Skip to content

fix(release): pin npmjs.org registry in publishConfig so changeset detection works#43

Merged
prosdev merged 1 commit into
mainfrom
fix/release-npm-info-registry
Jul 15, 2026
Merged

fix(release): pin npmjs.org registry in publishConfig so changeset detection works#43
prosdev merged 1 commit into
mainfrom
fix/release-npm-info-registry

Conversation

@prosdev

@prosdev prosdev commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Problem

After #42 fixed the pnpm/OIDC --git-checks error, the Release job still exits non-zero. changeset publish now reports both published packages as unpublished and retries them:

info    @prosdevlab/dev-agent is being published because our local version (0.13.0) has not been published on npm
info    @prosdevlab/kero      is being published because our local version (1.0.0) has not been published on npm
error   You cannot publish over the previously published versions: 1.0.0

Both packages are on npmjs.org (dev-agent has 16 versions, kero@1.0.0 since 2026-03-29), so this is a false "unpublished" detection — every no-op release goes red.

Root cause

changesets' pre-publish check runs npm info <pkg>, whose registry comes from getCorrectRegistry() (@changesets/cli changesets-cli.cjs.js:723):

const scopedRegistry =
  packageJson.publishConfig?.["@prosdevlab:registry"]   // checked first
  || process.env["npm_config_@prosdevlab:registry"];    // fallback

In CI the ambient npm_config_@prosdevlab:registry points the @prosdevlab scope at GitHub Packages, where these packages don't exist → npm info 404s → changesets assumes "not published" and tries to publish. Meanwhile OIDC trusted publishing forces the actual publish to npmjs.org, which then correctly refuses the already-published versions. That mismatch is the whole failure.

Fix

Set the scoped registry in each published package's publishConfig. Because getCorrectRegistry reads publishConfig[...] before the env var, this deterministically points npm info (and publish) at npmjs.org, so changesets sees the real versions and skips already-published packages.

"publishConfig": {
  "access": "public",
  "registry": "https://registry.npmjs.org/",
  "@prosdevlab:registry": "https://registry.npmjs.org/"
}

Applied to both published packages: @prosdevlab/dev-agent and @prosdevlab/kero.

A project .npmrc would not work here — an env var outranks project config in npm precedence; only publishConfig overrides the ambient scoped-registry env var in this code path.

Verification

Simulated getCorrectRegistry against the installed @changesets/cli source with the GitHub-Packages env var set — publishConfig still resolves to https://registry.npmjs.org/ for both packages. Typecheck passes. Registry URLs only (no secrets); publishConfig applies at publish time and does not affect package consumers.

Expected result after merge

On the next main push, changeset publish queries npmjs.org, sees dev-agent@0.13.0 and kero@1.0.0 already published, publishes nothing, and the Release job goes green.

🤖 Generated with Claude Code

…tection works

After the pnpm 10 fix unblocked OIDC publishing, the Release job still
exits non-zero: `changeset publish` reports both @prosdevlab/dev-agent and
@prosdevlab/kero as "has not been published on npm" and tries to publish
them, then npm rejects the already-published versions ("cannot publish over
the previously published versions").

Root cause: changesets' pre-publish check runs `npm info <pkg>` whose
registry comes from getCorrectRegistry() — which resolves the scoped
registry from `publishConfig["@prosdevlab:registry"]` OR the ambient
`npm_config_@prosdevlab:registry` env var. In CI that env var points the
@prosdevlab scope at GitHub Packages, where these packages don't exist, so
`npm info` 404s and changesets assumes they're unpublished. Meanwhile OIDC
trusted publishing forces the actual publish to npmjs.org, which then
correctly refuses the existing versions. Net: every no-op release is red.

Fix: set the scoped registry in each published package's publishConfig.
getCorrectRegistry reads publishConfig before the env var (`?.[] || env`),
so this deterministically points `npm info` (and publish) at npmjs.org —
changesets sees the real published versions and skips them. Verified by
simulating getCorrectRegistry against the installed @changesets/cli source:
with the GitHub-Packages env var set, publishConfig still resolves to
https://registry.npmjs.org/.

Registry URLs only; no secrets. publishConfig applies at publish time and
does not affect package consumers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@prosdev prosdev merged commit 91758da into main Jul 15, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant