From 674fe0e03286ac4ad925beda9a7ac10aaef1c11a Mon Sep 17 00:00:00 2001
From: Tushar Pandey <tushar.pandey@okta.com>
Date: Mon, 4 Aug 2025 12:42:33 +0530
Subject: [PATCH 1/3] chore: update relase workflows

---
 .github/actions/npm-publish/action.yml | 48 ++++++++++++++++++++++++--
 .github/workflows/npm-release.yml      |  3 ++
 .github/workflows/test-npm-auth.yml    | 39 +++++++++++++++++++++
 3 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/test-npm-auth.yml

diff --git a/.github/actions/npm-publish/action.yml b/.github/actions/npm-publish/action.yml
index 57679d5c3b..79a8eff745 100644
--- a/.github/actions/npm-publish/action.yml
+++ b/.github/actions/npm-publish/action.yml
@@ -1,15 +1,21 @@
 name: Publish release to npm
+description: Publishes a package to npm registry with authentication and verification
 
 inputs:
   node-version:
+    description: Node.js version to use
     required: true
   npm-token:
+    description: NPM authentication token
     required: true
   version:
+    description: Version to publish
     required: true
   require-build:
-    default: true
+    description: Whether to run build step
+    default: 'true'
   release-directory:
+    description: Directory containing package to publish
     default: './'
 
 runs:
@@ -35,10 +41,33 @@ runs:
       shell: bash
       run: npm run build
 
+    - name: Verify npm authentication
+      shell: bash
+      run: |
+        echo "Verifying npm authentication..."
+        echo "npm version: $(npm --version)"
+        echo "node version: $(node --version)" 
+        echo "npm config list:"
+        npm config list
+        echo "Checking authentication:"
+        npm whoami
+        echo "npm registry: $(npm config get registry)"
+        echo "Checking user permissions for auth0 package..."
+        npm access list packages --json || echo "Could not list packages"
+        echo "Checking package collaborators..."
+        npm owner ls auth0 || echo "Could not list owners"
+        echo "Checking npm token..."
+        npm token list || echo "Could not list tokens"
+        echo "Testing npm publish dry run..."
+        npm publish --dry-run || echo "Dry run failed"
+      env:
+        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
+
     - name: Publish release to NPM
       shell: bash
       working-directory: ${{ inputs.release-directory }}
       run: |
+        # Determine the appropriate tag
         if [[ "${VERSION}" == *"beta"* ]]; then
           TAG="beta"
         elif [[ "${VERSION}" == *"alpha"* ]]; then
@@ -46,7 +75,22 @@ runs:
         else
           TAG="latest"
         fi
-        npm publish --provenance --tag $TAG
+
+        echo "Publishing package auth0@${VERSION} with tag ${TAG}..."
+        echo "Package details:"
+        echo "Name: $(grep '"name"' package.json | cut -d'"' -f4)"
+        echo "Version: $(grep '"version"' package.json | cut -d'"' -f4)"
+        echo "Repository: $(grep -A2 '"repository"' package.json | grep '"url"' | cut -d'"' -f4)"
+
+        echo "Final authentication check before publish:"
+        npm whoami
+
+        echo "Running npm publish..."
+        set -e  # Exit on any error
+        npm publish --provenance --tag $TAG --verbose
+
+        echo "✅ Package published successfully!"
+        echo "Package URL: https://www.npmjs.com/package/auth0/v/${VERSION}"
       env:
         NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 21a57c4469..6e79769b88 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -26,6 +26,9 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: read
+      id-token: write # For publishing to npm using --provenance
 
     steps:
       # Checkout the code
diff --git a/.github/workflows/test-npm-auth.yml b/.github/workflows/test-npm-auth.yml
new file mode 100644
index 0000000000..34e80808b3
--- /dev/null
+++ b/.github/workflows/test-npm-auth.yml
@@ -0,0 +1,39 @@
+name: Test NPM Authentication
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  test-npm-auth:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Test npm authentication
+        run: |
+          echo "Testing npm authentication..."
+          npm whoami
+          echo "Registry: $(npm config get registry)"
+          echo "Auth token configured: $(if [ -n "$NODE_AUTH_TOKEN" ]; then echo "Yes"; else echo "No"; fi)"
+          echo "Token length: ${#NODE_AUTH_TOKEN}"
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Test package access
+        run: |
+          echo "Checking package information..."
+          npm view auth0 version
+          npm access list packages --json
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From b6d29eaf6477e5087475067b9fd842fe29252dc2 Mon Sep 17 00:00:00 2001
From: Tushar Pandey <tushar.pandey@okta.com>
Date: Mon, 4 Aug 2025 12:46:13 +0530
Subject: [PATCH 2/3] chore: make test workflow run on push

---
 .github/workflows/test-npm-auth.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test-npm-auth.yml b/.github/workflows/test-npm-auth.yml
index 34e80808b3..ec7f315edc 100644
--- a/.github/workflows/test-npm-auth.yml
+++ b/.github/workflows/test-npm-auth.yml
@@ -2,6 +2,9 @@ name: Test NPM Authentication
 
 on:
   workflow_dispatch:
+  push:
+    branches-ignore:
+      - master
 
 permissions:
   contents: read

From ef9435a497a82436b99553d42d5aba758134c4c6 Mon Sep 17 00:00:00 2001
From: Tushar Pandey <tushar.pandey@okta.com>
Date: Mon, 4 Aug 2025 12:49:47 +0530
Subject: [PATCH 3/3] chore: make test workflow changes

---
 .github/actions/npm-publish/action.yml |  2 +-
 .github/workflows/test-npm-auth.yml    | 46 +++++++++++++++++++++++---
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/.github/actions/npm-publish/action.yml b/.github/actions/npm-publish/action.yml
index 79a8eff745..d50308bfa4 100644
--- a/.github/actions/npm-publish/action.yml
+++ b/.github/actions/npm-publish/action.yml
@@ -46,7 +46,7 @@ runs:
       run: |
         echo "Verifying npm authentication..."
         echo "npm version: $(npm --version)"
-        echo "node version: $(node --version)" 
+        echo "node version: $(node --version)"
         echo "npm config list:"
         npm config list
         echo "Checking authentication:"
diff --git a/.github/workflows/test-npm-auth.yml b/.github/workflows/test-npm-auth.yml
index ec7f315edc..156d026dc7 100644
--- a/.github/workflows/test-npm-auth.yml
+++ b/.github/workflows/test-npm-auth.yml
@@ -26,17 +26,55 @@ jobs:
       - name: Test npm authentication
         run: |
           echo "Testing npm authentication..."
-          npm whoami
           echo "Registry: $(npm config get registry)"
           echo "Auth token configured: $(if [ -n "$NODE_AUTH_TOKEN" ]; then echo "Yes"; else echo "No"; fi)"
           echo "Token length: ${#NODE_AUTH_TOKEN}"
+          echo "Token prefix: ${NODE_AUTH_TOKEN:0:8}..."
+          echo ""
+          echo "Checking .npmrc file:"
+          cat ~/.npmrc || echo "No .npmrc found in home directory"
+          echo ""
+          echo "Checking working directory .npmrc:"
+          cat .npmrc || echo "No .npmrc found in working directory"
+          echo ""
+          echo "NPM config list:"
+          npm config list
+          echo ""
+          echo "Attempting npm whoami (this may fail):"
+          npm whoami || echo "npm whoami failed - this confirms authentication issue"
+          echo ""
+          echo "Exit code from npm whoami: $?"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Test package access
         run: |
-          echo "Checking package information..."
-          npm view auth0 version
-          npm access list packages --json
+          echo "Checking package information (without auth)..."
+          npm view auth0 version || echo "Could not view auth0 package"
+          echo ""
+          echo "Attempting to list packages (requires auth):"
+          npm access list packages --json || echo "Could not list packages - confirms auth issue"
+          echo ""
+          echo "Attempting to check auth0 package ownership:"
+          npm owner ls auth0 || echo "Could not list owners - may require auth"
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Debug token type
+        run: |
+          echo "🔍 DEBUGGING NPM TOKEN ISSUE"
+          echo "================================"
+          echo ""
+          echo "❌ The 401 Unauthorized error indicates:"
+          echo "   1. Token is invalid/expired"
+          echo "   2. Token is read-only (common cause)"
+          echo "   3. Token format is incorrect"
+          echo ""
+          echo "🔧 NEXT STEPS:"
+          echo "   1. Go to https://www.npmjs.com/settings/tokens"
+          echo "   2. Check if your token shows 'Read-only'"
+          echo "   3. If yes, create new 'Automation' token"
+          echo "   4. Update GitHub secret NPM_TOKEN"
+          echo ""
+          echo "💡 Token should be 'Automation' type for CI/CD publishing"
+        continue-on-error: true