ci(release): clarify missing npm token blocker

iexitdev · iexitdev · commit 54f88a18d1b7 · 2026-05-05T23:55:28.000-04:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -40,7 +40,19 @@ jobs:
 
       - name: Verify npm publish access
         run: |
-          npm whoami
+          if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
+            echo "NPM_TOKEN is not configured for this repository or environment."
+            echo "Add a GitHub Actions secret named NPM_TOKEN with npm publish access before rerunning."
+            exit 1
+          fi
+
+          if ! NPM_USER=$(npm whoami 2>&1); then
+            echo "NPM_TOKEN could not authenticate with npm."
+            echo "${NPM_USER}"
+            exit 1
+          fi
+
+          echo "Authenticated to npm as ${NPM_USER}."
 
           if ! npm access list packages @chart-kit --json >/dev/null; then
             echo "NPM_TOKEN cannot access the @chart-kit npm scope."
diff --git a/docs/release/beta-checklist.md b/docs/release/beta-checklist.md
@@ -10,7 +10,7 @@ This checklist tracks CKV2-017 readiness for the H5-approved Developer Preview.
 - Package strategy: `react-native-chart-kit` remains the compatibility path; `@chart-kit/react-native` is the modern v2 API for new adopters
 - Dist-tag target for Developer Preview: `next`
 - Publish manifest: [package-manifest.json](evidence/package-manifest.json) is the source of truth for Developer Preview-publishable packages. It publishes `@chart-kit/core`, `@chart-kit/svg-renderer`, `@chart-kit/react-native`, and then the root compatibility package `react-native-chart-kit`; it pack-checks but does not publish `@chart-kit/skia-renderer` or `@chart-kit/pro`.
-- npm access prerequisite: the `NPM_TOKEN` used by GitHub Actions must be able to create and publish public packages under the `@chart-kit` scope. The publish workflow runs `npm whoami` and `npm access list packages @chart-kit --json` before expensive build/test work so missing scope access fails early.
+- npm access prerequisite: the `NPM_TOKEN` used by GitHub Actions must exist, authenticate with npm, and be able to create and publish public packages under the `@chart-kit` scope. The publish workflow checks for the secret, runs `npm whoami`, and runs `npm access list packages @chart-kit --json` before expensive build/test work so missing auth or scope access fails early.
 
 ## Required Checks
 
diff --git a/scripts/check-release-gates.mjs b/scripts/check-release-gates.mjs
@@ -39,6 +39,7 @@ const requiredFiles = [
   "docs/release/evidence/package-manifest.json",
   "docs/release/evidence/skia-renderer-evidence.json",
   "docs/release/evidence/skia-renderer-matrix.json",
+  ".github/workflows/publish.yml",
   ".github/workflows/native-release.yml",
   "scripts/generate-native-qa-checklists.mjs",
   "scripts/record-native-workflow-evidence.mjs",
@@ -507,6 +508,31 @@ addCheck({
   status: nativeWorkflowArtifactChecks.length === 0 ? "pass" : "fail"
 });
 
+const publishWorkflowSource = await readRepoFile(".github/workflows/publish.yml");
+const publishWorkflowSafetyChecks = [
+  "secrets.NPM_TOKEN",
+  "NODE_AUTH_TOKEN",
+  "NPM_TOKEN is not configured",
+  "npm whoami",
+  "npm access list packages @chart-kit --json",
+  "scripts/list-release-packages.mjs --publishable",
+  "npm publish \"${PUBLISH_TARGET}\" --ignore-scripts --access public --provenance --tag"
+].filter((needle) => !publishWorkflowSource.includes(needle));
+
+addCheck({
+  detail:
+    publishWorkflowSafetyChecks.length > 0
+      ? `Missing publish workflow safety config: ${publishWorkflowSafetyChecks.join(
+          ", "
+        )}`
+      : "",
+  evidence: ".github/workflows/publish.yml",
+  id: "workflow:publish-safety",
+  message:
+    "Publish workflow validates npm auth and uses the release package manifest",
+  status: publishWorkflowSafetyChecks.length === 0 ? "pass" : "fail"
+});
+
 const candidateJavaHomes = [
   process.env.JAVA_HOME,
   "/opt/homebrew/opt/openjdk@17/libexec/openjdk.jdk/Contents/Home",
diff --git a/scripts/check-release-gates.test.mjs b/scripts/check-release-gates.test.mjs
@@ -199,4 +199,17 @@ describe("release gate checker", () => {
       status: "pass"
     });
   });
+
+  it("checks npm publish workflow auth and manifest safety", () => {
+    const report = runGateReportJson();
+
+    expect(
+      report.checks.find((check) => check.id === "workflow:publish-safety")
+    ).toMatchObject({
+      evidence: ".github/workflows/publish.yml",
+      message:
+        "Publish workflow validates npm auth and uses the release package manifest",
+      status: "pass"
+    });
+  });
 });
