publishing to npm fails after publishing to GPR

[getify]

I have a workflow like this that's supposed to publish to npm once I publish to GPR:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I have the npm_token secret added to this repository.

When I just published to GPR, it kicked off this workflow job, but it failed at the last step of publishing to npm. The error was from npm saying:

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

What does this error mean, and how do I fix it? I don't see anything about setting "basic realm" in the recipes for this setup-node action.

[damccorm]

One thing I notice off the bat is that your registry url is for npm (https://registry.npmjs.org/) not GitHub (https://npm.pkg.github.com) which means your auth will be set for npm as well. Could you try changing that and see if it fixes it?

[getify]

I am trying to publish from GPR to npm, that's why the URL and token are for npm.

[nkzawa]

I also had the same issue, and fixed by creating ~/.npmrc like:

- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_AUTH_TOKEN }}" > ~/.npmrc
- run: npm publish

[getify]

According to the examples provided for this repo for publishing to npm, presumably the with: registry_url: .. is supposed to be taking the place of a local npmrc, and I would also assume the NODE_AUTH_TOKEN environment variable is either something that this action uses or that the npm client itself uses.

The approach of echoing out an npmrc is not only hacky but also seems a bit dangerous given that we already have to have an npmrc in the repo to publish to GPR in the first place, which means effectively this echo is overwriting the file just before publish.

[damccorm]

Sorry, misunderstood - any chance you can share your package.json file? Also, are you able to publish to npm locally with that package.json file?

[getify]

Yes I have been publishing to npm directly (by just commenting out the line in my npmrc that directs the publish to GPR) each time that the github action has failed.

Here's the repo (with the package.json): https://github.com/getify/revocable-queue

[damccorm]

I think because this is a scoped package, adding the scope parameter should do the trick. So:

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
          scope: getify
      - run: npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

I'm not 100% sure how this will interact with a repo that has a .npmrc file already, but I think it should be fine

[getify]

I just made the change and bumped the version to 3.0.4 to retry... failed with the same error:

npm notice 4.7kB  test.js             
npm notice 853B   package.json        
npm notice 16.7kB README.md           
npm notice 109B   copyright-header.txt
npm notice 1.1kB  LICENSE.txt         
npm notice === Tarball Details === 
npm notice name:          @getify/revocable-queue                 
npm notice version:       3.0.4                                   
npm notice package size:  11.3 kB                                 
npm notice unpacked size: 33.9 kB                                 
npm notice shasum:        ea43f55fddddb1605129124fdba8b89bf4e1da15
npm notice integrity:     sha512-Jvgdlz8eA02eN[...]ThmfISW3BAXYA==
npm notice total files:   11                                      
npm notice 
npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2019-09-04T19_56_58_223Z-debug.log

I don't think I have access to that npm debug log, so I can't see anything about why the authentication is failing. :/

[getify]

@damccorm ping

[mpwis]

I have the same problem trying to publish a package to private gemfury - the secrets/NODE_AUTH_TOKEN environment variable is not working correctly. I suspect its being overwritten with XXXXX-XXXXX-XXXXX-XXXXX but its hard to debug

https://github.com/actions/setup-node/blob/master/src/authutil.ts

adding these run commands to publish-npm helps a little

• run: printenv
  • run: cat /home/runner/work/_temp/.npmrc

[getify]

@mpwis nice find!

BTW, specifically I think it's this line that could be the problem: https://github.com/actions/setup-node/blob/master/src/authutil.ts#L57

[getify]

This is a blocker for me to using Github Actions. I would really appreciate some more info on it.

[pqt]

Not sure that this adds much to the conversation but through the grapevine of (limit) google results and community searching, this has turned into a show-stopper for using Actions and GPR.

I'm getting the exact same errors as described above.

npm ERR! code E401
npm ERR! Unable to authenticate, need: Basic realm="GitHub Package Registry"

Repo in question is https://github.com/paquette/react-components

Using the CLI I can publish to GPR no problem, but the authentication fails with Actions -- even though the process is nearly identical and as far as I can tell it's hooked up as documentation suggests.

The failing PR (and their associated checks) can be found in this PR https://github.com/paquette/react-components/pull/7

[tjanson]

@pqt Just to be clear: You’re talking about publishing to GitHub Package Registry only (not the npmjs.org registry)? Because I’ve got that working from within GitHub Actions, with this .npmrc

registry=https://registry.npmjs.org/
@tjanson:registry=https://npm.pkg.github.com/
//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

In the workflow config, I don’t use any with: arguments for the Node setup (except node-version: '10.x'), and I set a personal access token (as secret) for the NODE_AUTH_TOKEN env var (I think the GITHUB_TOKEN would also work).

Is that what you’re trying to accomplish or am I totally misunderstanding you?

PS: That .npmrc is in the repo root, not at ~/.npmrc. Simply commited that file.

[pqt]

Nope you've got it correct @tjanson, the GITHUB_TOKEN doesn't seem to work, so I've cleared all reference to GPR publishing, and now going to be taking another stab at it with an NPM PAT.

Going to test what you've got though because it's already considerably more elegant than my 3 different locations of configurations.

Gotta sweet case of the GIT mondays going on. (Note the check failure 😂)

[getify]

Publishing to GPR from Actions (what @pqt seems to be doing) and publishing to NPM from Actions (which, in my case, is triggered after first publishing to GPR) are separate topics.

However, they both seem to have the same symptom, which is that the Action doesn't seem to apply the correct credentials for the publishing (from npm secrets), and/or Actions is not properly using the "registry" setting from the Action. In some cases you can "hack" around this problem by just forcing your own .npmrc, but that's both a hack and runs contrary to the published documentation for this Action, so it shouldn't be "the solution".

In my case, since my project already has a npmrc in it, to redirect the initial publish to GPR in the first place, I do not think it's a suitable solution to somehow hack or override that npmrc during the Action to then redirect to npm.

[pqt]

Yeah, I see the difference now that you mention that @getify.

To clarify, my current situation is just trying to publish to GPR at all, which has proven to be unsuccessful out of the gates. I'll stay subscribed to the thread but our approaches seem to be different enough that it might warrant a separate issue entirely.

[negebauer]

@getify even in you're running setup-node pointing to the npm registry you still have a .npmrc file in you repo, which point to GPR. This might explain why it's failing with an error about GPR auth, even though you're trying to publish to NPM. Can you try deleting the local .npmrc?

name: Publish to npm
on: registry_package
jobs:
  publish-npm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-node@v1
        with:
          node-version: 12
          registry-url: https://registry.npmjs.org/
          scope: getify
      - run: rm .npmrc && npm install && npm publish
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

[getify]

As I said up-thread, overwriting (or, as you suggest, deleting) the .npmrc that's in the package is an ugly hack that I don't accept as a proper solution. I am expecting that setup-node figure out how to override my local .npmrc with the .npmrc they're generating, or otherwise redirect the npm publish command to force it to use the generated .npmrc, perhaps in the form of some parameter passed to the npm commands or something like that.

GPR requires you to have a .npmrc so that you can publish to GPR using the npm CLI tool. That's the only reason I have a .npmrc in the first place. Since I'm supposed to be able to publish from my command line to GPR, and then have that trigger Actions to publish to npm for me -- the main and indeed only use-case I have for Actions right now -- there needs to be a proper fix for how this setup-node handles the .npmrc files. I shouldn't have to "work around it"; this is supposed to be a first-class supported use-case.

[getify]

Perhaps setup-node should not be relying on an npmrc for this config, and should instead inject the --registry=.. parameter (along with a shell reference to the NODE_AUTH_TOKEN env variable) into my npm install command?

[domoritz]

I have a similar issue.

My action looks something like this:

name: Release

on:
  release:
    types: [published]

jobs:
  release:
    runs-on: ubuntu-latest

    name: Release

    steps:
      - uses: actions/checkout@master
        with:
          fetch-depth: 1

      - name: Install Node dependencies
        run: yarn --frozen-lockfile

      - name: Build
        run: yarn build

      - name: Publish to NPM registry
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

I am getting this error

npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://registry.npmjs.org/vega-lite - You must be logged in to publish packages.

More details: https://github.com/vega/vega-lite/runs/238298497

[getify]

This npm parameter can force the CLI tool to use a specific .npmrc file, so I think that's the best fix here:

https://docs.npmjs.com/misc/config#userconfig

The sticky part is, I could do that manually in my npm publish command, but then I'm hard-coding a specific path that I don't control (decided by this setup-node script), which means if this script sometime later decides to put the .npmrc in a different location, my builds start breaking.

So perhaps setup-node could create a .npmrc file in a location, and export whatever path that is as another environment variable, like NPMRC_PATH, and then my script could say:

npm --userconfig='$NPMRC_PATH' publish

I think that would fix the issue here in the most reasonable way.

[getify]

Just an update, I have tried manually adding the --userconfig="/home/runner/work/_temp/.npmrc" flag onto my npm publish command, but it still failed. In some local testing, I'm believe I've concluded that the npm client doesn't actually respect this flag like it should. :/

I will probably report this is as a bug to npm.

Edit: I'm not positive this is a bug. It might be that npm is indeed using the specified npmrc (the one generated by setup-node) but ALSO using what it finds in my local .npmrc, which sets the @getify namespace to the GPR registry URL.

So if that's true, this may either be an issue where the generated .npmrc needs to include my namespace override to point to npm's URL... or it may be that there's a precedence issue, where npm is using the local npmrc in preference over configs it finds elsewhere. If the latter is true, this might not be a fixable problem after all. :/

Edit 2: I am sure now that npm is in fact using the file that I'm specifying with --userconfig=... So that's good. But the bad news is, npm seems to still use the local .npmrc, and worse it seems to use that one last, after the specified one, so the local setting is still winning, causing the error. I don't see any way to get around this using an .npmrc. :/

Edit 3: For clarification, I am 99% sure where the authentication error is coming from now. It's because my local .npmrc says: @getify:registry=https://npm.pkg.github.com/, which is required to redirect the npm client to publish to GPR. When the action tries to run npm publish, it's seeing that from the local .npmrc which means the action is trying to publish back to GPR instead of to npm, but it's trying to use the npm auth-token. Thus, the auth failure.

I can't figure out how to get the action to override the @getify:.. setting to point it at npm instead of GPR. :/

[getify]

OK, I think I have finally cracked this problem.

I updated my workflow action YAML to have this npm-publish:

npm publish --@getify:registry=https://registry.npmjs.org/

That flag has the effect of overriding what's in the local .npmrc that redirected the original publish to GPR, so that actions can now publish to regular npm.

[bryanmacfarlane]

@getify - following up here. I'm glad you found a solution to your problem. Do you believe there's any action item for the setup-node action? Either a change or docs? Thanks!

[domoritz]

It would be great if publishing worked in a minimal example such as https://github.com/actions/setup-node/issues/52#issuecomment-535784556.

[phillmac]

Registry url seems to be ignored here https://github.com/phillmac/orbit-db-managers/blob/a50a35fca7b0d1b79871428b39deb8ecb1293edf/.github/workflows/npmpublish.yml#L40 even without a .npmrc present in the repo. It results in a n error in the GPR publish: npm ERR! 401 Unauthorized - PUT https://registry.npmjs.org/orbit-db-managers - You must be logged in to publish packages. Any solution to this?

[bryanmacfarlane]

@phillmac - can create a separate issue for your failure. I think I may know it is and looks to be different than the issue from @getify - I'll follow up on that issue

[affrae]

Hi all - here is a workflow that publishes to both NPMJS and GPR, without needing .npmrc workarounds:

Just replace <@OWNER> with appropriate scope (eg for me it would be @affrae), and use your version of npm_token

Is working at https://github.com/affrae/fib-tools

name: Publish to NPMJS and GPR

on:
  push:
    branches:
      - master

jobs:
  publish-to-npm-and-gpr:
    runs-on: ubuntu-latest
    steps:

      # Checkout the repo
      - uses: actions/checkout@master

      # Update package version and set up git
      - uses: actions/setup-node@master
      - name: Update package version and setup git
        run: |
          git config user.name "Actions User"
          git config user.email noreply@github.com
          npm version 1.0.$(date +%s)

      # Publish to NPMJS
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: 'https://registry.npmjs.org/'
      - name: Publish to NPMJS
        run: |
          npm config set //registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN
          npm config set scope "<@OWNER>"
          npm config list
          npm publish --access public 
        env:
          CI: true
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}

      # Publish to GitHub Package Registry
      - uses: actions/setup-node@master
        with:
          node-version: 12
          registry-url: https://npm.pkg.github.com/
          scope: '<@OWNER>'
      - name: Publish to GitHub Package Registry
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{github.token}}

[getify]

FWIW, this issue is not about "publishing to both npm and GPR". It's about publishing to npm after publishing to GPR, which in the case of having a .nmprc file, AND the npm package being scoped the same as the GPR package, presents this specific problem I was having.

Unclear if others will ever be in exactly that specific scenario.

[affrae]

I understand - but what if you try my Publish to NPMJS step, using the npm config commands and and env I used? I had problems publishing to npm as well until I used those. I would hope that the config commands would override those in the .npmrc file and I had not seen anyone mention npm config until now.

[getify]

I didn't try npm config commands -- interesting idea -- but I did essentially configure npm via command-line flags, as mentioned in this comment: https://github.com/actions/setup-node/issues/52#issuecomment-536544414

[cjonasw]

Not sure if this helps, I was also running into this... I was just missing the @org-name from the name. Also, the publishConfig is the alternative to using the .npmrc; which I understand you don't want to do.

So your package.json would look like this:

  "name": "@org-name/package-name",
  "version": "1.0.0",
  "publishConfig": {
    "registry": "https://npm.pkg.github.com/"
  },
  "repository": {
    "type": "git",
    "url": "git://github.com/org-name/repository-name.git"
  }
}

https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#configuring-a-package-scope-using-a-local-npmrc

Only add repository if I want to have the package name to be different from repo.

Hope that helps.

[easa]

Hi All, I have another solution. Only the package.json registry would work, and the bash registry setting doesn't work on GPR publishing! So I copied the registry on package.json right before publishing! May you look at this gist please! 🙃

[getify]

I doubt others will be in such a specific situation as I was, especially given now that github owns npm and will probably more closely integrate the two. I expect eventually this is a non-issue. Closing for now.

[sriharikapu]

I found the solution for this @getify You basically need to publish your package as private

[lsandini]

FWIW, this issue is not about "publishing to both npm and GPR". It's about publishing to npm after publishing to GPR, which in the case of having a .nmprc file, AND the npm package being scoped the same as the GPR package, presents this specific problem I was having.

Unclear if others will ever be in exactly that specific scenario.

I am in a very similar scenario. I have been publishing my private package to GPR and now I am taking it public to npm. I have .npmrc in my repo. All attempts to publish to npm after GPR have failed, although I specify my scope, the correct registry, etc... Puzzling.

[lsandini]

I am really not a pro, but it seems you are trying to publish to github packages, and in your .npmrc you have :

registry=https://registry.npmjs.org/
...

Could this be the problem ?