fix: enforce public npm registry to fix GitHub Actions npm ci failures

Author: 王璨

scripts/lockfile-check.mjs

@@ -1,28 +1,39 @@
-// Check that package-lock.json doesn't leak private registry URLs
+// Check that package-lock.json files don't leak private registry URLs
 import { readFileSync } from "fs";
 import { resolve, dirname } from "path";
 import { fileURLToPath } from "url";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const lockfilePath = resolve(__dirname, "..", "package-lock.json");
-const lockfile = readFileSync(lockfilePath, "utf8");
+const LOCKFILES = [
+  resolve(__dirname, "..", "package-lock.json"),
+  resolve(__dirname, "..", "web", "package-lock.json"),
+];
 
 const PRIVATE_REGISTRIES = [
   "bnpm.byted.org",
   // add other private registries here if needed
 ];
 
-const found = PRIVATE_REGISTRIES.filter((reg) => lockfile.includes(reg));
+let fail = false;
+for (const lockfilePath of LOCKFILES) {
+  const lockfile = readFileSync(lockfilePath, "utf8");
+  const found = PRIVATE_REGISTRIES.filter((reg) => lockfile.includes(reg));
+
+  if (found.length > 0) {
+    console.error(
+      `❌ ${lockfilePath} contains private registry URLs:\n` +
+        `   ${found.join(", ")}`
+    );
+    fail = true;
+  }
+}
 
-if (found.length > 0) {
+if (fail) {
   console.error(
-    `❌ LOCKFILE CHECK FAILED: package-lock.json contains private registry URLs:\n` +
-      `   ${found.join(", ")}\n` +
-      `\n` +
-      `   Fix: ensure project .npmrc has 'registry=https://registry.npmjs.org',\n` +
+    `\n   Fix: ensure .npmrc has 'registry=https://registry.npmjs.org',\n` +
       `   then run: rm -rf node_modules package-lock.json && npm install\n`
   );
   process.exit(1);
 }
 
-console.log("✅ lockfile:check passed — all packages use public registry");
+console.log("✅ lockfile:check passed — all lockfiles use public registry");

web/.npmrc

@@ -0,0 +1 @@
+registry=https://registry.npmjs.org