feat: respect project .npmrc without requiring registry-url

When the workflow does not pass `registry-url`, detect the project's
`.npmrc`, scan it for `${VAR}` references, and re-export any referenced
env vars that are set (e.g. `NODE_AUTH_TOKEN`) via `@actions/core`
`exportVariable`. This writes them to `GITHUB_ENV`, so the token is
reliably visible to the `vp install` subprocess and subsequent steps.

Users with a repo-level `.npmrc` (common for GitHub Packages setups) no
longer have to duplicate their registry config in the workflow.

Closes #50

Author: fengmk2

README.md

@@ -94,7 +94,28 @@ steps:
 
 ### With Private Registry (GitHub Packages)
 
-When using `registry-url`, set `run-install: false` and run install manually with the auth token, otherwise the default auto-install will fail for private packages.
+If your repo already has a `.npmrc` that declares the registry, you can just pass
+`NODE_AUTH_TOKEN` via `env` and let the default `vp install` run — no
+`registry-url` needed. The action detects the project `.npmrc`, propagates any
+referenced auth env vars (`${NODE_AUTH_TOKEN}`, `${GITHUB_TOKEN}`, etc.) to
+subsequent steps, and `vp install` picks up the existing registry config.
+
+```yaml
+# .npmrc in the repo:
+#   @myorg:registry=https://npm.pkg.github.com
+#   //npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
+
+steps:
+  - uses: actions/checkout@v6
+  - uses: voidzero-dev/setup-vp@v1
+    with:
+      node-version: "lts"
+    env:
+      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+```
+
+If the repo does **not** have an `.npmrc`, use `registry-url` to have the action
+generate one at `$RUNNER_TEMP/.npmrc`:
 
 ```yaml
 steps:

dist/index.mjs

@@ -9,6 +9,7 @@ import { State, Outputs } from "./types.js";
 import type { Inputs } from "./types.js";
 import { resolveNodeVersionFile } from "./node-version-file.js";
 import { configAuthentication } from "./auth.js";
+import { propagateProjectNpmrcAuth } from "./npmrc-detect.js";
 import { getConfiguredProjectDir } from "./utils.js";
 
 async function runMain(inputs: Inputs): Promise<void> {
@@ -31,9 +32,14 @@ async function runMain(inputs: Inputs): Promise<void> {
     await exec("vp", ["env", "use", nodeVersion]);
   }
 
-  // Step 4: Configure registry authentication if specified
+  // Step 4: Configure registry authentication
   if (inputs.registryUrl) {
     configAuthentication(inputs.registryUrl, inputs.scope);
+  } else {
+    // No explicit registry-url: respect the project's .npmrc if present.
+    // Propagate referenced auth env vars (e.g. NODE_AUTH_TOKEN) via GITHUB_ENV
+    // so they survive into package-manager subprocesses and later steps.
+    propagateProjectNpmrcAuth(projectDir);
   }
 
   // Step 5: Restore cache if enabled

src/index.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vite-plus/test";
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { detectProjectNpmrc, propagateProjectNpmrcAuth } from "./npmrc-detect.js";
+import { exportVariable, info } from "@actions/core";
+
+vi.mock("@actions/core", () => ({
+  info: vi.fn(),
+  debug: vi.fn(),
+  exportVariable: vi.fn(),
+}));
+
+describe("detectProjectNpmrc", () => {
+  let workDir: string;
+
+  beforeEach(() => {
+    workDir = mkdtempSync(join(tmpdir(), "setup-vp-npmrc-"));
+  });
+
+  afterEach(() => {
+    rmSync(workDir, { recursive: true, force: true });
+  });
+
+  it("returns undefined when no .npmrc exists", () => {
+    expect(detectProjectNpmrc(workDir)).toBeUndefined();
+  });
+
+  it("returns path and env vars when .npmrc references ${NODE_AUTH_TOKEN}", () => {
+    const npmrcPath = join(workDir, ".npmrc");
+    writeFileSync(
+      npmrcPath,
+      [
+        "@myorg:registry=https://npm.pkg.github.com",
+        "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}",
+      ].join("\n"),
+    );
+
+    const result = detectProjectNpmrc(workDir);
+    expect(result).toEqual({
+      path: npmrcPath,
+      envVars: ["NODE_AUTH_TOKEN"],
+    });
+  });
+
+  it("collects multiple distinct env var references", () => {
+    writeFileSync(
+      join(workDir, ".npmrc"),
+      [
+        "@orgA:registry=https://npm.pkg.github.com",
+        "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}",
+        "@orgB:registry=https://registry.example.com",
+        "//registry.example.com/:_authToken=${NPM_TOKEN}",
+      ].join("\n"),
+    );
+
+    const result = detectProjectNpmrc(workDir);
+    expect(result?.envVars.sort()).toEqual(["GITHUB_TOKEN", "NPM_TOKEN"]);
+  });
+
+  it("returns empty envVars when .npmrc has no ${...} references", () => {
+    writeFileSync(join(workDir, ".npmrc"), "registry=https://registry.npmjs.org/");
+
+    const result = detectProjectNpmrc(workDir);
+    expect(result?.envVars).toEqual([]);
+  });
+});
+
+describe("propagateProjectNpmrcAuth", () => {
+  let workDir: string;
+
+  beforeEach(() => {
+    workDir = mkdtempSync(join(tmpdir(), "setup-vp-npmrc-"));
+  });
+
+  afterEach(() => {
+    rmSync(workDir, { recursive: true, force: true });
+    vi.unstubAllEnvs();
+    vi.resetAllMocks();
+  });
+
+  it("does nothing when there is no project .npmrc", () => {
+    propagateProjectNpmrcAuth(workDir);
+    expect(exportVariable).not.toHaveBeenCalled();
+  });
+
+  it("exports referenced env vars that are set in the environment", () => {
+    writeFileSync(join(workDir, ".npmrc"), "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "my-real-token");
+
+    propagateProjectNpmrcAuth(workDir);
+
+    expect(exportVariable).toHaveBeenCalledWith("NODE_AUTH_TOKEN", "my-real-token");
+    expect(info).toHaveBeenCalledWith(expect.stringContaining(".npmrc"));
+  });
+
+  it("skips env vars that are not set", () => {
+    writeFileSync(join(workDir, ".npmrc"), "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "");
+
+    propagateProjectNpmrcAuth(workDir);
+
+    expect(exportVariable).not.toHaveBeenCalled();
+  });
+
+  it("does not re-export PATH or HOME even if referenced", () => {
+    // Reserved/system vars should not be exported to GITHUB_ENV via exportVariable
+    writeFileSync(join(workDir, ".npmrc"), "cache=${HOME}/.npm-cache");
+    vi.stubEnv("HOME", "/home/runner");
+
+    propagateProjectNpmrcAuth(workDir);
+
+    expect(exportVariable).not.toHaveBeenCalledWith("HOME", expect.anything());
+  });
+
+  it("exports all referenced auth-like env vars", () => {
+    writeFileSync(
+      join(workDir, ".npmrc"),
+      [
+        "//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}",
+        "//registry.example.com/:_authToken=${NPM_TOKEN}",
+      ].join("\n"),
+    );
+    vi.stubEnv("GITHUB_TOKEN", "gh-token");
+    vi.stubEnv("NPM_TOKEN", "npm-token");
+
+    propagateProjectNpmrcAuth(workDir);
+
+    expect(exportVariable).toHaveBeenCalledWith("GITHUB_TOKEN", "gh-token");
+    expect(exportVariable).toHaveBeenCalledWith("NPM_TOKEN", "npm-token");
+  });
+
+  it("works when .npmrc is in a nested working directory", () => {
+    const nested = join(workDir, "packages", "app");
+    mkdirSync(nested, { recursive: true });
+    writeFileSync(join(nested, ".npmrc"), "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}");
+    vi.stubEnv("NODE_AUTH_TOKEN", "abc");
+
+    propagateProjectNpmrcAuth(nested);
+
+    expect(exportVariable).toHaveBeenCalledWith("NODE_AUTH_TOKEN", "abc");
+  });
+});

src/npmrc-detect.test.ts

@@ -0,0 +1,77 @@
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { exportVariable, info, debug } from "@actions/core";
+
+export interface ProjectNpmrc {
+  path: string;
+  envVars: string[];
+}
+
+// Env vars that should never be re-exported via GITHUB_ENV (system/runner-managed)
+const RESERVED_ENV_VARS = new Set([
+  "PATH",
+  "HOME",
+  "USERPROFILE",
+  "TMPDIR",
+  "RUNNER_TEMP",
+  "RUNNER_OS",
+  "RUNNER_ARCH",
+  "GITHUB_ACTIONS",
+  "GITHUB_WORKSPACE",
+  "GITHUB_REPOSITORY",
+  "GITHUB_REPOSITORY_OWNER",
+  "CI",
+]);
+
+/**
+ * Detect a project-level `.npmrc` at the given directory and collect any
+ * `${VAR}` env var references inside it.
+ */
+export function detectProjectNpmrc(projectDir: string): ProjectNpmrc | undefined {
+  const npmrcPath = join(projectDir, ".npmrc");
+  if (!existsSync(npmrcPath)) return undefined;
+
+  const content = readFileSync(npmrcPath, "utf8");
+  const seen = new Set<string>();
+  const envVars: string[] = [];
+  for (const match of content.matchAll(/\$\{(\w+)\}/g)) {
+    const name = match[1];
+    if (name && !seen.has(name)) {
+      seen.add(name);
+      envVars.push(name);
+    }
+  }
+
+  return { path: npmrcPath, envVars };
+}
+
+/**
+ * When the project has an `.npmrc` referencing env vars (commonly
+ * `${NODE_AUTH_TOKEN}` for private registries), re-export the ones that are
+ * already set so they persist via `GITHUB_ENV` and remain reliably visible to
+ * package-manager subprocesses spawned by `vp install` and to subsequent
+ * workflow steps.
+ *
+ * This lets users rely on their existing `.npmrc` without having to also pass
+ * `registry-url` to `setup-vp` just to get auth forwarding.
+ */
+export function propagateProjectNpmrcAuth(projectDir: string): void {
+  const npmrc = detectProjectNpmrc(projectDir);
+  if (!npmrc) return;
+
+  const propagatable = npmrc.envVars.filter(
+    (name) => !RESERVED_ENV_VARS.has(name) && !!process.env[name],
+  );
+
+  if (propagatable.length === 0) {
+    debug(`Project .npmrc at ${npmrc.path}: no auth env vars to propagate`);
+    return;
+  }
+
+  info(
+    `Detected project .npmrc at ${npmrc.path}. Propagating auth env vars: ${propagatable.join(", ")}`,
+  );
+  for (const name of propagatable) {
+    exportVariable(name, process.env[name]!);
+  }
+}