Skip to content

fix: remove registry-url from setup-node to avoid conflicts with semantic-release #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
codfish wants to merge 1 commit into
base: main
Choose a base branch
from
+44 −1
Open

fix: remove registry-url from setup-node to avoid conflicts with semantic-release #48

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions setup-node-and-install/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@ When multiple version specification methods are present, the action uses this pr
| `node-version` | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node. | No | - |
| `install-options` | Extra command-line options to pass to npm/pnpm/yarn install. | No | - |
| `working-directory` | Directory containing package.json and lockfile. | No | `.` |
| `registry-url` | Registry URL for npm authentication (e.g. "https://registry.npmjs.org/"). See [Registry URL Configuration](#registry-url-configuration) below. | No | - |
Copy link

@coderabbitai coderabbitai bot Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

This line is inside auto-generated markers and may be overwritten.

Line 93 falls between <!-- start inputs --> and <!-- end inputs --> markers. Per coding guidelines, content between HTML comment markers is auto-generated and should not be manually edited. Ensure the auto-generation tool is run so this row is produced from action.yml rather than hand-edited here.

As per coding guidelines, "NEVER edit content between HTML comment markers in README files (doctoc markers, action docs markers, inputs/outputs markers). These indicate auto-generated content that will be overwritten."

🤖 Prompt for AI Agents 
In `@setup-node-and-install/README.md` at line 93, The README row for
`registry-url` is inside the auto-generated section between the HTML markers
<!-- start inputs --> and <!-- end inputs --> and must not be manually edited;
re-run the README generation tool that produces docs from action.yml so the
`registry-url` input (and its row) is regenerated from action.yml instead of
hand-editing the README, ensuring content between those markers is only updated
by the generator.

| `upgrade-npm` | Whether to upgrade npm to v11.5.1. This is required for OIDC trusted publishing but can be disabled if you want to shave off some run time and you are still using token-based authentication. | No | `true` |

<!-- end inputs -->
Expand All @@ -114,6 +115,42 @@ This action automatically upgrades npm to **v11** after Node.js setup (pinned to
The upgrade happens transparently and is logged in the workflow output. The version is pinned to prevent unexpected
breaking changes while still receiving patch and minor updates within v11.

## Registry URL Configuration

The `registry-url` input configures npm authentication by creating a `.npmrc` file with a `NODE_AUTH_TOKEN` placeholder.
**In most cases, you should NOT set this parameter.**

### When NOT to use registry-url (recommended)

**Skip this parameter if:**

- You're **only installing dependencies** (the primary use case for this action) - authentication is not needed for
public packages
- You're using **semantic-release** for publishing - it handles npm authentication independently and `registry-url` can
cause conflicts
([semantic-release docs](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#important-avoid-registry-url-in-setup-node))
- You're using **OIDC trusted publishing** with npm - the upgraded npm v11 handles this automatically

### When to use registry-url

**Only set this parameter if:**

- You're publishing to npm using **manual `npm publish`** (not semantic-release)
- You need to authenticate to a **private npm registry**
- You're using **legacy token-based publishing** and need the `.npmrc` file created

### Example with registry-url

```yml
- uses: codfish/actions/setup-node-and-install@v3
with:
registry-url: 'https://registry.npmjs.org/'
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- run: npm publish
```

## Examples

### With specific Node version
Expand Down
8 changes: 7 additions & 1 deletion setup-node-and-install/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@ inputs:
working-directory:
description: Directory containing package.json and lockfile.
default: .
registry-url:
description:
'Optional registry URL to configure for publishing (e.g. "https://registry.npmjs.org/"). Creates .npmrc with
NODE_AUTH_TOKEN placeholder. NOT recommended if using semantic-release (it handles auth independently). Only
needed for publishing with manual npm publish or other non-semantic-release workflows.'
required: false
upgrade-npm:
description:
Whether to upgrade npm to v11.5.1. This is required for OIDC trusted publishing but can be disabled if you want to
Expand Down Expand Up @@ -129,7 +135,7 @@ runs:
cache: ${{ steps.detect-package-manager.outputs.package-manager }}
cache-dependency-path: ${{ inputs.working-directory }}
node-version: ${{ steps.detect-node-version.outputs.version }}
registry-url: 'https://registry.npmjs.org/'
registry-url: ${{ inputs.registry-url }}

- name: Upgrade npm for OIDC support
if: inputs.upgrade-npm == 'true'
Expand Down
Loading