0.5.0

@DavertMik DavertMik released this 13 Apr 20:14
· 2 commits to main since this release
ci: drop registry-url from setup-node — it breaks trusted publishing

setup-node with registry-url writes an .npmrc containing
  //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
With no NODE_AUTH_TOKEN in env (which is the whole point of trusted
publishing), npm substitutes an empty string and sends Authorization:
Bearer  — an empty token — which short-circuits the OIDC flow.

The sigstore sign still works (separate OIDC exchange), but the final
PUT to registry.npmjs.org gets rejected with a misleading
  404 Not Found - PUT https://registry.npmjs.org/@codeceptjs%2freflection

Omitting registry-url lets npm use its default registry and attempt
OIDC automatically. No behavior change since registry.npmjs.org is
the default anyway.

Run 24362973570 shows the exact symptom: sigstore log entry 1288262459
signed successfully, followed by the 404.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
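
A pre-publish guard for the failure mode in the commit message above, as an added example that is not part of this release or the project's workflow. The function name check_npmrc_tokens and the sample .npmrc are constructed here, and the script assumes sed, printenv and mktemp are available on the runner.

```shell
# Usage: check_npmrc_tokens PATH_TO_NPMRC
# Prints one line per "_authToken=${VAR}" entry whose VAR is unset or empty
# in the environment. Exit status is 1 if any such entry exists, else 0.
# The body is a subshell, so its variables do not leak into the caller.
check_npmrc_tokens() (
  npmrc=$1
  bad=0
  [ -f "$npmrc" ] || exit 0   # no file, so nothing can inject an empty token
  while IFS= read -r line || [ -n "$line" ]; do
    # Pull VAR out of "<registry>:_authToken=${VAR}". Comment lines (# or ;)
    # and literal tokens do not match and leave var empty.
    var=$(printf '%s\n' "$line" |
      sed -n 's/^[^#;]*:_authToken=\${\([A-Za-z_][A-Za-z0-9_]*\)}.*$/\1/p')
    [ -n "$var" ] || continue
    # printenv sees only exported variables, which is what npm would see.
    val=$(printenv "$var" || true)
    if [ -z "$val" ]; then
      printf '%s: %s expands to an empty token\n' "$npmrc" "$var"
      bad=1
    fi
  done < "$npmrc"
  exit "$bad"
)

# Demo on a constructed .npmrc holding the line quoted in the commit message.
demo=$(mktemp)
printf '%s\n' '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > "$demo"
( unset NODE_AUTH_TOKEN; check_npmrc_tokens "$demo" ) ||
  echo "remove the _authToken line (or registry-url) before npm publish"
rm -f "$demo"
```

Run as a workflow step between setup-node and npm publish, pointing it at the .npmrc that npm will read, so the job stops at the check instead of at the 404.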