fix: add always-auth to release workflow for robust npm publish#41
Conversation
The tag-based release workflow failed on first run with 404 for npm publish. Adding always-auth: true to setup-node ensures NODE_AUTH_TOKEN is properly set in .npmrc and respected by npm during publish.
| { | ||
| "name": "pi-ultra-compact", | ||
| "version": "1.1.1", | ||
| "version": "1.1.2", |
There was a problem hiding this comment.
🟡 Version bumped without a corresponding changelog entry
The package version is bumped to 1.1.2 (package.json:3) without adding a matching section to the changelog, so users and maintainers have no record of what changed in this release.
Impact: The published npm package will have an undocumented version, breaking the project's changelog-driven release process.
CONTRIBUTING.md release process violation details
The CONTRIBUTING.md release process states:
- "CHANGELOG.md is updated with
[Unreleased]entries" (step 2) - "Version bumps follow semver based on changelog content"
The CHANGELOG.md (CHANGELOG.md:36-46) has an entry for [1.1.1] but no entry for [1.1.2]. Every prior version bump in the project (1.1.1, 1.1.0, 1.0.0, etc.) includes a corresponding changelog section. This PR bumps the version but does not add a [1.1.2] section documenting the always-auth workflow fix.
Prompt for agents
The version in package.json was bumped from 1.1.1 to 1.1.2 but CHANGELOG.md has no corresponding [1.1.2] section. Per CONTRIBUTING.md, the changelog should be updated alongside version bumps. Add a [1.1.2] section to CHANGELOG.md (before the [1.1.1] section around line 36) documenting the always-auth fix to the release workflow. Follow the existing format used by other entries (e.g. the [1.1.1] entry at lines 36-46).
Was this helpful? React with 👍 or 👎 to provide feedback.
Problem
The tag-based release workflow (PR #40) ran on
v1.1.1but failed duringnpm publishwith a 404 error claiming the package was not found — even though it exists in the registry.Fix
Add
always-auth: truetoactions/setup-node@v4. This ensuresNODE_AUTH_TOKENis written to.npmrcand npm always sends auth headers for the registry, preventing 404 errors when the registry needs authentication for package verification.Quality Gates