fix(ci): upgrade npm + clear stale _authToken before OIDC publish

SPCFXDA · SPCFXDA · commit bd211ce4f2f7 · 2026-02-28T22:25:41.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -106,22 +106,42 @@ jobs:
         with:
           name: build-artifacts
 
+      # ── 0. Upgrade npm so OIDC trusted publishing works reliably ────────────
+      # actions/setup-node writes `_authToken=${NODE_AUTH_TOKEN}` to .npmrc.
+      # When NODE_AUTH_TOKEN is unset, some npm versions treat the empty value
+      # as an invalid token ("Access token expired") instead of falling through
+      # to OIDC. Upgrading npm to latest (11.x) and clearing the stale auth
+      # entry ensures the OIDC exchange is always used for publishing.
+      - name: Upgrade npm and clear stale auth
+        run: |
+          npm install -g npm@latest
+          npm --version
+          # Remove the empty _authToken written by actions/setup-node so npm
+          # finds no static credential and uses the OIDC token instead.
+          npm config delete "//registry.npmjs.org/:_authToken" || true
+
       # ── 1. Publish all @cfxdevkit/* library packages ───────────────────────
       # IMPORTANT: Use `npm publish` (not `pnpm publish`) so the npm CLI can
       # automatically exchange the GitHub OIDC token for a short-lived npm
       # credential. `pnpm publish` does NOT trigger the OIDC token exchange,
       # which causes "Access token expired" + E404 even when trusted publishing
       # is correctly configured on npmjs.com.
-      #
-      # Provenance attestation is generated automatically by npm when publishing
-      # via OIDC trusted publishing — no --provenance flag needed.
       - name: Publish @cfxdevkit/* packages
         run: |
+          set -e
+          failed=''
           for pkg_dir in packages/*/; do
             pkg_name=$(node -p "require('./${pkg_dir}package.json').name")
             echo "\n--- Publishing ${pkg_name} ---"
-            npm publish "${pkg_dir}" --access public
+            if ! npm publish "${pkg_dir}" --access public; then
+              echo "::error::Failed to publish ${pkg_name}"
+              failed="${failed} ${pkg_name}"
+            fi
           done
+          if [ -n "$failed" ]; then
+            echo "::error::The following packages failed to publish:${failed}"
+            exit 1
+          fi
 
       # ── 2. Publish the conflux-devkit CLI ──────────────────────────────────
       # `pnpm pack` normalises workspace:* dependency versions in package.json
