diff --git a/scripts/plugin-npm-publish.sh b/scripts/plugin-npm-publish.sh index b283b0133c8..436a9192361 100644 --- a/scripts/plugin-npm-publish.sh +++ b/scripts/plugin-npm-publish.sh @@ -62,7 +62,6 @@ echo "Current beta dist-tag: ${current_beta_version:-}" echo "Resolved release channel: ${release_channel}" echo "Resolved publish tag: ${publish_tag}" echo "Resolved mirror dist-tags: ${mirror_dist_tags_csv:-}" -echo "Publish auth: GitHub OIDC trusted publishing" echo "Mirror dist-tag auth source: ${mirror_auth_source}" echo "Mirror dist-tag auth requirement: ${mirror_auth_requirement}" @@ -75,6 +74,13 @@ case "${mirror_auth_source}" in mirror_auth_token="${NPM_TOKEN:-}" ;; esac +publish_auth_token="${mirror_auth_token}" +publish_auth_source="${mirror_auth_source}" +if [[ -n "${publish_auth_token}" ]]; then + echo "Publish auth: ${publish_auth_source} with provenance" +else + echo "Publish auth: GitHub OIDC trusted publishing" +fi if [[ "${mirror_auth_requirement}" == "required" && -z "${mirror_auth_token}" ]]; then echo "npm dist-tag mirroring requires explicit npm auth via NODE_AUTH_TOKEN or NPM_TOKEN." >&2 @@ -92,11 +98,22 @@ fi ( cd "${package_dir}" - "${publish_cmd[@]}" + cleanup_files=() + trap 'rm -f "${cleanup_files[@]}"' EXIT + publish_userconfig="" + if [[ -n "${publish_auth_token}" ]]; then + publish_userconfig="$(mktemp)" + cleanup_files+=("${publish_userconfig}") + chmod 0600 "${publish_userconfig}" + printf '%s\n' "//registry.npmjs.org/:_authToken=${publish_auth_token}" > "${publish_userconfig}" + NPM_CONFIG_USERCONFIG="${publish_userconfig}" "${publish_cmd[@]}" + else + "${publish_cmd[@]}" + fi if [[ -n "${mirror_dist_tags_csv}" ]]; then mirror_userconfig="$(mktemp)" - trap 'rm -f "${mirror_userconfig}"' EXIT + cleanup_files+=("${mirror_userconfig}") chmod 0600 "${mirror_userconfig}" printf '%s\n' "//registry.npmjs.org/:_authToken=${mirror_auth_token}" > "${mirror_userconfig}"