ci(publish-libraries): fix NODE_AUTH_TOKEN workaround for PowerShell #1829

Merged: irvingouj@Devolutions (irvingoujAtDevolution) merged 1 commit into master from ci/fix-npm-publish-pwsh-token, Jun 18, 2026

@irvingoujAtDevolution

Contributor

Problem

The npm publish step in publish-libraries.yml failed on its first real publish (run #27769512117) with:

The term 'NODE_AUTH_TOKEN=' is not recognized as a name of a cmdlet, function, script file, or executable program.

Root cause

The OIDC trusted-publishing workaround introduced in #1636 used bash-style inline env assignment:

NODE_AUTH_TOKEN="" npm publish "$Tarball" "--access=$Access"

But this step runs under shell: pwsh. PowerShell parses NODE_AUTH_TOKEN="" as a command name, can't find it, and throws a (terminating) CommandNotFoundException; npm publish is never reached.

This branch in npm-publish.ps1 only executes when a package has a new version to publish. Since #1636 merged (Dec 2025), every scheduled run hit only the "skip — version unchanged" path, so the buggy line was never exercised. @devolutions/web-recorder@0.1.0 is the first genuinely-new package version since then, which is why the latent bug surfaced now.

Fix

Set the env var the PowerShell way, preserving the OIDC workaround intent (empty NODE_AUTH_TOKEN so npm uses OIDC trusted publishing instead of a token):

$env:NODE_AUTH_TOKEN = ""
npm publish "$Tarball" "--access=$Access"

Validation

Reproduced locally in pwsh 7.6.3:

  • The old line fails at runtime (not parse time) with the exact same CommandNotFoundException message as CI.
  • The new form runs and sets NODE_AUTH_TOKEN to empty string as intended.

Note / follow-up

This fixes the script-syntax blocker only. A separate open question remains: whether npm OIDC trusted publishing is configured for the brand-new @devolutions/web-recorder package on npmjs.org (trusted publishing typically requires the package/publisher to be pre-configured). That may need an ops check or a one-time token bootstrap for the first publish — out of scope for this PR.
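The bash prefix form applies the assignment to a single command, while a `$env:` assignment lasts for the rest of the pwsh process. As an added example (not code from this PR or from the project), one way to keep the empty-token override scoped to the publish call; `Invoke-WithEnv` is a hypothetical helper, and the token value and script block are constructed stand-ins:

```powershell
# Added example. Invoke-WithEnv is a hypothetical helper, not part of ci/npm-publish.ps1.
function Invoke-WithEnv {
    param(
        [Parameter(Mandatory)] [hashtable]   $Overrides,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    # Record the prior state of each variable; absent variables are stored as $null.
    $saved = @{}
    foreach ($name in $Overrides.Keys) {
        $saved[$name] = if (Test-Path "Env:$name") { (Get-Item "Env:$name").Value } else { $null }
    }

    try {
        foreach ($name in $Overrides.Keys) {
            Set-Item -Path "Env:$name" -Value $Overrides[$name]
        }
        & $ScriptBlock
    }
    finally {
        # Runs even when the script block throws a terminating error.
        foreach ($name in $saved.Keys) {
            if ($null -eq $saved[$name]) {
                Remove-Item -Path "Env:$name" -ErrorAction SilentlyContinue
            }
            else {
                Set-Item -Path "Env:$name" -Value $saved[$name]
            }
        }
    }
}

# Constructed demonstration: the token value is a placeholder, and the script
# block stands in for: npm publish "$Tarball" "--access=$Access"
$env:NODE_AUTH_TOKEN = 'constructed-placeholder-token'
Invoke-WithEnv -Overrides @{ NODE_AUTH_TOKEN = '' } -ScriptBlock {
    Write-Host "during publish: [$env:NODE_AUTH_TOKEN]"
}
Write-Host "after publish:  [$env:NODE_AUTH_TOKEN]"
```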

The OIDC workaround from #1636 used bash-style inline env assignment
(`NODE_AUTH_TOKEN="" npm publish`), but the step runs under pwsh, which
parses `NODE_AUTH_TOKEN=` as a command name -> CommandNotFoundException.
Set the env var the PowerShell way instead.

This path was never exercised until web-recorder@0.1.0 (the first new
package version since #1636), so the latent bug only surfaced now.
@github-actions


Let maintainers know that an action is required on their side

  • Add the label release-required when you request a maintainer to cut a new release (Devolutions Gateway, Devolutions Agent, Jetsocat, PowerShell module)

  • Add the label release-blocker if a follow-up is required before cutting a new release

  • Add the label publish-required when you request a maintainer to publish libraries (Devolutions.Gateway.Utils, OpenAPI clients, etc.)

  • Add the label publish-blocker if a follow-up is required before publishing libraries

Copilot AI left a comment

Contributor

Pull request overview

Fixes the npm publish PowerShell script used by the CI “publish libraries” workflow by replacing a bash-style inline environment assignment with PowerShell-compatible syntax, ensuring the npm publish command actually runs under shell: pwsh.

Changes:

  • Replace NODE_AUTH_TOKEN="" npm publish ... (bash syntax) with PowerShell’s $env:NODE_AUTH_TOKEN = "" followed by npm publish ....
  • Update the inline comment to explain the OIDC/trusted-publishing workaround intent.

Comment thread ci/npm-publish.ps1
{
Write-Host "Publishing..."
NODE_AUTH_TOKEN="" npm publish "$Tarball" "--access=$Access" # NODE_AUTH_TOKEN is a workaround for https://github.com/actions/setup-node/issues/1440
# Reset NODE_AUTH_TOKEN to empty is a workaround for https://github.com/actions/setup-node/issues/1440 (OIDC trusted publishing)
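Review bot: the replacement for the removed `NODE_AUTH_TOKEN="" npm publish ...` line widens the scope of the override. The bash-style prefix would have applied to that one npm invocation, while `$env:NODE_AUTH_TOKEN = ""` stays in effect for the rest of the pwsh process, so anything this script runs after `npm publish` also sees the cleared token. If that is intended, say so in the new comment (which would also read better as "Resetting NODE_AUTH_TOKEN to empty is a workaround for ..."); otherwise capture the previous value before the assignment and restore it in a `finally` block. The description validates the new form on pwsh 7.6.3 only, so confirm the behaviour on the runner's pwsh version as well: on PowerShell versions before 7.5, assigning an empty string to an `$env:` variable removes the variable instead of setting it to empty.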
@irvingoujAtDevolution irvingouj@Devolutions (irvingoujAtDevolution) merged commit 5f9e395 into master Jun 18, 2026
120 of 129 checks passed
@irvingoujAtDevolution irvingouj@Devolutions (irvingoujAtDevolution) deleted the ci/fix-npm-publish-pwsh-token branch June 18, 2026 19:13