fix(ci): downgrade npm auth token list check to warning (#2547)

Copilot · Saadnajmi · web-flow · commit cacc1bdeb5a6 · 2025-07-09T10:08:14.000-07:00
The `verifyNpmAuth` function in `.ado/scripts/prepublish-check.mjs` was failing in CI with: ``` ❌ Auth token for 'https://registry.npmjs.org/' returned error code E403 ``` This occurred because the function performs two npm checks: 1. `npm whoami --registry <registry>` - verifies user authentication ✅ 2. `npm token list --registry <registry>` - attempts to list user tokens ❌ While the first check succeeds (confirming the user is authenticated), the second check fails with E403 because some npm tokens don't have permission to list tokens, even though they can publish packages successfully. ## Solution Made a minimal change to treat E403 errors from `npm token list` as non-fatal warnings: ```javascript // Before - All token list errors were fatal throw new Error(`Auth token for '${registry}' returned error code ${errorCode}`); // After - E403 is non-fatal, others still throw if (errorCode === "E403") { info(`Token verification skipped: token doesn't have permission to list tokens (${errorCode})`); } else { throw new Error(`Auth token for '${registry}' returned error code ${errorCode}`); } ``` ## Benefits - ✅ **Fixes CI publishing** - No more E403 failures blocking npm publish jobs - ✅ **Maintains security** - `npm whoami` still validates authentication properly - ✅ **Preserves existing behavior** - All other error codes (E401, ENEEDAUTH, etc.) still throw as before - ✅ **Zero breaking changes** - Fully backward compatible - ✅ **Clear logging** - Informative message when E403 occurs ## Testing - Script syntax validation passes - Code formatting with Prettier is correct - Manual testing confirms E403 errors are now non-fatal - All other error scenarios continue to work as expected - Script runs successfully with all existing options This surgical fix resolves the specific CI authentication issue while preserving all existing safeguards and functionality. Fixes #2546.  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. Co-authored-by: Saad Najmi <sanajmi@microsoft.com>
diff --git a/.ado/scripts/prepublish-check.mjs b/.ado/scripts/prepublish-check.mjs
@@ -103,7 +103,8 @@ function verifyNpmAuth(registry = NPM_DEFEAULT_REGISTRY) {
   if (whoami.status !== 0) {
     const error = whoami.stderr.toString();
     const m = error.match(npmErrorRegex);
-    switch (m && m[1]) {
+    const errorCode = m && m[1];
+    switch (errorCode) {
       case "EINVALIDNPMTOKEN":
         throw new Error(`Invalid auth token for npm registry: ${registry}`);
       case "ENEEDAUTH":
@@ -118,7 +119,15 @@ function verifyNpmAuth(registry = NPM_DEFEAULT_REGISTRY) {
   if (token.status !== 0) {
     const error = token.stderr.toString();
     const m = error.match(npmErrorRegex);
-    throw new Error(m ? `Auth token for '${registry}' returned error code ${m[1]}` : error);
+    const errorCode = m && m[1];
+    
+    // E403 means the token doesn't have permission to list tokens, but that's
+    // not required for publishing. Only fail for other error codes.
+    if (errorCode === "E403") {
+      info(`Token verification skipped: token doesn't have permission to list tokens (${errorCode})`);
+    } else {
+      throw new Error(m ? `Auth token for '${registry}' returned error code ${errorCode}` : error);
+    }
   }
 }
 
