fix(ci): scope GPR registry to @lottiefiles for publish only#836
Merged
Conversation
|
Contributor
size-limit report 📦
|
The gpr-release job set `registry-url: https://npm.pkg.github.com/` on actions/setup-node without a `scope`, which writes a global `registry=...` to ~/.npmrc. That routed every `pnpm install` package fetch through GitHub Packages, including third-party deps and internal @LottieFiles dev deps that only live on npmjs (e.g. @lottiefiles/commitlint-config@2.0.0), producing 404s. The misconfig was masked for weeks by setup-node's `cache: pnpm` store hits — the recent dependency bumps (Svelte 5, tsdown, etc.) invalidated the lockfile-keyed cache, forcing real fetches and surfacing the bug. Install from npmjs (the default), then append the GPR scope mapping to `.npmrc` only before `changeset publish` runs. Keeps third-party resolution on npmjs while still authenticating @LottieFiles publishes to GitHub Packages. Pass the token through `env` to avoid expanding secrets directly into the shell command body. Verified end-to-end on a temporary workflow against this branch: fresh cold-cache `pnpm install` resolved all 1400 packages with no 404, and `npm whoami --registry=https://npm.pkg.github.com/` returned `github-actions[bot]`.
7888949 to
a88e5d9
Compare
This was referenced May 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
gpr-releasejob in.github/workflows/release.ymlsetregistry-url: https://npm.pkg.github.com/onactions/setup-nodewithout ascopeinput. With no scope,actions/setup-nodewrites a globalregistry=...line to~/.npmrc, which routes everypnpm installpackage fetch through GitHub Packages — including third-party deps and internal@lottiefiles/*dev dependencies that only live on npmjs.That caused the most recent release to fail at install:
Failing run: https://github.com/LottieFiles/dotlottie-web/actions/runs/25301433588/job/74169461287
Why it didn't fail until now
The misconfig has been latent for weeks, masked by
actions/setup-node'scache: pnpmstore hits:resolved 1396, reused 1392, downloaded 0, added 1396(cache hit, no real fetch)resolved 1400, reused 0, downloaded 125, added 125(cache miss → real fetch → 404)Recent dependency bumps (Svelte 5 #722, tsdown #832, Svelte deps #834, Dependabot consolidation #830) changed
pnpm-lock.yaml, invalidating the lockfile-keyed pnpm store cache. With no cache hit, pnpm had to actually fetch from the registry — surfacing the bug.Fix
Install from npmjs (the default), then append the GPR scope mapping to
.npmrconly beforechangeset publishruns:@lottiefilesscoped publishes still go to GitHub Packages, authenticated viaGITHUB_TOKEN.env:rather than being expanded directly into the shell command body, keeping secrets out of the script source.Verification
Verified end-to-end on a temporary workflow run against this branch (workflow file dropped before merge):
pnpm install(cold cache)resolved 1400, reused 0, downloaded 1394, added 1400, donenpm whoami --registry=https://npm.pkg.github.com/github-actions[bot].npmrcworks.Package(s) affected
@lottiefiles/dotlottie-web(core)@lottiefiles/dotlottie-react@lottiefiles/dotlottie-vue@lottiefiles/dotlottie-svelte@lottiefiles/dotlottie-solid@lottiefiles/dotlottie-wc(CI-only change — no published package contents change.)
Type of change
Checklist
Follow-up
After this lands on
main, re-running thegpr-releasejob for failed run 25301433588 will pick up the fixed workflow frommainand complete the GPR publish for the version that already shipped to npm.