4 changes: 4 additions & 0 deletions .github/workflows/nodejs.condo.ci.yml
@@ -23,6 +23,7 @@ env:
DOCKER_IMAGE: condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }}
DOCKER_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }}
CONDO_TEST_SHARD_TOTAL: 20
NPM_REGISTRY_SERVER: ${{ secrets.NPM_REGISTRY_SERVER }}
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "nodejs.condo.ci.yml" -o -name "Dockerfile" -o -name ".yarnrc.yml" | head -20

Repository: open-condo-software/condo

Length of output: 135


🏁 Script executed:

cat -n .github/workflows/nodejs.condo.ci.yml | head -120

Repository: open-condo-software/condo

Length of output: 5113


🏁 Script executed:

find . -name "Dockerfile" | head -10

Repository: open-condo-software/condo

Length of output: 81


🏁 Script executed:

find . -name ".yarnrc.yml" | head -10

Repository: open-condo-software/condo

Length of output: 82


🏁 Script executed:

cat -n Dockerfile | grep -A 5 -B 5 "NPM_REGISTRY_SERVER"

Repository: open-condo-software/condo

Length of output: 833


🏁 Script executed:

cat -n .yarnrc.yml

Repository: open-condo-software/condo

Length of output: 1014


NPM_REGISTRY_SERVER from undefined secret will override Dockerfile default with empty string, breaking yarn install in external PRs.

If secrets.NPM_REGISTRY_SERVER is not defined (common in external forks), the workflow-level env: at line 26 resolves to empty. The build-image job lacks an environment: declaration, so it reads repository-scoped secrets instead of environment-scoped ones. This results in env.NPM_REGISTRY_SERVER being empty, which line 97 passes as a build-arg NPM_REGISTRY_SERVER= — an empty string that overrides the Dockerfile's ARG NPM_REGISTRY_SERVER=https://registry.npmjs.org default.

The Dockerfile ENV then becomes empty, and .yarnrc.yml line 25 (npmRegistryServer: "${NPM_REGISTRY_SERVER:-https://registry.npmjs.org}") treats the empty string as a set variable, not unset, so the :- fallback does not apply. Yarn ends up with a blank registry and yarn install fails.

Fix:

  • Only set the build-arg when secrets.NPM_REGISTRY_SERVER is non-empty: NPM_REGISTRY_SERVER: ${{ secrets.NPM_REGISTRY_SERVER || 'https://registry.npmjs.org' }} at line 26, or
  • Omit the build-arg entirely and rely on the Dockerfile default, or
  • Update .yarnrc.yml to use :+ (only if set and non-empty) or leave the variable unset in the Dockerfile when empty.

Also verify that NPM_REGISTRY_SERVER and NPM_REGISTRY_AUTH_TOKEN secrets exist at repository scope or in an 'external' environment, so external PR builds access them correctly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/nodejs.condo.ci.yml at line 26, The workflow sets
NPM_REGISTRY_SERVER from secrets unconditionally which can become empty for
external forks and override the Dockerfile ARG; update the workflow so the
build-arg is only provided when non-empty (e.g., use a fallback or conditional
so NPM_REGISTRY_SERVER is not passed as an empty value), or remove the build-arg
entirely and rely on the Dockerfile ARG NPM_REGISTRY_SERVER default;
alternatively adjust .yarnrc.yml's npmRegistryServer handling to not treat an
empty variable as set (use a conditional that only applies the value when
non-empty) — change references around the workflow env NPM_REGISTRY_SERVER, the
build-image job build-arg usage, the Dockerfile ARG NPM_REGISTRY_SERVER, and
.yarnrc.yml npmRegistryServer accordingly.

PG_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/postgres:16.8
REDIS_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/redis:6.2
REF: ${{ github.event.pull_request.head.sha || github.ref }}
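Review bot: the new `NPM_REGISTRY_SERVER` entry sources a registry URL from `secrets`, but a URL is configuration, not a credential; as a secret it is masked in logs and, for pull requests from forks (where secrets are not exposed), it resolves to an empty string that then travels into the `build-args` of the next hunk and replaces the Dockerfile default, which is the failure the comment above describes. Consider a repository configuration variable with a fallback, `NPM_REGISTRY_SERVER: ${{ vars.NPM_REGISTRY_SERVER || 'https://registry.npmjs.org' }}`, and keep only `NPM_REGISTRY_AUTH_TOKEN` in `secrets`.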
@@ -93,10 +94,13 @@ jobs:
tags: ${{ env.DOCKER_IMAGE_FULL }}
build-args: |
REGISTRY=${{ secrets.DOCKER_REGISTRY }}/doma/utils
NPM_REGISTRY_SERVER=${{ env.NPM_REGISTRY_SERVER }}
TURBO_TEAM=condo-ci
TURBO_REMOTE_ONLY=true
TURBO_TOKEN=${{ secrets.TURBO_TOKEN }}
TURBO_API=${{ secrets.TURBO_API }}
secrets: |
npm_registry_auth_token=${{ secrets.NPM_REGISTRY_AUTH_TOKEN }}
provenance: false
cache-from: ${{ env.DOCKER_CACHE_FROM }}
cache-to: ${{ env.DOCKER_CACHE_TO }}
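Review bot: routing `npm_registry_auth_token` through the `secrets:` input (a BuildKit secret mount) instead of `build-args` is the right call, because build-arg values used by `RUN` steps are recorded in the image's layer history; the same treatment is due to `TURBO_TOKEN`, which the unchanged `build-args` lines in this hunk still pass in the clear. Separately, `NPM_REGISTRY_SERVER=${{ env.NPM_REGISTRY_SERVER }}` is emitted even when the env value is empty, so an empty build-arg reaches the Dockerfile and overrides its `ARG` default; either give the workflow env a non-empty fallback or drop this line and rely on the Dockerfile default.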
6 changes: 6 additions & 0 deletions .yarnrc.yml
@@ -22,4 +22,10 @@ packageExtensions:
dependencies:
"graphql": "^15.6.1"

npmRegistryServer: "${NPM_REGISTRY_SERVER:-https://registry.npmjs.org}"

npmAuthToken: "${NPM_REGISTRY_AUTH_TOKEN:-}"

httpTimeout: 3000
httpRetry: 3
networkConcurrency: 8
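Review bot: `httpTimeout: 3000` is in milliseconds (Yarn's default is 60000), so every registry request now has a 3 s ceiling; combined with `httpRetry: 3` and `networkConcurrency: 8`, a slow private mirror or a large tarball will fail `yarn install --immutable` outright rather than merely slow it down, so confirm 3000 is intended and not 30000. On `npmRegistryServer`, the `:-` form is the correct choice: like the POSIX expansion it mirrors, Yarn documents it as falling back when the variable is unset or empty, whereas the plain `-` form covers only the unset case, so the empty-build-arg scenario from the comment above is worth reproducing before changing this line to `:+`.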
9 changes: 8 additions & 1 deletion Dockerfile
@@ -25,13 +25,20 @@ RUN set -ex \
# Installer
FROM base AS installer

ARG NPM_REGISTRY_SERVER=https://registry.npmjs.org

WORKDIR /app
# Copy pruned monorepo (only package.json + yarn.lock)
COPY --chown=app:app ./out /app
# Copy yarn berry
COPY --chown=app:app ./.yarn /app/.yarn
COPY --chown=app:app ./.yarnrc.yml /app/.yarnrc.yml
RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \

ENV NPM_REGISTRY_SERVER=$NPM_REGISTRY_SERVER

RUN --mount=type=secret,id=npm_registry_auth_token \
--mount=type=cache,target=/usr/local/share/.cache/yarn \
export NPM_REGISTRY_AUTH_TOKEN="$(cat /run/secrets/npm_registry_auth_token 2>/dev/null || true)" && \
yarn install --immutable --inline-builds

# Builder
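Review bot: the `2>/dev/null || true` after `cat /run/secrets/npm_registry_auth_token` makes a missing secret indistinguishable from an intentionally anonymous build, so a misconfigured token only surfaces later as an authentication error from yarn; print a one-line notice to stderr when the file is absent so the cause is visible in the build log. Exporting the token inside the single `RUN` is the right pattern (it exists only for that step and never lands in a layer), whereas `ENV NPM_REGISTRY_SERVER=$NPM_REGISTRY_SERVER` persists in the stage configuration; that is acceptable for a URL, but any stage built `FROM installer` inherits it, so keep it out of the runtime image if the private registry hostname should not ship.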