The v1.2.4 publish run hit this and still finished green:
npm error code E403
launcher NOT published: the npm token's account is not an owner of the 'synsci' package.
The ownership grant still hasn't happened. npm owner ls synsci lists k-syntheticsciences, syntheticsciences, aayambansal; whichever account NPM_TOKEN belongs to isn't covered for the unscoped package.
There's now a second wrinkle. The launcher was published manually between releases: synsci is at 1.2.5 on the registry while @synsci/openscience latest is 1.2.4. The next patch release computes 1.2.5, and the launcher step in tooling/repo/publish.ts treats "already on the registry" as success and skips:
} else if (stderr.includes("cannot publish over") || stderr.includes("previously published")) {
console.warn(`launcher ${Script.version} already on the registry, skipping`)
}
So the release-built 1.2.5 launcher will never ship, silently. The launcher is the npx synsci front door and #22 just changed its user-facing behavior, so a stale launcher is user-visible.
To fix:
- An owner runs
npm owner add <token-account> synsci, or the granular token gets extended to the unscoped package.
- Make the failure visible: a
::warning::/::error:: workflow annotation at minimum, better a separate job that shows as failed or skipped instead of an all-green run.
- A post-publish check that fails if
npm view synsci version doesn't match the released version would have caught both problems.
The v1.2.4 publish run hit this and still finished green:
The ownership grant still hasn't happened.
npm owner ls synscilists k-syntheticsciences, syntheticsciences, aayambansal; whichever account NPM_TOKEN belongs to isn't covered for the unscoped package.There's now a second wrinkle. The launcher was published manually between releases:
synsciis at 1.2.5 on the registry while@synsci/opensciencelatest is 1.2.4. The next patch release computes 1.2.5, and the launcher step intooling/repo/publish.tstreats "already on the registry" as success and skips:So the release-built 1.2.5 launcher will never ship, silently. The launcher is the
npx synscifront door and #22 just changed its user-facing behavior, so a stale launcher is user-visible.To fix:
npm owner add <token-account> synsci, or the granular token gets extended to the unscoped package.::warning::/::error::workflow annotation at minimum, better a separate job that shows as failed or skipped instead of an all-green run.npm view synsci versiondoesn't match the released version would have caught both problems.