Skip to content

Remove NODE_AUTH_TOKEN #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dcramer merged 1 commit into from
Jan 31, 2026
Merged

Remove NODE_AUTH_TOKEN #64

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,7 @@
- run: pnpm build:action

- name: Publish to npm
run: npm publish --provenance --access public

Check failure on line 33 in .github/workflows/release.yml

View check run for this annotation

@sentry/warden / warden: notseer

npm publish will fail without NODE_AUTH_TOKEN authentication 

Removing NODE_AUTH_TOKEN env var breaks npm authentication. The `actions/setup-node` with `registry-url` creates an .npmrc expecting NODE_AUTH_TOKEN for auth. The `--provenance` flag adds provenance attestation but does NOT replace authentication - it's supplementary. This will cause `npm publish` to fail with 401 Unauthorized.
Copy link
Contributor

@sentry-warden sentry-warden bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 npm publish will fail without NODE_AUTH_TOKEN authentication (high confidence)

Removing NODE_AUTH_TOKEN env var breaks npm authentication. The actions/setup-node with registry-url creates an .npmrc expecting NODE_AUTH_TOKEN for auth. The --provenance flag adds provenance attestation but does NOT replace authentication - it's supplementary. This will cause npm publish to fail with 401 Unauthorized.

Suggested fix: Restore the NODE_AUTH_TOKEN environment variable for the npm publish step

Suggested change
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

warden: notseer

Copy link
Member Author

@dcramer dcramer Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idk the robot said to try it

env:
Copy link

@cursor cursor bot Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing npm authentication token breaks package publishing

High Severity

The NODE_AUTH_TOKEN environment variable was removed from the npm publish step. When actions/setup-node is configured with registry-url, it creates an .npmrc that expects authentication via NODE_AUTH_TOKEN. Without this environment variable, npm publish will fail with an authentication error because npm cannot authenticate with the registry.

Fix in Cursor Fix in Web

NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Get version info
id: version
Expand Down
Loading