Skip to content

fix: remove NPM_CONFIG_PROVENANCE and set explicit NODE_AUTH_TOKEN in Release workflow#177

Draft
sandornagy517 with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-failing-github-actions-job
Draft

fix: remove NPM_CONFIG_PROVENANCE and set explicit NODE_AUTH_TOKEN in Release workflow#177
sandornagy517 with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-failing-github-actions-job

Conversation

Copilot AI commented Jul 3, 2026

Copy link
Copy Markdown

Description

The Release CI job began failing with HTTP 404 on all npm publish PUT requests after GitHub Actions silently switched to Node.js 24 as the runner default on June 2, 2026. The workflow YAML was identical between the last successful run (May 15) and the failing run (July 3).

Two root causes identified:

  • NPM_CONFIG_PROVENANCE: true triggers npm's OIDC-based attestation flow during publish. The npm registry's attestation endpoint (/_/api/v1/attestations/{pkg}/{version}) began returning 404, blocking all publishes. Provenance was already identified as problematic in a prior fix attempt (commit "Fix release script to remove provenance flag").

  • NODE_AUTH_TOKEN set to GITHUB_TOKEN by actions/setup-node@v4 (a side effect of specifying registry-url). The .npmrc at NPM_CONFIG_USERCONFIG uses _authToken=${NODE_AUTH_TOKEN}, so any subprocess reading it authenticates with the GitHub token instead of the npm token — npm returns 404 (not 401) as a security measure.

Changes to .github/workflows/on_push_to_main.yml:

  • Removed NPM_CONFIG_PROVENANCE: true from the "Publish to NPMJS" step env — eliminates the attestation API call entirely
  • Added NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} — overrides the GITHUB_TOKEN set by setup-node@v4 so both Yarn's own auth config and the .npmrc fallback use the correct npm token
       - name: Publish to NPMJS
         ...
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Issue number: N/A (CI infrastructure fix)

Affected plugin

  • backstage-plugin
  • backstage-plugin-backend
  • backstage-plugin-scaffolder-actions
  • backstage-plugin-entity-processor

Type of change

  • New feature (non-breaking change which adds functionality)
  • Fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have performed a self-review of this change
  • Changes have been tested
  • Changes have been tested in dark theme
  • Changes are documented
  • Changes generate no new warnings
  • PR title follows conventional commit semantics

If this is a breaking change 👇

  • I have documented the migration process
  • I have implemented necessary warnings (if it can live side by side)

Acknowledgement

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

Copilot AI changed the title [WIP] Fix failing GitHub Actions job Release fix: remove NPM_CONFIG_PROVENANCE and set explicit NODE_AUTH_TOKEN in Release workflow Jul 3, 2026
Copilot AI requested a review from sandornagy517 July 3, 2026 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants