Skip to content

Launcher npm publish blocked by E403, and the registry version skew means the next release silently skips it #28

Description

The v1.2.4 publish run hit this and still finished green:

npm error code E403
launcher NOT published: the npm token's account is not an owner of the 'synsci' package.

The ownership grant still hasn't happened. npm owner ls synsci lists k-syntheticsciences, syntheticsciences, aayambansal; whichever account NPM_TOKEN belongs to isn't covered for the unscoped package.

There's now a second wrinkle. The launcher was published manually between releases: synsci is at 1.2.5 on the registry while @synsci/openscience latest is 1.2.4. The next patch release computes 1.2.5, and the launcher step in tooling/repo/publish.ts treats "already on the registry" as success and skips:

} else if (stderr.includes("cannot publish over") || stderr.includes("previously published")) {
  console.warn(`launcher ${Script.version} already on the registry, skipping`)
}

So the release-built 1.2.5 launcher will never ship, silently. The launcher is the npx synsci front door and #22 just changed its user-facing behavior, so a stale launcher is user-visible.

To fix:

  1. An owner runs npm owner add <token-account> synsci, or the granular token gets extended to the unscoped package.
  2. Make the failure visible: a ::warning::/::error:: workflow annotation at minimum, better a separate job that shows as failed or skipped instead of an all-green run.
  3. A post-publish check that fails if npm view synsci version doesn't match the released version would have caught both problems.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions