ci(release): pin npm registry and drop stale version lifecycle scripts#1792
Merged
Conversation
The `postversion` script (`git push && git push --tags && npm publish`) is a relic of the pre-semantic-release manual flow. Under semantic-release, `@semantic-release/npm`'s prepare step runs `npm version`, which fires the `preversion`/`version`/`postversion` lifecycle scripts and triggers a rogue `npm publish`. Under Yarn 1 that publish inherits `npm_config_registry=https://registry.yarnpkg.com` and fails with ENEEDAUTH. Remove the three version lifecycle scripts (semantic-release owns versioning, tagging and publishing now) and add a root `.npmrc` pinning the registry to https://registry.npmjs.org so any `npm publish` targets the public registry regardless of Yarn's injected env.
Contributor
|
Size Change: 0 B Total Size: 536 kB ℹ️ View Unchanged
|
|
🎉 This PR is included in version 8.61.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes the
release-v8semantic-release run that fails during@semantic-release/npm's prepare step withnpm error need auth ... https://registry.yarnpkg.com(ENEEDAUTH).Root cause
@semantic-release/npm's prepare step runsnpm version <next>to stamp the version intopackage.json.npm versionfires the npm lifecycle scripts, andrelease-v8still carries the pre-semantic-release manual-release scripts:So
postversionruns a barenpm publishin the middle of semantic-release's prepare. Under Yarn 1 (whichrelease-v8uses) that publish inheritsnpm_config_registry=https://registry.yarnpkg.com(Yarn 1 injects it into every subprocess), so it targets the Yarn mirror, where the auth semantic-release set up does not apply, and dies withENEEDAUTH.masterdoes not hit this: it has noversion/postversionscripts, and Yarn Berry does not injectnpm_config_registry, sonpm publishuses the defaultregistry.npmjs.org.Changes
preversion/version/postversionscripts frompackage.json. semantic-release owns versioning, tagging, and publishing now (@semantic-release/npm+@semantic-release/git); these scripts are dead relics that only fire a rogue publish. They are not used byinitiate_release.ymleither (that flow usesnpm run changelog, notnpm version)..npmrcpinningregistry=https://registry.npmjs.org/. Yarn 1 reads this and propagates it to subprocesses, so anynpm publishtargets the public registry regardless of Yarn's injected env. This is the registry override; it only affects resolution, not the lockfile (existingresolvedURLs inyarn.lockare honored by--frozen-lockfile).With
postversiongone, semantic-release's own publish (which already passed OIDC token exchange against the npm registry inverifyConditions) is the only publish, and it targetsregistry.npmjs.orgcorrectly.Heads up: partial state on release-v8 from the failed run
The failed run got far enough that
@semantic-release/git's prepare committedchore(release): 8.61.0 [skip ci](a CHANGELOG.md entry) torelease-v8before the npm prepare crashed. But:v8.61.0git tag was pushed, and8.61.0was never published to npm.So
8.61.0is still "unreleased" as far as semantic-release is concerned, and the next run will target8.61.0again. Because the CHANGELOG already contains an8.61.0section, the next run's@semantic-release/changelogwill prepend a second8.61.0block. It is cosmetic and does not block the release, but if you want a clean changelog, revert thechore(release): 8.61.0commit (or drop that section) before re-running. Happy to do that in a follow-up if you want.After merge
Re-dispatch the
Releaseworkflow fromrelease-v8(a dry run first is a good check).