Skip to content

JavaScript: Remove registry-url to allow trusted publishing to NPM#1647

Merged
marcoroth merged 1 commit into
mainfrom
registry-url
Apr 18, 2026
Merged

JavaScript: Remove registry-url to allow trusted publishing to NPM#1647
marcoroth merged 1 commit into
mainfrom
registry-url

Conversation

@marcoroth

@marcoroth marcoroth commented Apr 18, 2026

Copy link
Copy Markdown
Owner

The publish job used actions/setup-node with registry-url, which automatically sets NODE_AUTH_TOKEN to the GitHub token. npm then tried to authenticate with that GitHub token against the npm registry, which npm doesn't recognize, resulting in a 404.

The OIDC provenance signing worked fine (it uses a separate code path), but the actual publish authentication never fell through to the OIDC trusted publishing flow because NODE_AUTH_TOKEN was already set.

Removing registry-url should prevent setup-node from creating the .npmrc and setting NODE_AUTH_TOKEN, so npm defaults to its OIDC-based authentication when --provenance is used with id-token: write.

@marcoroth marcoroth added this to the v1.0.0 milestone Apr 18, 2026
@marcoroth marcoroth merged commit 9ed7acd into main Apr 18, 2026
15 checks passed
@marcoroth marcoroth deleted the registry-url branch April 18, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant