Auto: Auth not being picked up correctly in GitHub Action using Artifactory and self hosted runners
Describe the bug
I'm trying to validate a canary release that is running on a self hosted runner which pulls dependencies from a private Artifactory npm registry and then subsequently publishes a package back to it, all through a GitHub action that is on a self hosted runner. Everything seems to be working correctly except the publish step itself, and I'm seeing the following:
Subsequently, further down:
I don't necessarily have access to the runner environment as that is managed by our ops team but I have verified the following:
- The action runs in
/home/ubuntu/actions-runner/_work/fe-ui/fe-ui - The
.npmrcfile seems to be updated with the token entry correctly
//artifactory.internal.livongo.com/artifactory/api/npm/npm-repository/:_authToken=${NPM_TOKEN}
- The
.npmrcfile that is being updated with the above token lives inside of/home/ubuntu/.npmrc
To Reproduce
Expected behavior
Screenshots
Environment information:
Additional context
I would love to provide any additional info but I don't have much more to go off of. WHat can I do to add additional details that may help resolve this?
reintroducing
All 14 comments
Looks like you're using legacyAuth. I'd try turning that off first
hipstersmoothie
on 19 Mar 2021
@hipstersmoothie when you say using legacy auth, do you mean _auth = [token] in the .npmrc file? If so, that is not the case, if not, what exactly do you mean and how would I turn that off?
reintroducing
on 19 Mar 2021
You should probably work to resolve this with your devops guy.
Some tips based on our artifactory usage:
- We store a valid artifactory .npmrc in an env var that's injected during our builds
- Since we are setting the npmrc ourselves you also need to set the
npmplugin'ssetRcTokentofalse
hipstersmoothie
on 19 Mar 2021
I had noticed that the canary command in your output uses the _auth flag, which is only used if you have legacyAuth set to true in your .autorc
hipstersmoothie
on 19 Mar 2021
So the steps you could take locally are:
- get an npmrc working locally that publishes to artifactory
- copy it into an env var
- inject that env var during a build into
~/.npmrc - Make sure you have set
setRcTokentofalse
hipstersmoothie
on 19 Mar 2021
@hipstersmoothie ah, you are correct, we did set legacyAuth to true because without it (and now that I'm trying your suggestions), we are getting a 403 Forbidden from our artifactory instance. I just tried setting the registry with the token set (like in my original post but with the actual token) in the .npmrc file and still seeing a 403. I understand this is probably a limitation of our ops setup, but just out of curiosity, whats in your npmrc? Ours is the following:
registry = https://artifactory.internal.livongo.com/artifactory/api/npm/npm-virtual
email = [email protected]
always-auth = true
save-exact = true
and then in package.json:
"publishConfig": {
"registry": "https://artifactory.internal.livongo.com/artifactory/api/npm/npm-repository/"
},
You will notice that the end of the URL is different for publish vs npm installs, which my understanding was necessary through Artifactory for the caching layer, but I am definitely not an expert on Artifactory itself. I just remember that this was the only way we were able to get the auth working correctly (by using legacyAuth) when we were publishing from our local machines to Artifactory. Now, we are trying to block local publishing and offload this to GitHub Actions but, as luck would have it, I wanted to publish a canary of that change before I removed legacyAuth from our shared auto config and distributed it to all of our packages but alas, I am unable to because I now can't publish due to legacyAuth being missing, lol.
reintroducing
on 19 Mar 2021
We set this up once a long time ago but i'll try to communicate the steps we take:
Here is our internal docs for getting the npmrc set up
Other than this i'm probably not gonna be much help. Artifactory can be kinda hard to get to behave
hipstersmoothie
on 19 Mar 2021
@hipstersmoothie I appreciate your help. You are very right in terms of getting Artifactory to behave, and its especially more difficult if you can't get access to manage the instance and have to keep going back and forth with devops to try things.
regardless, i appreciate your help and will continue to plug away at this. i had already tried to mimic a setup similar to what you showed in that screenshot (and then tried it again just to verify after you posted it) and it didn't work for my use case, probably because of a setting in Artifactory that differs for us. If you don't mind, I'd like to keep this issue open and will come back and close it if/when we get this resolved. i'll probably end up stepping through the internals of auto as part of that process.
reintroducing
on 19 Mar 2021
Yeah I'm fine with that. If you come up with some good artifactory setup step we can add it to the docs too
hipstersmoothie
on 19 Mar 2021
@hipstersmoothie I am looking at this line:
https://github.com/intuit/auto/blob/v10.21.3/plugins/npm/src/set-npm-token.ts#L37
For my local machine (able to reach internal artifactory), when isCi is false, I am able to publish. If I change my local node_modules/@auto-it/npm/dist/set-npm-token.js line referenced above to be if (false) {, then I get the same 403 error as I do when isCi is true.
Either it's correct for non-ci, or correct for ci. I suspect the setTokenOnCI is not considering legacyAuth and it should?
sethomas
on 22 Mar 2021
Looks like you might have missed where I said this
Make sure you have set setRcToken to false
All that code is skipped if you have setRcToken set to false
hipstersmoothie
on 22 Mar 2021
@hipstersmoothie what a very nice response and all is well once we set setRcToken to false. Using auto via github actions to our artifactory is a GO. Thanks!
sethomas
on 22 Mar 2021
Issue can be closed, user/setup error, thanks for support.
sethomas
on 22 Mar 2021
@hipstersmoothie Thank you for being patient while we figured this out.
reintroducing
on 23 Mar 2021
Related issues
aleclarson
·
14Comments
thuringia
·
14Comments
shilman
·
7Comments
tunnckoCore
·
4Comments
zephraph
·
10Comments