Merge branch 'main' into gha

Author: Saadnajmi

.ado/jobs/npm-publish.yml

@@ -8,6 +8,9 @@ jobs:
   variables:
     - name: BUILDSECMON_OPT_IN
       value: true
+    - name: USE_YARN_FOR_PUBLISH
+      value: false
+    
   timeoutInMinutes: 90
   cancelTimeoutInMinutes: 5
   templateContext:
@@ -49,12 +52,6 @@ jobs:
 
     # Disable Nightly publishing on the main branch
     - ${{ if endsWith(variables['Build.SourceBranchName'], '-stable') }}:
-      - script: |
-          echo "//registry.npmjs.org/:_authToken=$(npmAuthToken)" > ~/.npmrc
-          node .ado/scripts/prepublish-check.mjs --verbose --tag $(publishTag)
-        displayName: Set and validate npm auth
-        condition: and(succeeded(), eq(variables['publish_react_native_macos'], '1'))
-
       - script: |
           git switch $(Build.SourceBranchName)
           yarn nx release --skip-publish --verbose
@@ -64,18 +61,36 @@ jobs:
         condition: and(succeeded(), eq(variables['publish_react_native_macos'], '1'))
 
       - script: |
+          set -eox pipefail
           if [[ -f .rnm-publish ]]; then
             # https://github.com/microsoft/react-native-macos/issues/2580
             # `nx release publish` gets confused by the output of RNM's prepack script.
-            # Let's call `yarn npm publish` directly instead on the packages we want to publish.
-            # yarn nx release publish --tag ${{ parameters['publishTag'] }} --excludeTaskDependencies
-            yarn ./packages/virtualized-lists npm publish --tag ${{ parameters['publishTag'] }}
-            yarn ./packages/react-native npm publish --tag ${{ parameters['publishTag'] }}
+            # Let's call publish directly instead on the packages we want to publish.
+            # yarn nx release publish --tag $(publishTag) --excludeTaskDependencies
+            if [ "$(USE_YARN_FOR_PUBLISH)" = "true" ]; then
+              echo "Configuring yarn for npm publishing"
+              yarn config set npmPublishRegistry "https://registry.npmjs.org"
+              yarn config set npmAuthToken $(npmAuthToken)
+              echo "Publishing with yarn npm publish"
+              yarn ./packages/virtualized-lists npm publish --tag $(publishTag)
+              yarn ./packages/react-native npm publish --tag $(publishTag)
+            else
+              echo "Publishing with npm publish"
+              npm publish ./packages/virtualized-lists --tag $(publishTag) --registry https://registry.npmjs.org/ --//registry.npmjs.org/:_authToken=$(npmAuthToken)
+              npm publish ./packages/react-native      --tag $(publishTag) --registry https://registry.npmjs.org/ --//registry.npmjs.org/:_authToken=$(npmAuthToken)
+            fi
           fi
         displayName: Publish packages
         condition: and(succeeded(), eq(variables['publish_react_native_macos'], '1'))
 
     - script: |
-        rm -f ~/.npmrc
-      displayName: Remove npmrc if it exists
+        if [ "$(USE_YARN_FOR_PUBLISH)" = "true" ]; then
+          echo "Cleaning up yarn npm configuration"
+          yarn config unset npmAuthToken || true
+          yarn config unset npmPublishRegistry || true
+        else
+          echo "Cleaning up npm configuration"
+          rm -f ~/.npmrc
+        fi
+      displayName: Remove NPM auth configuration
       condition: always()

.ado/scripts/prepublish-check.mjs

@@ -88,44 +88,90 @@ function loadNxConfig(configFile) {
   return JSON.parse(nx);
 }
 
+/**
+ * Detects whether to use npm or yarn to publish based on .npmrc existence
+ * @returns {boolean} true if npm should be used, false if yarn should be used
+ * @throws {Error} if neither .npmrc nor .yarnrc.yml exists
+ */
+function shouldUseNpm() {
+  const hasNpmrc = fs.existsSync('.npmrc');
+  const hasYarnrc = fs.existsSync('.yarnrc.yml');
+  
+  if (!hasNpmrc && !hasYarnrc) {
+    error('No package manager configuration found. Expected either .npmrc or .yarnrc.yml file.');
+    throw new Error('No package manager configuration found');
+  }
+  
+  if (hasNpmrc && hasYarnrc) {
+    // If both exist, prefer npm (could be changed based on project preference)
+    info('Both .npmrc and .yarnrc.yml found, using npm configuration');
+    return true;
+  }
+  
+  return hasNpmrc;
+}
+
 function verifyNpmAuth(registry = NPM_DEFEAULT_REGISTRY) {
-  const npmErrorRegex = /npm error code (\w+)/;
+  const useNpm = shouldUseNpm();
   const spawnOptions = {
     stdio: /** @type {const} */ ("pipe"),
     shell: true,
     windowsVerbatimArguments: true,
   };
 
-  const whoamiArgs = ["whoami", "--registry", registry];
-  const whoami = spawnSync("npm", whoamiArgs, spawnOptions);
-  if (whoami.status !== 0) {
-    const error = whoami.stderr.toString();
-    const m = error.match(npmErrorRegex);
-    const errorCode = m && m[1];
-    switch (errorCode) {
-      case "EINVALIDNPMTOKEN":
-        throw new Error(`Invalid auth token for npm registry: ${registry}`);
-      case "ENEEDAUTH":
-        throw new Error(`Missing auth token for npm registry: ${registry}`);
-      default:
-        throw new Error(error);
+  if (useNpm) {
+    info("Using npm for authentication (found .npmrc)");
+    const npmErrorRegex = /npm error code (\w+)/;
+    
+    const whoamiArgs = ["whoami", "--registry", registry];
+    const whoami = spawnSync("npm", whoamiArgs, spawnOptions);
+    if (whoami.status !== 0) {
+      const error = whoami.stderr.toString();
+      const m = error.match(npmErrorRegex);
+      const errorCode = m && m[1];
+      switch (errorCode) {
+        case "EINVALIDNPMTOKEN":
+          throw new Error(`Invalid auth token for npm registry: ${registry}`);
+        case "ENEEDAUTH":
+          throw new Error(`Missing auth token for npm registry: ${registry}`);
+        default:
+          throw new Error(error);
+      }
     }
-  }
 
-  const tokenArgs = ["token", "list", "--registry", registry];
-  const token = spawnSync("npm", tokenArgs, spawnOptions);
-  if (token.status !== 0) {
-    const error = token.stderr.toString();
-    const m = error.match(npmErrorRegex);
-    const errorCode = m && m[1];
+    const tokenArgs = ["token", "list", "--registry", registry];
+    const token = spawnSync("npm", tokenArgs, spawnOptions);
+    if (token.status !== 0) {
+      const error = token.stderr.toString();
+      const m = error.match(npmErrorRegex);
+      const errorCode = m && m[1];
+      
+      // E403 means the token doesn't have permission to list tokens, but that's
+      // not required for publishing. Only fail for other error codes.
+      if (errorCode === "E403") {
+        info(`Token verification skipped: token doesn't have permission to list tokens (${errorCode})`);
+      } else {
+        throw new Error(m ? `Auth token for '${registry}' returned error code ${errorCode}` : error);
+      }
+    }
+  } else {
+    info("Using yarn for authentication (no .npmrc found)");
 
-    // E403 means the token doesn't have permission to list tokens, but that's
-    // not required for publishing. Only fail for other error codes.
-    if (errorCode === "E403") {
-      info(`Token verification skipped: token doesn't have permission to list tokens (${errorCode})`);
-    } else {
-      throw new Error(m ? `Auth token for '${registry}' returned error code ${errorCode}` : error);
+    const whoamiArgs = ["npm", "whoami", "--publish"];
+    const whoami = spawnSync("yarn", whoamiArgs, spawnOptions);
+    if (whoami.status !== 0) {
+      const errorOutput =
+        whoami.stderr.toString().trim() ||
+        whoami.stdout.toString().trim() ||
+        'No error message available';
+      
+      // Provide more context about the yarn authentication failure
+      throw new Error(`Yarn authentication failed (exit code ${whoami.status}): ${errorOutput}`);
     }
+
+    // Skip token listing for yarn since it doesn't support npm token commands
+    // The whoami check above is sufficient to verify authentication
+    info("Skipping token list check when using yarn (not required for publishing)");
   }
 }