fix(#1440): Support NPM OIDC tokens by not exporting default NODE_AUTH_TOKEN

This change addresses issue #1440 where NPM OIDC authentication was broken
because the action was exporting a fake NODE_AUTH_TOKEN value by default.

NPM OIDC requires NODE_AUTH_TOKEN to either be unset or empty for proper
authentication. The fix only exports NODE_AUTH_TOKEN if it was explicitly
set by the user, allowing OIDC to work while maintaining backward compatibility
for users who explicitly provide tokens.

BREAKING CHANGE: Users who rely on the fake default token should now explicitly
provide NODE_AUTH_TOKEN in their workflows or use OIDC authentication.

Fixes #1440
Related: https://github.com/actions/setup-node/issues/1440
Satishchoudhary94 2026-01-18 14:05:23 +00:00
parent 6044e13b5d
commit ecb118ff9d
4 changed files with 31 additions and 7 deletions

8
dist/setup/index.js vendored

@ -53633,8 +53633,12 @@ function writeRegistryToFile(registryUrl, fileLocation) {
newContents += `${authString}${os.EOL}${registryString}`;
fs.writeFileSync(fileLocation, newContents);
core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
// Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX');
// Only export NODE_AUTH_TOKEN if explicitly provided by user
// This is required to support NPM OIDC tokens which need NODE_AUTH_TOKEN to be unset
// See: https://github.com/actions/setup-node/issues/1440
if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) {
core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
}
}