blob/bdab631b9847013dc4e8d4083669acf6c7bfb457/workspaces/libnpmpublish/lib/publish.js#LL181C86-L181C86

Presumably we just need to catch 404s and ignore them?

Steps To Reproduce

Publish to GH packages with provenance

name: Publish Package to npmjs
on: workflow_dispatch
jobs:
 build:
   runs-on: ubuntu-latest
   permissions:
     contents: read
     id-token: write
   steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3
       with:
         node-version: '18.x'
         registry-url: 'https://npm.pkg.github.com'
         scope: '@feelepxyz'
     - run: npm install -g npm
     - run: npm ci
     - run: cat .npmrc
     - run: npm publish --provenance --access public
       env:
         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

Environment

  • npm: 9.6.6
  • Node.js: 18.x
  • OS Name: Ubuntu
  • System Model Name: GitHub Actions hosted runner
  • npm config:
; "user" config from /home/runner/work/_temp/.npmrc

@feelepxyz:registry = "https://npm.pkg.github.com/" 
; //npm.pkg.github.com/:_authToken = (protected) ; overridden by project
always-auth = false 

; "project" config from /home/runner/work/test-dependabot/test-dependabot/.npmrc

//npm.pkg.github.com/:_authToken = (protected) 

; "env" config from environment

userconfig = "/home/runner/work/_temp/.npmrc" 

; node bin location = /opt/hostedtoolcache/node/18.16.0/x64/bin/node
; node version = v18.16.0
; npm local prefix = /home/runner/work/test-dependabot/test-dependabot
; npm version = 9.6.6
; cwd = /home/runner/work/test-dependabot/test-dependabot
; HOME = /home/runner
; Run `npm config ls -l` to show all defaults.

; "publishConfig" from /home/runner/work/test-dependabot/test-dependabot/package.json
; This set of config values will be used at publish-time.

provenance = true
registry = "https://npm.pkg.github.com/"

feelepxyz added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels May 9, 2023
wraithgar added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels May 9, 2023

wraithgar pushed a commit that referenced this issue May 10, 2023
Some registries (e.g. GH packages) require auth to check visibility,
and always return 404 when no auth is supplied. In this case we assume
the package is always private and require `--access public` to publish.

I've also updated this to only perform a visibility check when this is
actually needed (i.e. when `provenance` is true and `access` is not `public`).

Fixes #6436
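
The decision described in the commit message above, sketched as an added example; it is not code from npm/cli or from the referenced commit. All function names are hypothetical, and the `{ public: boolean }` response shape and the injected `fetchVisibility` function are assumptions (the `E404` code is the one shown in the error output above).

```javascript
// Added example: every name here is hypothetical, not taken from npm/cli.

// Only a provenance publish without explicit public access needs a lookup.
function needsVisibilityCheck({ provenance, access }) {
  return Boolean(provenance) && access !== 'public'
}

// Map the outcome of a visibility lookup to 'public' or 'private'.
// A 404 is treated as private: a registry that requires auth for this
// endpoint answers 404 when no auth is supplied.
function interpretVisibility(outcome) {
  if (outcome.error) {
    if (outcome.error.code === 'E404') return 'private'
    throw outcome.error // other failures (network, 5xx) are not swallowed
  }
  // Assumed body shape: { public: true | false }
  return outcome.body && outcome.body.public === true ? 'public' : 'private'
}

// fetchVisibility is an injected async function (assumption) that resolves
// to the response body or rejects with an error carrying a .code property.
async function checkProvenanceAllowed(opts, fetchVisibility) {
  if (!needsVisibilityCheck(opts)) return { checked: false, allowed: true }
  let outcome
  try {
    outcome = { body: await fetchVisibility(opts.name) }
  } catch (error) {
    outcome = { error }
  }
  if (interpretVisibility(outcome) !== 'public') {
    // Fail closed: do not attach provenance to a package that may be private.
    throw new Error(`${opts.name}: provenance requires --access public`)
  }
  return { checked: true, allowed: true }
}

// Constructed stub standing in for a registry that always answers 404.
const always404 = async () => {
  throw Object.assign(new Error('404 Not Found'), { code: 'E404' })
}
```

With `access: 'public'` the lookup is skipped entirely, so a registry that answers 404 no longer blocks a first publish; without it, the 404 is read as "private" and the publish is refused instead of failing on the raw HTTP error.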