[GOG-1783] Authenticate yarn install against npm.powerapp.cloud #40
Open
indiebrain wants to merge 2 commits into
The build job runs from GitHub-hosted runners whose egress IPs fall outside the HAProxy LAN allowlist (10/8, 192.168/16, 172.16/12), so the registry responds with 401 + Basic auth challenge for any unauthenticated fetch from a tarball URL like https://npm.powerapp.cloud/... Existing yarn.lock files in consumer repos historically resolved every dep at registry.yarnpkg.com, so the build job never touched the internal registry and the missing auth went unnoticed. Renovate now writes lockfile entries with resolved: https://npm.powerapp.cloud/... (because its own .npmrc, configured via powerhome/renovate-config, makes that the default registry), which forces yarn install to authenticate. The secret was already declared as required on this workflow but only consumed by the release job; this wires it into the build job too via setup-node's registry-url/always-auth and NODE_AUTH_TOKEN.
indiebrain
commented
May 11, 2026
This was referenced May 12, 2026
c-gerke
reviewed
May 12, 2026
xjunior
approved these changes
May 14, 2026
Summary
- `yarn-package.yml` runs on GitHub-hosted runners whose egress IPs aren't in the HAProxy LAN allowlist (`10/8`, `192.168/16`, `172.16/12`) that fronts `npm.powerapp.cloud`. Unauthenticated tarball fetches receive `401 + WWW-Authenticate: Basic realm="npm-registry"`.
- `yarn.lock` files had every entry resolved at `registry.yarnpkg.com`, so the build job never actually hit the internal registry. Renovate (configured via `powerhome/renovate-config`'s `use-internal-registry.json`) writes new lockfile entries with `resolved: https://npm.powerapp.cloud/...`, which forces yarn install to authenticate.
- `npm_token` secret was already declared as required on this reusable workflow but only consumed by the `release` job. This wires it into the build job too via `setup-node`'s `registry-url`/`always-auth` and `NODE_AUTH_TOKEN` on `yarn install`.

Trigger / first observed failure: powerhome/compass#117 "Update dependency eslint to v10" — first PR to introduce a new dep through this workflow after Renovate's internal-registry config landed.
Test plan
- `yarn install --frozen-lockfile` should succeed against the Renovate-generated `resolved: https://npm.powerapp.cloud/...` URLs.
- `yarn-package.yml` (existing repos whose lockfiles still point at `registry.yarnpkg.com` should continue to work; `setup-node` writing an authenticated `.npmrc` doesn't affect requests to other hosts).
- `release` job still works on the next tag push — it sets its own `registry-url: https://registry.npmjs.org` for `yarn publish`, which is unrelated to the build-job change here.
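
An added example, not part of this PR or the powerhome workflows: a lockfile audit that reports which `yarn.lock` entries will be fetched from the token-protected registry, which stay on the public one, and which point anywhere else. The host sets, the bucket names and the sample lockfile are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts taken from the PR text; the split into two sets is this example's assumption.
TOKEN_HOSTS = {"npm.powerapp.cloud"}      # answers 401 to unauthenticated runners
PUBLIC_HOSTS = {"registry.yarnpkg.com"}   # anonymous fetches work

# yarn v1 writes `resolved "<url>"`; the optional colon also accepts the
# `resolved: <url>` spelling used in the PR description.
RESOLVED_RE = re.compile(r'^\s+resolved:?\s+"?(?P<url>[^"\s]+)"?\s*$')

# Constructed sample lockfile (not from any real repository).
SAMPLE_LOCK = '''\
# yarn lockfile v1

eslint@^10.0.0:
  version "10.0.0"
  resolved "https://npm.powerapp.cloud/eslint/-/eslint-10.0.0.tgz#0000"

lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#0000"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "http://mirror.example.invalid/left-pad/-/left-pad-1.3.0.tgz#0000"
'''


def audit_lockfile(text):
    """Bucket each lockfile entry by the registry host its tarball comes from."""
    report = {"needs_token": [], "public": [], "unexpected": []}
    entry = None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            entry = line.rstrip().rstrip(":")  # header line, e.g. eslint@^10.0.0:
            continue
        m = RESOLVED_RE.match(line)
        if not (m and entry):
            continue
        url = urlsplit(m.group("url"))
        host = url.hostname or ""
        if url.scheme == "https" and host in TOKEN_HOSTS:
            report["needs_token"].append(entry)
        elif url.scheme == "https" and host in PUBLIC_HOSTS:
            report["public"].append(entry)
        else:  # unknown host or non-HTTPS: review before letting CI fetch it
            report["unexpected"].append(f"{entry} -> {url.scheme}://{host}")
    return report
```

A non-empty `needs_token` bucket means the job running `yarn install` must have the registry token available; a non-empty `unexpected` bucket is worth reviewing before the lockfile change merges.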