
Commit 55d26af

authored
Merge branch 'main' into wcandillon-patch-272814
2 parents 6cde253 + cdebc23 commit 55d26af


2 files changed

+230
-0
lines changed


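--- a/.github/workflows/build-npm.yml
+++ b/.github/workflows/build-npm.yml
@@ -20,6 +20,12 @@ jobs:
 with:
 submodules: recursive
 
+- name: Setup Node.js with npm registry
+uses: actions/setup-node@v4
+with:
+node-version: '20'
+registry-url: 'https://registry.npmjs.org'
+
 - name: Setup
 uses: ./.github/actions/setup
 with: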
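Review bot: `uses: actions/setup-node@v4` in the added step references a movable tag; in a workflow that, judging by its file name, builds the npm package, pinning to a full commit SHA (`uses: actions/setup-node@<full-commit-sha> # v4`) keeps a retagged release from changing what runs ahead of publishing. With `registry-url` set, setup-node writes an `.npmrc` that reads `NODE_AUTH_TOKEN`, so a comment on the step such as `# auth for publish comes from <token secret | OIDC>` would tell the next maintainer which credential is expected; the publish step itself is outside this hunk. The step also runs before `./.github/actions/setup`, which may configure Node again, so it is worth confirming the registry setting survives that action.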
Lines changed: 224 additions & 0 deletions
@@ -0,0 +1,224 @@
1+
name: Debug npm OIDC Authentication
2+
3+
on:
4+
workflow_dispatch: # Manual trigger only
5+
6+
jobs:
7+
debug-npm-auth:
8+
runs-on: ubuntu-latest
9+
permissions:
10+
contents: read
11+
id-token: write # Required for OIDC
12+
13+
steps:
14+
- name: Checkout repository
15+
uses: actions/checkout@v4
16+
17+
- name: Setup Node.js with npm registry
18+
uses: actions/setup-node@v4
19+
with:
20+
node-version: '20'
21+
registry-url: 'https://registry.npmjs.org'
22+
23+
- name: Debug - Check environment
24+
run: |
25+
echo "=== Node and npm versions ==="
26+
node --version
27+
npm --version
28+
29+
echo ""
30+
echo "=== npm config ==="
31+
npm config list
32+
33+
echo ""
34+
echo "=== Registry configuration ==="
35+
npm config get registry
36+
37+
echo ""
38+
echo "=== .npmrc contents (redacted) ==="
39+
if [ -f ~/.npmrc ]; then
40+
# Show structure but redact actual tokens
41+
sed 's/=.*/=<REDACTED>/' ~/.npmrc
42+
else
43+
echo "No ~/.npmrc found"
44+
fi
45+
46+
if [ -f .npmrc ]; then
47+
echo ""
48+
echo "=== Project .npmrc (redacted) ==="
49+
sed 's/=.*/=<REDACTED>/' .npmrc
50+
fi
51+
52+
- name: Debug - Check OIDC token availability
53+
id: oidc-check
54+
continue-on-error: true
55+
run: |
56+
echo "=== OIDC Token Check ==="
57+
OIDC_OK=true
58+
if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
59+
echo "✅ OIDC token request URL is set"
60+
echo "URL prefix: ${ACTIONS_ID_TOKEN_REQUEST_URL:0:50}..."
61+
else
62+
echo "❌ OIDC token request URL is NOT set"
63+
echo "Make sure 'id-token: write' permission is configured"
64+
OIDC_OK=false
65+
fi
66+
67+
if [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
68+
echo "✅ OIDC token request token is available"
69+
else
70+
echo "❌ OIDC token request token is NOT available"
71+
OIDC_OK=false
72+
fi
73+
74+
if [ "$OIDC_OK" = "false" ]; then
75+
exit 1
76+
fi
77+
78+
- name: Debug - Test npm authentication
79+
id: npm-auth
80+
continue-on-error: true
81+
run: |
82+
echo "=== Testing npm whoami ==="
83+
if npm whoami 2>&1; then
84+
echo "✅ Successfully authenticated with npm"
85+
else
86+
echo "❌ npm whoami failed - not authenticated"
87+
exit 1
88+
fi
89+
90+
- name: Debug - Check package info
91+
run: |
92+
echo "=== Package.json info ==="
93+
if [ -f package.json ]; then
94+
echo "Package name: $(jq -r '.name' package.json)"
95+
echo "Package version: $(jq -r '.version' package.json)"
96+
echo "Repository: $(jq -r '.repository.url // .repository // "not set"' package.json)"
97+
else
98+
echo "No package.json found in root"
99+
fi
100+
101+
- name: Debug - Check access to @shopify scope
102+
run: |
103+
echo "=== Checking @shopify scope access ==="
104+
105+
echo ""
106+
echo "Packages you can access in @shopify scope:"
107+
npm access list packages @shopify 2>&1 || echo "Could not list packages (may need org membership)"
108+
109+
echo ""
110+
echo "=== Checking specific package access ==="
111+
npm access list collaborators @shopify/react-native-skia 2>&1 || echo "Could not list collaborators"
112+
113+
- name: Debug - Check npm org membership
114+
run: |
115+
echo "=== Organization membership check ==="
116+
npm org ls shopify 2>&1 || echo "Could not list org members (may not have permission)"
117+
118+
- name: Setup
119+
uses: ./.github/actions/setup
120+
with:
121+
github_token: ${{ secrets.GITHUB_TOKEN }}
122+
123+
- name: Debug - Dry run publish test
124+
id: dry-run
125+
continue-on-error: true
126+
run: |
127+
echo "=== Attempting dry-run publish ==="
128+
echo "This will NOT actually publish, just test if it would work"
129+
130+
# Build the project using yarn (this is a yarn monorepo)
131+
echo "Running build first..."
132+
if ! yarn build; then
133+
echo "❌ Build step failed"
134+
exit 1
135+
fi
136+
137+
# Try dry-run publish from the skia package
138+
cd packages/skia
139+
if ! npm publish --dry-run --provenance --access public 2>&1; then
140+
echo "❌ Dry-run publish failed"
141+
exit 1
142+
fi
143+
echo "✅ Dry-run publish succeeded"
144+
145+
- name: Debug - Check provenance requirements
146+
run: |
147+
echo "=== Provenance publishing requirements ==="
148+
echo ""
149+
echo "For provenance publishing to work, you need:"
150+
echo "1. ✅ id-token: write permission (set in this workflow)"
151+
echo "2. Package must be linked to this GitHub repo on npmjs.com"
152+
echo "3. Publishing from a GitHub Actions workflow"
153+
echo ""
154+
echo "Current repository: $GITHUB_REPOSITORY"
155+
echo "Current ref: $GITHUB_REF"
156+
echo "Current SHA: $GITHUB_SHA"
157+
echo ""
158+
echo "Check https://www.npmjs.com/package/@shopify/react-native-skia/access"
159+
echo "to verify this repo is configured for publishing"
160+
161+
- name: Summary
162+
run: |
163+
echo ""
164+
echo "========================================"
165+
echo " DEBUG SUMMARY"
166+
echo "========================================"
167+
echo ""
168+
echo "If you see authentication failures above, check:"
169+
echo ""
170+
echo "1. Is this repo configured in npm package settings?"
171+
echo " → Go to npmjs.com → @shopify/react-native-skia → Settings → Publishing access"
172+
echo " → Verify '$GITHUB_REPOSITORY' is listed"
173+
echo ""
174+
echo "2. Do you have the right npm org permissions?"
175+
echo " → You need publish access to the @shopify scope"
176+
echo ""
177+
echo "3. Is the workflow running from the right branch/context?"
178+
echo " → Some orgs restrict publishing to specific branches"
179+
echo ""
180+
echo "4. Check npm's provenance documentation:"
181+
echo " → https://docs.npmjs.com/generating-provenance-statements"
182+
echo ""
183+
184+
- name: Final validation
185+
run: |
186+
echo ""
187+
echo "========================================"
188+
echo " VALIDATION RESULTS"
189+
echo "========================================"
190+
echo ""
191+
FAILED=false
192+
193+
if [ "${{ steps.oidc-check.outcome }}" = "failure" ]; then
194+
echo "❌ OIDC token check: FAILED"
195+
FAILED=true
196+
else
197+
echo "✅ OIDC token check: PASSED"
198+
fi
199+
200+
if [ "${{ steps.npm-auth.outcome }}" = "failure" ]; then
201+
echo "❌ npm authentication: FAILED"
202+
FAILED=true
203+
else
204+
echo "✅ npm authentication: PASSED"
205+
fi
206+
207+
if [ "${{ steps.dry-run.outcome }}" = "failure" ]; then
208+
echo "❌ Dry-run publish: FAILED"
209+
FAILED=true
210+
else
211+
echo "✅ Dry-run publish: PASSED"
212+
fi
213+
214+
echo ""
215+
if [ "$FAILED" = "true" ]; then
216+
echo "========================================"
217+
echo " ❌ OVERALL: SOME CHECKS FAILED"
218+
echo "========================================"
219+
exit 1
220+
else
221+
echo "========================================"
222+
echo " ✅ OVERALL: ALL CHECKS PASSED"
223+
echo "========================================"
224+
fi
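Review bot: The `Debug - Check access to @shopify scope` and `Debug - Check npm org membership` steps write the full output of `npm access list packages`, `npm access list collaborators` and `npm org ls shopify` into the job log, and on a public repository that log is readable by anyone; if authentication ever succeeds, the run leaves the org's member and collaborator list there. Reducing them to a status check would keep the diagnostic without the listing, e.g. `npm org ls shopify >/dev/null 2>&1 && echo "org listing permitted" || echo "org listing denied"`. Separately, `id-token: write` is granted to the whole job, so `yarn build` and the local setup action also run with the ability to request an OIDC token. Moving the build into a job without that permission, and adding `# debug-only workflow: remove once OIDC publishing works` above `jobs:`, would keep the grant narrow and temporary. The `actions/checkout@v4` and `actions/setup-node@v4` references here are tag-pinned as well and would be safer pinned to a commit SHA.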
