Skip to content

ci: Use npm registry HTTP API for dist-tag promotion (no-changelog)#28898

Queued
Matsuuu wants to merge 3 commits intomasterfrom
fix/npm-scoped-package-dist-tag-auth
Queued

ci: Use npm registry HTTP API for dist-tag promotion (no-changelog)#28898
Matsuuu wants to merge 3 commits intomasterfrom
fix/npm-scoped-package-dist-tag-auth

Conversation

@Matsuuu
Copy link
Copy Markdown
Member

@Matsuuu Matsuuu commented Apr 22, 2026
edited
Loading

Summary

Follow-up to #28889

The release-set-stable-npm-packages-to-latest workflow was failing with 403 errors when setting latest dist-tags for scoped @n8n/* packages.

Fix: replace the npm dist-tag add CLI calls with direct fetch requests to the npm registry HTTP API (PUT /-/package/:name/dist-tags/:tag), passing NPM_TOKEN explicitly via env var. This bypasses the CLI auth resolution chain entirely and works identically for both scoped and unscoped packages.

Additional improvements:

  • Network errors (thrown by fetch) are caught and reported per-package rather than crashing the whole run
  • HTTP failures now log the status code and registry response body for easier debugging
  • Process exits non-zero if any package fails

Related Linear tickets, Github issues, and Community forum posts

No ticket — identified from CI failure logs.

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with `Backport to Beta`, `Backport to Stable`, or `Backport to v1` (if the PR is an urgent fix that needs to be backported)

🤖 PR Summary generated by AI

Matsuuu and others added 3 commits April 22, 2026 13:51
@Matsuuu @claude
fix(ci): Add explicit registry scope for @n8n packages in dist-tag wo…
b3f604b 
…rkflow (no-changelog)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Matsuuu @claude
fix(ci): Use npm registry HTTP API for dist-tag promotion (no-changelog)
0463364 
Replaces npm CLI dist-tag calls (which suffer from auth resolution issues
for scoped packages per npm/cli#8547) with direct fetch calls to the npm
registry API, passing NPM_TOKEN explicitly via env var.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Matsuuu
Merge branch 'master' into fix/npm-scoped-package-dist-tag-auth
b5f1160
@n8n-assistant n8n-assistant Bot added the n8n team Authored by the n8n team label Apr 22, 2026
@Matsuuu Matsuuu self-assigned this Apr 22, 2026
@Matsuuu Matsuuu requested a review from shortstacked April 22, 2026 12:06
@Matsuuu Matsuuu marked this pull request as ready for review April 22, 2026 12:07
@Matsuuu Matsuuu requested a review from a team as a code owner April 22, 2026 12:07
@Matsuuu Matsuuu changed the title fix(ci): Use npm registry HTTP API for dist-tag promotion (no-changelog) ci: Use npm registry HTTP API for dist-tag promotion (no-changelog) Apr 22, 2026
@Matsuuu Matsuuu enabled auto-merge April 22, 2026 12:11
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

Architecture diagram 
sequenceDiagram
    participant GHA as GitHub Actions Runner
    participant Script as Promotion Script
    participant Pnpm as Monorepo Utils
    participant Registry as npm Registry API

    Note over GHA,Registry: NEW: Direct HTTP Registry Interaction Flow

    GHA->>Script: Execute (node set-latest-for-monorepo-packages.mjs)
    Note right of GHA: Injected: NPM_TOKEN env var

    Script->>Pnpm: getMonorepoProjects()
    Pnpm-->>Script: List of package names + versions

    loop For each public package
        Script->>Script: URL-encode package name (e.g. @n8n/core -> @n8n%2fcore)
        
        Script->>Registry: CHANGED: PUT /-/package/:name/dist-tags/latest
        Note right of Script: Headers: Authorization Bearer [TOKEN]<br/>Body: "version.string"
        
        alt Success (HTTP 2xx)
            Registry-->>Script: 200 OK
            Script->>GHA: Log success
        else HTTP Error (e.g. 403, 404)
            Registry-->>Script: Error Status + Body
            Script->>GHA: NEW: Log status code and response body
            Script->>Script: Record failure
        else Network Error
            Script->>GHA: NEW: Catch fetch error and log
            Script->>Script: Record failure
        end
    end

    alt Any packages failed
        Script-->>GHA: NEW: Throw Error (Process Exit 1)
    else All packages succeeded
        Script-->>GHA: Success (Process Exit 0)
    end
Loading

@Matsuuu Matsuuu added this pull request to the merge queue Apr 22, 2026
Any commits made after this event will not be merged.
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to no response for status checks Apr 22, 2026
@Matsuuu Matsuuu added this pull request to the merge queue Apr 22, 2026
Any commits made after this event will not be merged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@shortstacked shortstacked shortstacked approved these changes

Assignees

@Matsuuu Matsuuu

Labels

Backport to Beta Backport to Stable n8n team Authored by the n8n team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Matsuuu @shortstacked