Lerna doesn't work with NPM automation tokens
When I properly set up npm credentials inside of GitHub Actions, and use an npm automation token (which normally supports write actions), lerna fails when verifying npm auth, even though npm is properly authenticated for publishing:
$ lerna publish patch
....
lerna info Verifying npm credentials
lerna http fetch GET 403 https://registry.npmjs.org/-/npm/v1/user 241ms
403 Forbidden - GET https://registry.npmjs.org/-/npm/v1/user
lerna ERR! EWHOAMI Authentication error. Use `npm whoami` to troubleshoot.
When I switch to a read-write npm token (with OTP turned off), lerna works fine.
It appears lerna does not support npm automation tokens. It would be nice if it did, that way people won’t be inclined to turn off OTP on their human tokens.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:53
- Comments:15 (1 by maintainers)
Top GitHub Comments
Using https://github.com/lerna/lerna/tree/main/commands/publish#--no-verify-access may fix this. Automation tokens don’t have permission to access the endpoint lerna uses to verify permission.
As a longer-term fix, this should be documented or the /-/whoami endpoint should be used which can be accessed by automation tokens.

This issue thread was a real life saver - I’ve just struggled with publishing the @frsource/tiny-carousel packages for two days before finding this gold. To make life easier for the future travellers, I’ve patched a PR adding the necessary info about handling of npm automation tokens - #2825. Hope it will save some time for the others 😄
Feel free to comment/post suggestions in the PR, or just react with 👍 if agree that it should be merged.
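
A CI preflight built on the comments above, as an added example that is not part of the thread or of lerna's code: it probes the two endpoints named on this page and returns `--no-verify-access` only when the token authenticates on `/-/whoami` but is refused `/-/npm/v1/user`. `classifyToken`, `probe`, `stubFetch` and `demo` are hypothetical names, and the stubbed status codes are constructed to mirror the behaviour reported in the issue.

```javascript
// Added example, not lerna's code. Names below are hypothetical.
const REGISTRY = "https://registry.npmjs.org";

// GET <registry><path> with the token as a Bearer credential; returns the HTTP status.
async function probe(fetchImpl, registry, path, token) {
  const res = await fetchImpl(new URL(path, registry).href, {
    headers: { authorization: `Bearer ${token}`, accept: "application/json" },
  });
  return res.status;
}

// Decide which extra arguments `lerna publish` needs for this token.
// lernaArgs === null means "do not publish"; fetchImpl is injectable for offline runs.
async function classifyToken(token, { registry = REGISTRY, fetchImpl = globalThis.fetch } = {}) {
  if (!token) return { kind: "missing", lernaArgs: null };
  const whoami = await probe(fetchImpl, registry, "/-/whoami", token);
  if (whoami !== 200) return { kind: "invalid", whoami, lernaArgs: null };
  const profile = await probe(fetchImpl, registry, "/-/npm/v1/user", token);
  if (profile === 200) return { kind: "full-access", whoami, profile, lernaArgs: [] };
  // Authenticated, but refused the endpoint lerna's access check calls (the 403 in the log above).
  if (profile === 403) {
    return { kind: "profile-forbidden", whoami, profile, lernaArgs: ["--no-verify-access"] };
  }
  return { kind: "unknown", whoami, profile, lernaArgs: null };
}

// Constructed stand-in for the registry: maps URL path to a status code.
function stubFetch(statusByPath) {
  return async (url) => ({ status: statusByPath[new URL(url).pathname] ?? 404 });
}

// Offline demo with constructed responses mirroring the behaviour reported in the thread.
async function demo() {
  const automation = stubFetch({ "/-/whoami": 200, "/-/npm/v1/user": 403 });
  return classifyToken("npm_CONSTRUCTED", { fetchImpl: automation });
}

demo().then((r) => console.log(r.kind, r.lernaArgs));
```

A `null` value for `lernaArgs` should fail the job before `lerna publish` runs, so that a wrong or expired secret is not hidden by skipping verification.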