401 when publishing to npm

[thekevinscott]

Description:
pnpm publish fails with a 401.

Action version:
actions/setup-node@v4

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:
Node: 16.x
PNPM: 8

Repro steps:
I have a shared workflow https://github.com/thekevinscott/Autogrammer/blob/main/.github/workflows/js-shared-publish.yaml that is failing with 401. The workflow is:

on:
  workflow_call:
    inputs:
      package:
        required: true
        description: "Path to package"
        type: string

jobs:
  publish:
    runs-on: "ubuntu-latest"

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '16.x'
          registry-url: 'https://registry.npmjs.org'

      - name: Cat .npmrc
        run: |
          cat $NPM_CONFIG_USERCONFIG

      - uses: pnpm/action-setup@v3
        name: Install pnpm
        with:
          version: 8
          run_install: false

      - name: Get pnpm store directory
        
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV

      - uses: actions/cache@v4
        name: Setup pnpm cache
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-

      - name: Install dependencies
        working-directory: ${{ inputs.package }}
        run: pnpm install

      - name: Build package
        working-directory: ${{ inputs.package }}
        run: pnpm build

      - name: 'Check build output'
        working-directory: ${{ inputs.package }}
        run: 'pnpm build:check'

      - run: pnpm publish --no-git-checks --provenance --access public
        working-directory: ${{ inputs.package }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

permissions:
  id-token: write

This is an example of an executed action. The error reports:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2024-05-07T13_20_44_932Z-debug-0.log
Error: Process completed with exit code 1.

When I cat $NPM_CONFIG_USERCONFIG, I see:

//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
registry=https://registry.npmjs.org/
always-auth=false

Whereas in the docs, it's indicated that always-auth is supposed to be true.

Could that be the source of the troubles? Or could it be related to the usage of a shared workflow?

Expected behavior:
I'd like to be able to publish.

Actual behavior:
Publish reports 401.

[aparnajyothi-y]

Hello @thekevinscott, Thank you for creating this issue and we will look into it :)

[thekevinscott]

This is user error, and it's related to using a shared workflow.

For anyone else who runs into this, the issue is that the caller workflow needs to explicitly mark secrets to inherit. So for example:

name: Publish package

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    uses: ./.github/workflows/js-shared-publish.yaml
    with:
      package: "./packages/my-package"
    secrets: inherit # <--- ensure this line is present

Without that, the NPM_TOKEN secret is not present in the shared workflow and publish fails.

I looked into .npmrc, and it doesn't seem to matter whether always-auth=false is true or false. It seems to default to false, which works, although the docs do say it should be true.