From 78f039b1a3aea37146f1cabae0cdb8a06e975306 Mon Sep 17 00:00:00 2001 From: "jorisjonkers-dev-agents[bot]" <290081373+jorisjonkers-dev-agents[bot]@users.noreply.github.com> Date: Fri, 10 Jul 2026 02:29:46 +0000 Subject: [PATCH] fix(deploy-artifact): handle npm audit no-deps skip for GHPR scoped packages --- actions/deploy-artifact/run.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/actions/deploy-artifact/run.sh b/actions/deploy-artifact/run.sh index 8ac170a..ccab3aa 100755 --- a/actions/deploy-artifact/run.sh +++ b/actions/deploy-artifact/run.sh @@ -136,15 +136,17 @@ main() { # (3) npm audit signatures — provenance verification # NOTE: npm audit signatures only works for packages from npmjs.com. - # Packages installed from GHPR (npm.pkg.github.com) will produce - # "found no dependencies to audit that were installed from a supported registry" - # which is expected and not a failure. + # Packages installed from GHPR (npm.pkg.github.com) will produce either: + # "found no dependencies to audit that were installed from a supported registry" + # or (when --scope filters to zero matching packages): + # "found no installed dependencies to audit" + # Both are expected skip-conditions, not failures. local provenance_verified=true local npm_audit_result npm_audit_result=$(npm audit signatures \ --userconfig "$npmrc" \ --scope @jorisjonkers-dev 2>&1) || { - if echo "$npm_audit_result" | grep -q "found no dependencies to audit that were installed from a supported registry"; then + if echo "$npm_audit_result" | grep -qE "found no dependencies to audit that were installed from a supported registry|found no installed dependencies to audit"; then warn "npm audit signatures skipped: package is from a private registry not supported by npm audit signatures" provenance_verified=false else