fix(ci): add --no-verify-access to unblock lerna publish (EWHOAMI 403)#61
Open
mohdashraf010897 wants to merge 1 commit into
Open
fix(ci): add --no-verify-access to unblock lerna publish (EWHOAMI 403)#61mohdashraf010897 wants to merge 1 commit into
mohdashraf010897 wants to merge 1 commit into
Conversation
The npm-publish workflow fails at the publish step with: lerna http fetch GET 403 https://registry.npmjs.org/-/npm/v1/user lerna ERR! EWHOAMI Authentication error. The publish token is valid — `npm whoami` in the Authenticate step succeeds (returns the bot user). The failure is lerna 4's pre-publish access check, which calls the legacy `/-/npm/v1/user` endpoint; that endpoint returns 403 for npm automation/granular tokens. This is a known lerna limitation (lerna#2788, lerna#1574), and `--no-verify-access` skips exactly that check while leaving the real publish auth intact. Later lerna versions made this the default. Verified locally: lerna 4.0.0 (the pinned version CI runs) accepts the flag; @adobe/griffon-toolkit-aep-mobile@0.14.0 builds and packs cleanly. Unblocks the 0.14.0 release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
npm-publishworkflow fails at the publish step onmain, blocking the@adobe/griffon-toolkit-aep-mobile@0.14.0release (PR #60).Root cause — not a dead token. The Authenticate step's
npm whoamisucceeds (returns the bot useradobe-admin). The failure is in lerna 4's pre-publish access verification:lerna 4 verifies access by calling the legacy
/-/npm/v1/userendpoint, which returns 403 for npm automation/granular tokens — a known limitation (lerna#2788, lerna#1574). The token itself has publish rights; only this pre-check is incompatible.Fix
Add
--no-verify-accessto thelerna publishinvocation. This skips the/-/npm/v1/userpre-check while leaving the actual publish authentication intact. Newer lerna versions made--no-verify-accessthe default for exactly this reason.How Has This Been Tested?
Verified locally as far as is possible without the org publish token (which only exists in CI):
npm ci) accepts--no-verify-access—lerna publish --helplists it: "Do not verify package read-write access for current npm user."@adobe/griffon-toolkit-aep-mobile@0.14.0builds (tsc) andnpm packs cleanly — the artifact is releasable; the verify-access call was the only blocker.The auth handshake itself can only be exercised by an actual publish run. Because the workflow uses
lerna publish from-package, merging (or aworkflow_dispatch) will publish only versions not already on the registry — i.e. justaep-mobile@0.14.0. Low blast radius.Notes
This addresses the
npm-publishfailure only. The other red checks onmain(Publish Docs/ GH Pages,ci/circleci: build) appear to be separate infra issues and are not addressed here.