Skip to content

fix(ci): scope GPR registry to @lottiefiles for publish only#836

Merged
theashraf merged 1 commit into
mainfrom
fix/ci-gpr-release-registry
May 4, 2026
Merged

fix(ci): scope GPR registry to @lottiefiles for publish only#836
theashraf merged 1 commit into
mainfrom
fix/ci-gpr-release-registry

Conversation

@theashraf

@theashraf theashraf commented May 4, 2026

Copy link
Copy Markdown
Member

Description

The gpr-release job in .github/workflows/release.yml set registry-url: https://npm.pkg.github.com/ on actions/setup-node without a scope input. With no scope, actions/setup-node writes a global registry=... line to ~/.npmrc, which routes every pnpm install package fetch through GitHub Packages — including third-party deps and internal @lottiefiles/* dev dependencies that only live on npmjs.

That caused the most recent release to fail at install:

ERR_PNPM_FETCH_404  GET https://npm.pkg.github.com/@lottiefiles/commitlint-config/-/commitlint-config-2.0.0.tgz: Not Found - 404

Failing run: https://github.com/LottieFiles/dotlottie-web/actions/runs/25301433588/job/74169461287

Why it didn't fail until now

The misconfig has been latent for weeks, masked by actions/setup-node's cache: pnpm store hits:

Run Output
2026-04-14 ✓ resolved 1396, reused 1392, downloaded 0, added 1396 (cache hit, no real fetch)
2026-05-04 ✗ resolved 1400, reused 0, downloaded 125, added 125 (cache miss → real fetch → 404)

Recent dependency bumps (Svelte 5 #722, tsdown #832, Svelte deps #834, Dependabot consolidation #830) changed pnpm-lock.yaml, invalidating the lockfile-keyed pnpm store cache. With no cache hit, pnpm had to actually fetch from the registry — surfacing the bug.

Fix

Install from npmjs (the default), then append the GPR scope mapping to .npmrc only before changeset publish runs:

  • Third-party + dev deps resolve from npmjs as expected.
  • @lottiefiles scoped publishes still go to GitHub Packages, authenticated via GITHUB_TOKEN.
  • The token is passed through env: rather than being expanded directly into the shell command body, keeping secrets out of the script source.

Verification

Verified end-to-end on a temporary workflow run against this branch (workflow file dropped before merge):

Check Output Conclusion
pnpm install (cold cache) resolved 1400, reused 0, downloaded 1394, added 1400, done Full cold-cache install of all 1400 packages with no 404 — same conditions that broke run 25301433588.
npm whoami --registry=https://npm.pkg.github.com/ github-actions[bot] GPR auth via the appended .npmrc works.

Package(s) affected

  • @lottiefiles/dotlottie-web (core)
  • @lottiefiles/dotlottie-react
  • @lottiefiles/dotlottie-vue
  • @lottiefiles/dotlottie-svelte
  • @lottiefiles/dotlottie-solid
  • @lottiefiles/dotlottie-wc

(CI-only change — no published package contents change.)

Type of change

  • Bug fix (non-breaking)
  • New feature (non-breaking)
  • Breaking change
  • Chore (build, CI, docs, refactor)

Checklist

  • Changes have been tested locally
  • Tests have been added or updated
  • Changeset has been added (if applicable)

Follow-up

After this lands on main, re-running the gpr-release job for failed run 25301433588 will pick up the fixed workflow from main and complete the GPR publish for the version that already shipped to npm.

@changeset-bot

changeset-bot Bot commented May 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: a88e5d9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
@lottiefiles/dotlottie-web 26.91 KB (0%) 539 ms (0%) 10 ms (+101.94% 🔺) 548 ms
@lottiefiles/dotlottie-web WASM 484.83 KB (0%) 9.7 s (0%) 0 ms (+100% 🔺) 9.7 s
@lottiefiles/dotlottie-react 28.24 KB (0%) 565 ms (0%) 6 ms (-57.6% 🔽) 571 ms
@lottiefiles/dotlottie-vue 35.31 KB (0%) 707 ms (0%) 10 ms (+24.26% 🔺) 716 ms
@lottiefiles/dotlottie-wc 32.85 KB (0%) 657 ms (0%) 19 ms (+10.73% 🔺) 676 ms
@lottiefiles/dotlottie-svelte 40.85 KB (0%) 817 ms (0%) 9 ms (+31.99% 🔺) 826 ms
@lottiefiles/dotlottie-solid 33.63 KB (0%) 673 ms (0%) 5 ms (+22.1% 🔺) 677 ms

The gpr-release job set `registry-url: https://npm.pkg.github.com/` on
actions/setup-node without a `scope`, which writes a global
`registry=...` to ~/.npmrc. That routed every `pnpm install` package
fetch through GitHub Packages, including third-party deps and internal
@LottieFiles dev deps that only live on npmjs (e.g.
@lottiefiles/commitlint-config@2.0.0), producing 404s.

The misconfig was masked for weeks by setup-node's `cache: pnpm` store
hits — the recent dependency bumps (Svelte 5, tsdown, etc.) invalidated
the lockfile-keyed cache, forcing real fetches and surfacing the bug.

Install from npmjs (the default), then append the GPR scope mapping
to `.npmrc` only before `changeset publish` runs. Keeps third-party
resolution on npmjs while still authenticating @LottieFiles publishes
to GitHub Packages. Pass the token through `env` to avoid expanding
secrets directly into the shell command body.

Verified end-to-end on a temporary workflow against this branch:
fresh cold-cache `pnpm install` resolved all 1400 packages with no
404, and `npm whoami --registry=https://npm.pkg.github.com/`
returned `github-actions[bot]`.
@theashraf theashraf force-pushed the fix/ci-gpr-release-registry branch from 7888949 to a88e5d9 Compare May 4, 2026 05:12
@theashraf theashraf merged commit 0d0f87b into main May 4, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant