Skip to content

fix(publish): pin yarn publish to registry.npmjs.org#41

Merged
sigmachirality merged 1 commit into
mainfrom
indent-2026-05-15-publish-registry-fix
May 18, 2026
Merged

fix(publish): pin yarn publish to registry.npmjs.org#41
sigmachirality merged 1 commit into
mainfrom
indent-2026-05-15-publish-registry-fix

Conversation

@sigmachirality
Copy link
Copy Markdown
Member

@sigmachirality sigmachirality commented May 18, 2026

Context

yarn publish in bin/publish-npm was hitting https://registry.yarnpkg.com — yarn 1.x's default registry, which is a read-only npm mirror — instead of https://registry.npmjs.org. The auth token configured on line 5 (npm config set '//registry.npmjs.org/:_authToken' "$NPM_TOKEN") only scopes auth for registry.npmjs.org, so the publish PUT against yarnpkg.com fell through to an unauthenticated 404:

[3/4] Publishing...
error Couldn't publish package: "https://registry.yarnpkg.com/@sfcompute%2fnodes-sdk-alpha: Not found"

This silently broke the last two releases — both v0.1.0-alpha.28 and v0.1.0-alpha.29 failed identically and never made it to npm. npm view @sfcompute/nodes-sdk-alpha version still returns 0.1.0-alpha.27, and downstream consumers (sfcompute/cli) cannot bump until this is fixed.

The last successful publish was 0.1.0-alpha.27 on 2025-12-06, so something between then and now started pushing yarn toward the default registry — likely a runner image change or a tooling update — but the explicit --registry flag makes the publish robust to that drift.

Description of changes

Adds --registry https://registry.npmjs.org to the yarn publish invocation in bin/publish-npm, with a short comment explaining why it's required.

Testing

The publish-npm script only runs in CI on a release tag, so I can't dry-run it locally. After this PR lands:

  1. Re-run the Publish NPM workflow against the v0.1.0-alpha.29 tag (Actions → Publish NPM → Run workflow, or re-run the failed run for that release).
  2. Confirm with npm view @sfcompute/nodes-sdk-alpha version once the run succeeds.
  3. Repeat for v0.1.0-alpha.28 if you want both versions on npm.

Review Callouts

  1. Problem: Release workflow silently fails on publish because yarn is pointing at the wrong registry; recent releases never reach npm consumers.
  2. API/CLI/Frontend impact: None at runtime. CI only.
  3. Observability: None changes.
  4. Unhappy path: If the npm token is also invalid, the publish will still fail — but now with a clear auth error from npmjs.org instead of a confusing 404 from yarnpkg.com.

Open in Indent Slack Thread
Tag @indent to continue the conversation here.

@sigmachirality @indent
fix(publish): pin yarn publish to registry.npmjs.org
6d2a7a6 
yarn 1.x defaults to https://registry.yarnpkg.com, which is a read-only
npm mirror. The auth token configured at the top of the script targets
registry.npmjs.org, so the publish PUT request was failing with
"Not found" against yarnpkg.com. Recent runs for v0.1.0-alpha.28 and
v0.1.0-alpha.29 both failed for this reason and never made it to npm
(npm latest is stuck at 0.1.0-alpha.27).

Passing --registry https://registry.npmjs.org explicitly forces yarn to
hit the same endpoint the token is scoped to.

After this lands, re-run the Publish NPM workflow against the
v0.1.0-alpha.29 tag to actually publish the release.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
@semanticdiff-com
Copy link
Copy Markdown

semanticdiff-com Bot commented May 18, 2026

Review changes with  SemanticDiff

@indent
Copy link
Copy Markdown

indent Bot commented May 18, 2026
edited
Loading

PR Summary

Pins yarn publish in bin/publish-npm to https://registry.npmjs.org so it targets the same registry the NPM_TOKEN is scoped to, unbreaking the Publish NPM workflow which has been silently failing for v0.1.0-alpha.28 and v0.1.0-alpha.29 (npm latest is stuck at alpha.27). Without this, yarn 1.x's default registry.yarnpkg.com was receiving the PUT unauthenticated and returning "Not found".

  • bin/publish-npm: append --registry https://registry.npmjs.org to the final yarn publish --tag "$TAG" invocation.
  • bin/publish-npm: add an inline comment block above the publish command explaining the registry/token mismatch and citing the failed releases, to prevent the flag from being removed later.

Issues

No issues found.

CI Checks

All CI checks passed on 6d2a7a6.

@sigmachirality sigmachirality added the indent label May 18, 2026 — with indent
@sigmachirality sigmachirality merged commit 36e044e into main May 18, 2026
11 checks passed
@stainless-app stainless-app Bot mentioned this pull request May 18, 2026
Merged
@sigmachirality sigmachirality mentioned this pull request May 18, 2026
Merged
sigmachirality added a commit that referenced this pull request May 18, 2026
@sigmachirality @indent
fix: use npm publish so the auth token actually gets used (#43)
1495892 
#41 fixed yarn's default registry but the v0.1.0-alpha.29 publish run
still failed:

  + yarn publish --tag latest --registry https://registry.npmjs.org
  error Couldn't publish package: "https://registry.npmjs.org/@sfcompute%2fnodes-sdk-alpha: Not found"

`yarn publish` is not picking up the `_authToken` entry that the script
writes via `npm config set` at the top — the PUT request goes out
unauthenticated and npm responds with 404. `npm publish` reads the same
~/.npmrc that `npm config set` wrote to, so it actually authenticates.

publishConfig.access is already "public" in package.json so no flag is
required.

Generated with [Indent](https://indent.com)

Co-authored-by: Indent <noreply@indent.com>
@sigmachirality sigmachirality mentioned this pull request May 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

indent

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sigmachirality