From 0d90c0c0afd5e48f2274015369350f06f9bc6fc5 Mon Sep 17 00:00:00 2001
From: Mohd Ashraf <57627350+mohdashraf010897@users.noreply.github.com>
Date: Fri, 19 Jun 2026 11:29:20 +0530
Subject: [PATCH] fix(ci): add --no-verify-access to lerna publish
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The npm-publish workflow fails at the publish step with:
  lerna http fetch GET 403 https://registry.npmjs.org/-/npm/v1/user
  lerna ERR! EWHOAMI Authentication error.

The publish token is valid — `npm whoami` in the Authenticate step
succeeds (returns the bot user). The failure is lerna 4's pre-publish
access check, which calls the legacy `/-/npm/v1/user` endpoint; that
endpoint returns 403 for npm automation/granular tokens. This is a known
lerna limitation (lerna#2788, lerna#1574), and `--no-verify-access` skips
exactly that check while leaving the real publish auth intact. Later lerna
versions made this the default.

Verified locally: lerna 4.0.0 (the pinned version CI runs) accepts the
flag; @adobe/griffon-toolkit-aep-mobile@0.14.0 builds and packs cleanly.

Unblocks the 0.14.0 release.
---
 .github/workflows/npm-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index f6ceda8..c2b2bd0 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -36,7 +36,7 @@ jobs:
       env: # More info about the environment variables in the README
         NPM_TOKEN: ${{ secrets.ADOBE_BOT_NPM_TOKEN }} # This will be shared with your repo as an org secret
     - name: lerna publish
-      run: npx lerna publish from-package --yes
+      run: npx lerna publish from-package --yes --no-verify-access
       env: # More info about the environment variables in the README
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Leave this as is, it's automatically generated
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Leave this as is, it's automatically generated