marc0olo
commented
2 years ago @davidyuk @thepiwo @kenodressel any idea how to solve that?
Closed dincho closed 2 years ago
marc0olo
commented
2 years ago @davidyuk @thepiwo @kenodressel any idea how to solve that?
davidyuk
commented
2 years ago Have you checked is secrets.NPM_TOKEN available in publish workflow? Can GitHub handle it as unsave run (not from a protected branch?) and don't provide secrets?
dincho
commented
2 years ago I suspect 5460dbdbe2fb2358a2e85ffe9a1de4a7d647a982
dincho
commented
2 years ago Have you checked is
secrets.NPM_TOKENavailable in publish workflow? Can GitHub handle it as unsave run (not from a protected branch?) and don't provide secrets?
I can't find clear docs on the subject, but as I understand anyone with write access (as action actor) can read the repo secrets. That also excludes forked PRs
https://github.com/aeternity/aepp-calldata-js/runs/7994961473?check_suite_focus=true#step:6:119
I'm not really sure what's changed since 1.1.1 release which was successful run.
The NPM token used in https://github.com/aeternity/aepp-calldata-js/blob/master/.github/workflows/publish.yml#L19 have been updated to make sure there is no something wrong with it. It's a personal token of my account not org (yeah .. NPM sux) with type set to "Automation" which should bypass 2FA.
My account can publish the package locally.
It's set as GH Actions secret in this repo settings.