diff --git a/.github/actions/npm-publish/action.yml b/.github/actions/npm-publish/action.yml index 57679d5c3..d50308bfa 100644 --- a/.github/actions/npm-publish/action.yml +++ b/.github/actions/npm-publish/action.yml @@ -1,15 +1,21 @@ name: Publish release to npm +description: Publishes a package to npm registry with authentication and verification inputs: node-version: + description: Node.js version to use required: true npm-token: + description: NPM authentication token required: true version: + description: Version to publish required: true require-build: - default: true + description: Whether to run build step + default: 'true' release-directory: + description: Directory containing package to publish default: './' runs: @@ -35,10 +41,33 @@ runs: shell: bash run: npm run build + - name: Verify npm authentication + shell: bash + run: | + echo "Verifying npm authentication..." + echo "npm version: $(npm --version)" + echo "node version: $(node --version)" + echo "npm config list:" + npm config list + echo "Checking authentication:" + npm whoami + echo "npm registry: $(npm config get registry)" + echo "Checking user permissions for auth0 package..." + npm access list packages --json || echo "Could not list packages" + echo "Checking package collaborators..." + npm owner ls auth0 || echo "Could not list owners" + echo "Checking npm token..." + npm token list || echo "Could not list tokens" + echo "Testing npm publish dry run..." + npm publish --dry-run || echo "Dry run failed" + env: + NODE_AUTH_TOKEN: ${{ inputs.npm-token }} + - name: Publish release to NPM shell: bash working-directory: ${{ inputs.release-directory }} run: | + # Determine the appropriate tag if [[ "${VERSION}" == *"beta"* ]]; then TAG="beta" elif [[ "${VERSION}" == *"alpha"* ]]; then 
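Review bot: The new `Verify npm authentication` step runs `npm token list`, `npm access list packages --json` and `npm owner ls auth0` with the publish token, which writes account, token and maintainer details into the job log on every release. None of them can affect the outcome, because each is followed by `|| echo …`; only `npm whoami` can fail the step, so I would reduce the script to `npm whoami` and drop the listing commands. The step also lacks `working-directory: ${{ inputs.release-directory }}`, so `npm publish --dry-run` checks the default directory rather than the package the next step publishes, and its failure is swallowed by `|| echo "Dry run failed"`. The `Publish release to NPM` script that follows continues past the end of this hunk.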
@@ -46,7 +75,22 @@ runs: else TAG="latest" fi - npm publish --provenance --tag $TAG + + echo "Publishing package auth0@${VERSION} with tag ${TAG}..." + echo "Package details:" + echo "Name: $(grep '"name"' package.json | cut -d'"' -f4)" + echo "Version: $(grep '"version"' package.json | cut -d'"' -f4)" + echo "Repository: $(grep -A2 '"repository"' package.json | grep '"url"' | cut -d'"' -f4)" + + echo "Final authentication check before publish:" + npm whoami + + echo "Running npm publish..." + set -e # Exit on any error + npm publish --provenance --tag $TAG --verbose + + echo "✅ Package published successfully!" + echo "Package URL: https://www.npmjs.com/package/auth0/v/${VERSION}" env: NODE_AUTH_TOKEN: ${{ inputs.npm-token }} VERSION: ${{ inputs.version }} diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml index 21a57c446..6e79769b8 100644 --- a/.github/workflows/npm-release.yml +++ b/.github/workflows/npm-release.yml @@ -26,6 +26,9 @@ jobs: if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest environment: release + permissions: + contents: read + id-token: write # For publishing to npm using --provenance steps: # Checkout the code diff --git a/.github/workflows/test-npm-auth.yml b/.github/workflows/test-npm-auth.yml new file mode 100644 index 000000000..156d026dc --- /dev/null +++ b/.github/workflows/test-npm-auth.yml 
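Review bot: In the second `action.yml` hunk, `set -e # Exit on any error` comes after the `grep` pipelines and the extra `npm whoami`, so it guards only the publish line. As far as I know GitHub already runs `shell: bash` steps with `-eo pipefail`, so it can be dropped or moved to the top of the script. `$TAG` is still unquoted on the rewritten publish line; `npm publish --provenance --tag "$TAG" --verbose` avoids word splitting if the tag logic ever changes. The log messages hard-code `auth0` while the name is read from `package.json` two lines earlier, which deserves a comment such as `# package name is fixed to auth0 in this repo`. The `if`/`elif` that sets TAG starts in the previous hunk.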
@@ -0,0 +1,80 @@ +name: Test NPM Authentication + +on: + workflow_dispatch: + push: + branches-ignore: + - master + +permissions: + contents: read + id-token: write + +jobs: + test-npm-auth: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: '18' + registry-url: 'https://registry.npmjs.org' + + - name: Test npm authentication + run: | + echo "Testing npm authentication..." + echo "Registry: $(npm config get registry)" + echo "Auth token configured: $(if [ -n "$NODE_AUTH_TOKEN" ]; then echo "Yes"; else echo "No"; fi)" + echo "Token length: ${#NODE_AUTH_TOKEN}" + echo "Token prefix: ${NODE_AUTH_TOKEN:0:8}..." + echo "" + echo "Checking .npmrc file:" + cat ~/.npmrc || echo "No .npmrc found in home directory" + echo "" + echo "Checking working directory .npmrc:" + cat .npmrc || echo "No .npmrc found in working directory" + echo "" + echo "NPM config list:" + npm config list + echo "" + echo "Attempting npm whoami (this may fail):" + npm whoami || echo "npm whoami failed - this confirms authentication issue" + echo "" + echo "Exit code from npm whoami: $?" + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Test package access + run: | + echo "Checking package information (without auth)..." + npm view auth0 version || echo "Could not view auth0 package" + echo "" + echo "Attempting to list packages (requires auth):" + npm access list packages --json || echo "Could not list packages - confirms auth issue" + echo "" + echo "Attempting to check auth0 package ownership:" + npm owner ls auth0 || echo "Could not list owners - may require auth" + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Debug token type + run: | + echo "🔍 DEBUGGING NPM TOKEN ISSUE" + echo "================================" + echo "" + echo "❌ The 401 Unauthorized error indicates:" + echo " 1. Token is invalid/expired" + echo " 2. 
Token is read-only (common cause)" + echo " 3. Token format is incorrect" + echo "" + echo "🔧 NEXT STEPS:" + echo " 1. Go to https://www.npmjs.com/settings/tokens" + echo " 2. Check if your token shows 'Read-only'" + echo " 3. If yes, create new 'Automation' token" + echo " 4. Update GitHub secret NPM_TOKEN" + echo "" + echo "💡 Token should be 'Automation' type for CI/CD publishing" + continue-on-error: true
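Review bot: `echo "Token length: ${#NODE_AUTH_TOKEN}"` and `echo "Token prefix: ${NODE_AUTH_TOKEN:0:8}..."` in the `Test npm authentication` step write part of `secrets.NPM_TOKEN` to the job log, and log masking is unlikely to catch an 8-character slice since it matches the full secret value. Both lines should be removed; the `Auth token configured: Yes/No` line already answers whether the secret is set. The workflow also runs on every push to any branch except `master` with that token and `id-token: write`, without the `environment: release` gate the release job uses, so for a diagnostic I would keep only `workflow_dispatch:` under `on:` and drop `id-token: write`. `echo "Exit code from npm whoami: $?"` reports the status of the preceding `echo ""`, not of `npm whoami`.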