Bug: semantic-release doesn't work with npm automation tokens.

[ryan-roemer]

We have 2fa for auth-and-writes and use an automation token for best practices. But semantic-release doesn't support this yet:

• Upstream issue: https://github.com/semantic-release/npm/issues/277
• Example failed publish build: https://github.com/FormidableLabs/dogs/runs/1289482234?check_suite_focus=true

Tasks

We've bandaided over this with lower npm privileges and different access tokens.

• [ ] Track https://github.com/semantic-release/npm/issues/277 and then update this project as follows:
• [ ] Replace NPM_TOKEN secret with 1password IC vault field GitHub Actions CI/CD Publish Token -- Automation (NPM_TOKEN). (We're currently using GitHub Actions CI/CD Publish Token -- Publish (NPM_TOKEN)
• [ ] In npm as superadmin (probably @ryan-roemer ) switch https://www.npmjs.com/package/@formidable/dogs/access from Two-factor authentication is not required to Require two-factor authentication or automation tokens.
• [ ] In npm account for dogs-ci, switch 2fa from auth only to auth and publishing.

[ryan-roemer]

Passes dry-run but fails with: https://github.com/FormidableLabs/dogs/runs/1289694860?check_suite_focus=true

[11:27:50 PM] [semantic-release] › ✖  An error occurred while running semantic-release: Error: Command failed with exit code 1: npm publish /home/runner/work/dogs/dogs --userconfig /tmp/b10c224299af95c3c26e706f8c3afb55/.npmrc --tag latest --registry https://registry.npmjs.org/
npm notice 
npm notice 📦  @formidable/dogs@1.1.0
npm notice === Tarball Contents === 
npm notice 1.1kB  LICENSE        
npm notice 13.8kB dist/index.js  
npm notice 1.1kB  package.json   
npm notice 3.3kB  README.md      
npm notice 194B   dist/index.d.ts
npm notice === Tarball Details === 
npm notice name:          @formidable/dogs                        
npm notice version:       1.1.0                                   
npm notice package size:  6.8 kB                                  
npm notice unpacked size: 19.4 kB                                 
npm notice shasum:        54444900442c750e2ea69c708ceb011904d68bab
npm notice integrity:     sha512-/U6uel7pod136[...]YWKwzfS4VMvQw==
npm notice total files:   5                                       
npm notice 
npm ERR! code EOTP
npm ERR! This operation requires a one-time password from your authenticator.
npm ERR! You can provide a one-time password by passing --otp=<code> to the command you ran.
npm ERR! If you already provided a one-time password then it is likely that you either typoed
npm ERR! it, or it timed out. Please try again.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2020-10-21T23_27_50_211Z-debug.log

[ryan-roemer]

Interesting:

$ NPM_TOKEN=<SNIPPED> npm publish

from my laptop does indeed fail even though it's auth-only account + token. Will investigate more and publish the failed publish from my laptop before doing another automation fix.

[ryan-roemer]

Ah -- it was a setting I did and forgot on the package itself to require 2fa!

Manually published @formidable/dogs@1.1.0 and existing publish token should now work for future commits. (We're still in bandaid mode, but our next GH action should actually publish...)

[robwalkerco]

Can confirm that the Publish ci action worked successfully - https://github.com/FormidableLabs/dogs/runs/4407344896?check_suite_focus=true

Version 1.2.0 on npm

[ryan-roemer]

Hi @robwalkerco -- I don't think this is actually implemented as we haven't enabled 2fa for this project in npm and we're using a normal publish token, not an npm "automation" token (which means we update our secrets).