NPM registry 401 Unauthorized CI_JOB_TOKEN bug
Summary
When trying to publish a package to the NPM Registry using the GitLab CI/CD pipeline, I receive a 401 Unauthorized message when attempting to publish the package. The CI_JOB_TOKEN (and/or CI_PROJECT_ID) are invalid/unauthorized when publishing. However, creating a manual API token and hard-coding the token into the .npmrc file works.
Steps to reproduce
- Run GitLab CI/CD on the package you wish to publish using CI tokens. Follow the GitLab npm registry guide for more details on how to set it up. Ex:
@foo:registry=https://gitlab.com/api/v4/packages/npm/
//gitlab.com/api/v4/packages/npm/:_authToken=${CI_JOB_TOKEN}
//gitlab.com/api/v4/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=${CI_JOB_TOKEN}
- Reviewing the .npmrc as an artifact shows the tokens are indeed injected into the appropriate namespaces.
- Attempt to publish and receive this error:
$ npm publish
npm notice
npm notice package: @foo/ma-compare@0.0.7
npm notice === Tarball Contents ===
npm notice 12.1kB esm2015/lib/ma-compare/ma-compare.component.js
npm notice 3.0kB esm2015/lib/ma-compare.module.js
npm notice 2.3kB esm2015/lib/ma-quote-wrapper.js
npm notice 512B esm2015/foo-ma-compare.js
npm notice 9.2kB fesm2015/foo-ma-compare.js
npm notice 10.7kB bundles/foo-ma-compare.umd.js
npm notice 8.4kB bundles/foo-ma-compare.umd.min.js
npm notice 673B esm2015/public-api.js
npm notice 8.6kB foo-ma-compare.metadata.json
npm notice 857B package.json
npm notice 4.1kB fesm2015/foo-ma-compare.js.map
npm notice 4.4kB bundles/foo-ma-compare.umd.js.map
npm notice 3.9kB bundles/foo-ma-compare.umd.min.js.map
npm notice 634B CHANGELOG.md
npm notice 13B README.md
npm notice 948B lib/ma-compare/ma-compare.component.d.ts
npm notice 41B lib/ma-compare.module.d.ts
npm notice 1.4kB lib/ma-quote-wrapper.d.ts
npm notice 78B foo-ma-compare.d.ts
npm notice 96B public-api.d.ts
npm notice === Tarball Details ===
npm notice name: @foo/ma-compare
npm notice version: 0.0.7
npm notice package size: 13.2 kB
npm notice unpacked size: 72.0 kB
npm notice shasum: c8583ae431eaba5d91a6ea97b3b6262aa972b3ef
npm notice integrity: sha512-JniqRtbMIegAj[...]joVyo0zldojmQ==
npm notice total files: 20
npm notice
npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://gitlab.foo.com/api/v4/projects/134/packages/npm/@foo%2fma-compare
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2020-09-11T14_06_32_626Z-debug.log
ERROR: Job failed: command terminated with exit code 1
What is the current bug behavior?
I cannot successfully publish a package to the npm registry using CI tokens. Only hardcoded manual API tokens seem to work.
What is the expected correct behavior?
I should be able to use CI tokens. I have published packages before using the CI pipeline tokens. This behavior was working up until recently (about 1 week ago).
Results of GitLab environment info
- Self-hosted on GitLab Ultimate (v13.3.5)
- Running with gitlab-runner 13.2.3
- Using Kubernetes executor with image node:latest
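A pre-publish check for the CI job, added here as an example (not code from the report or from GitLab or npm): it parses the expanded .npmrc and reports which `_authToken` entry, if any, covers the URL npm sends the PUT to. The sample reuses the report's values as written, including `gitlab.com` in the .npmrc and `gitlab.foo.com` in the error line, which may simply be uneven redaction. The function names and the lookup rule (walking the path upward, as recent npm releases do) are assumptions.

```javascript
// Constructed sample: the report's .npmrc after CI variable expansion.
// PLACEHOLDER stands in for the job token; 134 is the project id in the error line.
const SAMPLE_NPMRC = [
  '@foo:registry=https://gitlab.com/api/v4/packages/npm/',
  '//gitlab.com/api/v4/packages/npm/:_authToken=PLACEHOLDER',
  '//gitlab.com/api/v4/projects/134/packages/npm/:_authToken=PLACEHOLDER',
].join('\n');
const FAILED_PUT = 'https://gitlab.foo.com/api/v4/projects/134/packages/npm/@foo%2fma-compare';

// Parse key=value lines, skipping blanks and # or ; comments.
function parseNpmrc(text) {
  const cfg = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq > 0) cfg.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return cfg;
}

// Return the .npmrc key whose token applies to requestUrl, or null.
// Assumption: lookup starts at //host/full/path and walks up to //host.
function findAuthKey(cfg, requestUrl) {
  const u = new URL(requestUrl);
  let key = `//${u.host}${u.pathname}`;
  while (key.length > 2) {
    if (cfg.has(`${key}:_authToken`)) return `${key}:_authToken`;
    key = key.replace(/([^/]+|\/)$/, ''); // drop last segment or trailing slash
  }
  return null;
}

// List registry and credential keys that point at a different host than requestUrl.
function hostMismatches(cfg, requestUrl) {
  const host = new URL(requestUrl).host;
  const out = [];
  for (const [k, v] of cfg) {
    let h = null;
    if (k === 'registry' || k.endsWith(':registry')) h = new URL(v).host;
    else if (k.startsWith('//')) h = k.slice(2).split('/')[0];
    if (h && h !== host) out.push(k);
  }
  return out;
}

const parsed = parseNpmrc(SAMPLE_NPMRC);
console.log('token entry used:', findAuthKey(parsed, FAILED_PUT));
console.log('keys on another host:', hostMismatches(parsed, FAILED_PUT));
```

Run it against the real .npmrc in the job before `npm publish`; only key names are printed, so the token value stays out of the job log.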