fix(#1440): Support NPM OIDC tokens by not exporting default NODE_AUTH_TOKEN

This change addresses issue #1440 where NPM OIDC authentication was broken because the action was exporting a fake NODE_AUTH_TOKEN value by default. NPM OIDC requires NODE_AUTH_TOKEN to either be unset or empty for proper authentication. The fix only exports NODE_AUTH_TOKEN if it was explicitly set by the user, allowing OIDC to work while maintaining backward compatibility for users who explicitly provide tokens. BREAKING CHANGE: Users who rely on the fake default token should now explicitly provide NODE_AUTH_TOKEN in their workflows or use OIDC authentication. Fixes #1440 Related: https://github.com/actions/setup-node/issues/1440
2026-06-14 14:13:52 +08:00 · 2026-01-18 14:05:23 +00:00
parent 6044e13b5d
commit ecb118ff9d
4 changed files with 31 additions and 7 deletions
--- a/src/authutil.ts
+++ b/src/authutil.ts
@@ -46,9 +46,10 @@ function writeRegistryToFile(registryUrl: string, fileLocation: string) {
  newContents += `${authString}${os.EOL}${registryString}`;
  fs.writeFileSync(fileLocation, newContents);
  core.exportVariable('NPM_CONFIG_USERCONFIG', fileLocation);
-  // Export empty node_auth_token if didn't exist so npm doesn't complain about not being able to find it
-  core.exportVariable(
-    'NODE_AUTH_TOKEN',
-    process.env.NODE_AUTH_TOKEN || 'XXXXX-XXXXX-XXXXX-XXXXX'
-  );
+  // Only export NODE_AUTH_TOKEN if explicitly provided by user
+  // This is required to support NPM OIDC tokens which need NODE_AUTH_TOKEN to be unset
+  // See: https://github.com/actions/setup-node/issues/1440
+  if (Object.prototype.hasOwnProperty.call(process.env, 'NODE_AUTH_TOKEN')) {
+    core.exportVariable('NODE_AUTH_TOKEN', process.env.NODE_AUTH_TOKEN);
+  }
 }