refactor: fold npmrc-detect into auth module

Review-driven simplification:
- Merge propagateProjectNpmrcAuth into src/auth.ts since both the
  registry-url write path and the .npmrc read path are concerned with
  the same thing: .npmrc + auth env export
- Replace existsSync + readFileSync TOCTOU with try/catch on ENOENT
- Dedupe referenced env vars with a single Set instead of Set + array
- Drop detectProjectNpmrc / ProjectNpmrc from the public surface;
  test only the observable behavior of propagateProjectNpmrcAuth
- Remove narrative comment in index.ts — the function name carries it

Author: fengmk2

dist/index.mjs

@@ -1,11 +1,12 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vite-plus/test";
-import { join } from "node:path";
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
-import { configAuthentication } from "./auth.js";
-import { exportVariable } from "@actions/core";
+import { join } from "node:path";
+import { configAuthentication, propagateProjectNpmrcAuth } from "./auth.js";
+import { exportVariable, info } from "@actions/core";
 
 vi.mock("@actions/core", () => ({
   debug: vi.fn(),
+  info: vi.fn(),
   exportVariable: vi.fn(),
 }));
 
@@ -177,3 +178,91 @@ describe("configAuthentication", () => {
     expect(exportVariable).toHaveBeenCalledWith("NODE_AUTH_TOKEN", "my-real-token");
   });
 });
+
+describe("propagateProjectNpmrcAuth", () => {
+  const projectDir = "/workspace/project";
+  const npmrcPath = join(projectDir, ".npmrc");
+
+  function mockNpmrc(content: string): void {
+    vi.mocked(readFileSync).mockImplementation((p) => {
+      if (p === npmrcPath) return content;
+      const err = Object.assign(new Error("ENOENT"), { code: "ENOENT" });
+      throw err;
+    });
+  }
+
+  function mockNoNpmrc(): void {
+    vi.mocked(readFileSync).mockImplementation(() => {
+      const err = Object.assign(new Error("ENOENT"), { code: "ENOENT" });
+      throw err;
+    });
+  }
+
+  afterEach(() => {
+    vi.unstubAllEnvs();
+    vi.resetAllMocks();
+  });
+
+  it("does nothing when there is no project .npmrc", () => {
+    mockNoNpmrc();
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).not.toHaveBeenCalled();
+  });
+
+  it("exports referenced env vars that are set in the environment", () => {
+    mockNpmrc("//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "my-real-token");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).toHaveBeenCalledWith("NODE_AUTH_TOKEN", "my-real-token");
+    expect(info).toHaveBeenCalledWith(expect.stringContaining(".npmrc"));
+  });
+
+  it("skips env vars that are not set", () => {
+    mockNpmrc("//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).not.toHaveBeenCalled();
+  });
+
+  it("does not re-export PATH or HOME even if referenced", () => {
+    mockNpmrc("cache=${HOME}/.npm-cache");
+    vi.stubEnv("HOME", "/home/runner");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).not.toHaveBeenCalledWith("HOME", expect.anything());
+  });
+
+  it("exports all referenced auth-like env vars, deduping repeats", () => {
+    mockNpmrc(
+      [
+        "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}",
+        "//registry.example.com/:_authToken=${NPM_TOKEN}",
+        "//other.example.com/:_authToken=${GITHUB_TOKEN}",
+      ].join("\n"),
+    );
+    vi.stubEnv("GITHUB_TOKEN", "gh-token");
+    vi.stubEnv("NPM_TOKEN", "npm-token");
+
+    propagateProjectNpmrcAuth(projectDir);
+
+    expect(exportVariable).toHaveBeenCalledWith("GITHUB_TOKEN", "gh-token");
+    expect(exportVariable).toHaveBeenCalledWith("NPM_TOKEN", "npm-token");
+    const ghCalls = vi.mocked(exportVariable).mock.calls.filter((c) => c[0] === "GITHUB_TOKEN");
+    expect(ghCalls).toHaveLength(1);
+  });
+
+  it("rethrows non-ENOENT read errors", () => {
+    vi.mocked(readFileSync).mockImplementation(() => {
+      throw Object.assign(new Error("EACCES"), { code: "EACCES" });
+    });
+
+    expect(() => propagateProjectNpmrcAuth(projectDir)).toThrow("EACCES");
+  });
+});

src/auth.test.ts

@@ -1,7 +1,7 @@
 import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { EOL } from "node:os";
-import { resolve } from "node:path";
-import { debug, exportVariable } from "@actions/core";
+import { join, resolve } from "node:path";
+import { debug, exportVariable, info } from "@actions/core";
 
 /**
  * Configure npm registry authentication by writing a .npmrc file.
@@ -65,3 +65,58 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string, scope?:
   // Export placeholder if NODE_AUTH_TOKEN is not set so npm doesn't error
   exportVariable("NODE_AUTH_TOKEN", process.env.NODE_AUTH_TOKEN || "XXXXX-XXXXX-XXXXX-XXXXX");
 }
+
+// Env vars the runner/system manages — never re-export via GITHUB_ENV
+const RESERVED_ENV_VARS = new Set([
+  "PATH",
+  "HOME",
+  "USERPROFILE",
+  "TMPDIR",
+  "RUNNER_TEMP",
+  "RUNNER_OS",
+  "RUNNER_ARCH",
+  "GITHUB_ACTIONS",
+  "GITHUB_WORKSPACE",
+  "GITHUB_REPOSITORY",
+  "GITHUB_REPOSITORY_OWNER",
+  "CI",
+]);
+
+/**
+ * When the project has an `.npmrc` referencing env vars (commonly
+ * `${NODE_AUTH_TOKEN}` for private registries), re-export the ones that are
+ * already set so they persist via `GITHUB_ENV` and remain visible to the
+ * package-manager subprocess spawned by `vp install` and to subsequent steps.
+ * Lets users rely on their existing `.npmrc` without also passing `registry-url`.
+ */
+export function propagateProjectNpmrcAuth(projectDir: string): void {
+  const npmrcPath = join(projectDir, ".npmrc");
+  let content: string;
+  try {
+    content = readFileSync(npmrcPath, "utf8");
+  } catch (err) {
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") return;
+    throw err;
+  }
+
+  const referenced = new Set<string>();
+  for (const match of content.matchAll(/\$\{(\w+)\}/g)) {
+    referenced.add(match[1]!);
+  }
+
+  const propagatable = [...referenced].filter(
+    (name) => !RESERVED_ENV_VARS.has(name) && !!process.env[name],
+  );
+
+  if (propagatable.length === 0) {
+    debug(`Project .npmrc at ${npmrcPath}: no auth env vars to propagate`);
+    return;
+  }
+
+  info(
+    `Detected project .npmrc at ${npmrcPath}. Propagating auth env vars: ${propagatable.join(", ")}`,
+  );
+  for (const name of propagatable) {
+    exportVariable(name, process.env[name]!);
+  }
+}

src/auth.ts

@@ -8,8 +8,7 @@ import { saveCache } from "./cache-save.js";
 import { State, Outputs } from "./types.js";
 import type { Inputs } from "./types.js";
 import { resolveNodeVersionFile } from "./node-version-file.js";
-import { configAuthentication } from "./auth.js";
-import { propagateProjectNpmrcAuth } from "./npmrc-detect.js";
+import { configAuthentication, propagateProjectNpmrcAuth } from "./auth.js";
 import { getConfiguredProjectDir } from "./utils.js";
 
 async function runMain(inputs: Inputs): Promise<void> {
@@ -36,9 +35,6 @@ async function runMain(inputs: Inputs): Promise<void> {
   if (inputs.registryUrl) {
     configAuthentication(inputs.registryUrl, inputs.scope);
   } else {
-    // No explicit registry-url: respect the project's .npmrc if present.
-    // Propagate referenced auth env vars (e.g. NODE_AUTH_TOKEN) via GITHUB_ENV
-    // so they survive into package-manager subprocesses and later steps.
     propagateProjectNpmrcAuth(projectDir);
   }