Using auto shipit without npmtoken but with npm trusted publishing activated
Hi, this morning I received an email from npmjs.org indicating that I need to switch immediately from legacy access tokens to granular access tokens or even better to use npm trusted publishing between github and npm via oidc.
In npm I created a trusted publisher for my github project and hence removed the npmtoken from my github actions release workflow. After doing that my release fails with the following error message:
error Error: Failed to replace env in config: ${NPM_TOKEN}
    at /usr/local/lib/node_modules/yarn/lib/cli.js:95453:13
    at String.replace (<anonymous>)
    at envReplace (/usr/local/lib/node_modules/yarn/lib/cli.js:95448:16)
    at Function.normalizeConfig (/usr/local/lib/node_modules/yarn/lib/cli.js:31940:69)
    at NpmRegistry.<anonymous> (/usr/local/lib/node_modules/yarn/lib/cli.js:31970:34)
    at Generator.next (<anonymous>)
    at step (/usr/local/lib/node_modules/yarn/lib/cli.js:310:30)
    at /usr/local/lib/node_modules/yarn/lib/cli.js:321:13
As I'm using npx auto shipit --base-branch=main to ship my code to npm I suppose this error has something to do with auto not supporting npm trusted publishing at the moment.
Or am I completely wrong and I've just not configured the whole thing properly?
I'm really looking forward to any info and advice on this matter.
Thank you in advance,
Stefan
As I'm using npx auto shipit --base-branch=main to ship my code to npm I suppose this error has something to do with auto not supporting npm trusted publishing at the moment. Or am I completely wrong and I've just not configured the whole thing properly?
We are using npm trusted publishing in this repo that uses auto without issue. If you're in a monorepo you must use Lerna v9 as earlier versions don't support trusted publishing.
Looking at your error stack trace it appears to be coming from yarn.
error Error: Failed to replace env in config: ${NPM_TOKEN}
    at /usr/local/lib/node_modules/yarn/lib/cli.js:95453:13
    at String.replace (<anonymous>)
    at envReplace (/usr/local/lib/node_modules/yarn/lib/cli.js:95448:16)
    at Function.normalizeConfig (/usr/local/lib/node_modules/yarn/lib/cli.js:31940:69)
    at NpmRegistry.<anonymous> (/usr/local/lib/node_modules/yarn/lib/cli.js:31970:34)
    at Generator.next (<anonymous>)
    at step (/usr/local/lib/node_modules/yarn/lib/cli.js:310:30)
    at /usr/local/lib/node_modules/yarn/lib/cli.js:321:13
Yarn v1 doesn't support trusted publishing. Yarn berry requires a recent release to support trusted publishing.
Would probably need more info on your setup to help you further.
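
Added example, not part of the original thread and not code from auto or Yarn: a pre-flight step for the release job that reports the two conditions discussed above, a ${VAR} placeholder in an npmrc file whose variable is no longer set in the environment (the case in which Yarn v1's envReplace raises "Failed to replace env in config") and a Yarn v1 binary on the PATH. The function names, and the assumption that the ${NPM_TOKEN} reference lives in an npmrc file such as the project's .npmrc, are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check to run before the publish step once the
# NPM_TOKEN secret has been removed in favour of trusted publishing (OIDC).

# Print the name of every ${VAR} placeholder in an npmrc-style file ($1)
# whose variable is not set in the environment, one name per line.
unset_placeholders() {
    [ -r "$1" ] || return 0
    # Drop comment lines (# or ;), then pull out each ${NAME} placeholder.
    grep -v '^[[:space:]]*[#;]' "$1" \
        | grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' \
        | sed 's/^\${//; s/}$//' \
        | sort -u \
        | while read -r name; do
              # name matches [A-Za-z_][A-Za-z0-9_]* only, so eval is safe here.
              # A variable that is set but empty counts as set.
              eval "is_set=\${$name+set}"
              [ "$is_set" = "set" ] || printf '%s\n' "$name"
          done
}

# Succeed when the version string ($1, as printed by `yarn --version`)
# belongs to Yarn v1, which the reply says cannot do trusted publishing.
is_yarn_classic() {
    case "$1" in
        1.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check every npmrc path given as an argument plus the installed yarn.
# Returns non-zero if anything would block a token-less publish.
preflight() {
    status=0
    for f in "$@"; do
        for v in $(unset_placeholders "$f"); do
            echo "FAIL: $f references \${$v} but $v is not set" >&2
            status=1
        done
    done
    if command -v yarn >/dev/null 2>&1 \
        && is_yarn_classic "$(yarn --version 2>/dev/null)"; then
        echo "FAIL: yarn on PATH is v1 (no trusted publishing)" >&2
        status=1
    fi
    return "$status"
}

# Usage in the workflow (paths are assumptions): preflight .npmrc "$HOME/.npmrc" || exit 1
```

A reported placeholder is fixed by deleting the stale auth line from the npmrc file rather than by restoring the token.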