Gitlab semantic release not using private registry

Question

I'm trying to use semantic-release to publish to a scoped private registry on gitlab but I keep getting error because it's trying to auth against the public registry instead the private one.

Here are my settings (with some things obscured)

package.json

    {
      "name": "@mygroup/npm_registry",
      "version": "1.0.12",
      "description": "Test",
      "main": "index.ts",
      "repository": "https://gitlab.com/mygroup/randomStuff/npm_registry",
      "author": "An author",
      "license": "UNLICENSED",
      "private": false,
      "scripts": {
        .....
           "semantic-release": "semantic-release"
      },
      "dependencies": {
      ......
      },
      "devDependencies": {
      .....
        "semantic-release": "^17.4.4",
        "@semantic-release/commit-analyzer": "^8.0.1",
        "@semantic-release/release-notes-generator": "^9.0.3",
        "@semantic-release/gitlab": "^6.2.1",
        "@semantic-release/npm": "^7.1.3",
        "@semantic-release/git": "^9.0.0"
      }
      .......
    "publishConfig": {
        "@mygroup:registry": "https://gitlab.com/api/v4/projects/XXXXXX/packages/npm/"
      }
    }

.npmrc (The authTokens are personal tokens with full access)

    //gitlab.com/api/v4/projects/XXXXXXX/packages/npm/:_authToken=YYYYYYYYYYYYYYYYY
    //gitlab.com/api/v4/packages/npm/:_authToken=YYYYYYYYYYYYYYYYY
    @mygroup:registry "https://gitlab.com/api/v4/packages/npm/"

.releaserc.json

    {
        "branches": ["main"],
        "plugins": [
          "@semantic-release/commit-analyzer",
          "@semantic-release/release-notes-generator",
          [
            "@semantic-release/gitlab",
            {
              "gitlabUrl": "https://gitlab.com",
              "gitlabApiPathPrefix": "/api/v4",
              "verifyConditions": []
            }
          ],
          "@semantic-release/npm",
          [
            "@semantic-release/git",
            {
              "assets": ["package.json"],
              "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
            }
          ]
        ]
      }

I've tried multiple ways of running it from local which prompts me for username and password multiple times (for password I use a gitlab personal access token) and from CI/CD using:

.gitlab-ci.yaml

    default:
      image: node:14.17
    
    variables:
      NPM_TOKEN: ${CI_JOB_TOKEN}
    
    stages:
      - publish
    
    Publish:
      stage: publish
      script:
        - mkdir -p /root/.config/git
        - echo https://myusername:[email protected]/ > /root/.config/git/credentials
        - git config --global credential.helper store
        - GL_TOKEN=YYYYYYYYYYYYYY;NPM_TOKEN=YYYYYYYYYYYYYY; npm run semantic-release --debug

It's worth noting that the exact steps on the CI/CD have changed a lot since I've been testing multiple things like not passing the vars on the call and making sure they are all setup directly on gitlab but nothing works.

For environment variables I have NPM_TOKEN, GL_TOKEN, GITLAB_TOKEN.

Here is the actual error when running locally:

>> @mygroup/[email protected] semantic-release
>> semantic-release
>
>[11:36:42 a.m.] [semantic-release] › ℹ  Running semantic-release version 17.4.4
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/gitlab"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/npm"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/git"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/npm"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/git"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/gitlab"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/npm"
>[11:36:42 a.m.] [semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/npm"
>[11:36:42 a.m.] [semantic-release] › ⚠  This run was not triggered in a known CI environment, running in dry-run mode.
>j[11:36:56 a.m.] [semantic-release] › ⚠  Run automated release from branch main on repository https://gitlab.com/mygroup/randomStuff/npm_registry in dry-run mode
>[11:37:00 a.m.] [semantic-release] › ✔  Allowed to push to the Git repository
>[11:37:00 a.m.] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/gitlab"
>[11:37:00 a.m.] [semantic-release] [@semantic-release/gitlab] › ℹ  Verify GitLab authentication (https://gitlab.com/api/v4)
>[11:37:00 a.m.] [semantic-release] › ✖  Failed step "verifyConditions" of plugin "@semantic-release/gitlab"
>[11:37:00 a.m.] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/npm"
>[11:37:00 a.m.] [semantic-release] [@semantic-release/npm] › ℹ  Verify authentication for registry https://registry.npmjs.org/
>[11:37:00 a.m.] [semantic-release] [@semantic-release/npm] › ℹ  Reading npm config from /home/user/Work/git/npm_registry/.npmrc
>[11:37:00 a.m.] [semantic-release] [@semantic-release/npm] › ℹ  Wrote NPM_TOKEN to /tmp/6a8800c051f3e40927850be223835151/.npmrc
>npm ERR! code E401
>npm ERR! 401 Unauthorized - GET https://registry.npmjs.org/-/whoami
>
>npm ERR! A complete log of this run can be found in:
>npm ERR!     /home/user/.npm/_logs/2021-07-22T18_37_01_006Z-debug.log
>[11:37:01 a.m.] [semantic-release] › ✖  Failed step "verifyConditions" of plugin "@semantic-release/npm"
>[11:37:01 a.m.] [semantic-release] › ℹ  Start step "verifyConditions" of plugin "@semantic-release/git"
>[11:37:01 a.m.] [semantic-release] › ✔  Completed step "verifyConditions" of plugin "@semantic-release/git"
>[11:37:01 a.m.] [semantic-release] › ✖  EINVALIDNPMTOKEN Invalid npm token.
>The npm token (https://github.com/semantic-release/npm/blob/master/README.md#npm-registry-authentication) configured in the NPM_TOKEN environment variable must be a valid token (https://docs.npmjs.com/getting-started/working_with_tokens) allowing to publish to the registry https://registry.npmjs.org/.
>
>If you are using Two Factor Authentication for your account, set its level to "Authorization only" (https://docs.npmjs.com/getting-started/using-two-factor-authentication#levels-of-authentication) in your account settings. semantic-release cannot publish with the default "
>Authorization and writes" level.
>
>Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.
>
>[11:37:01 a.m.] [semantic-release] › ✖  An error occurred while running semantic-release: HTTPError: Response code 403 (Forbidden)
>    at EventEmitter.<anonymous> (/home/user/Work/git/npm_registry/node_modules/got/dist/source/as-promise.js:118:31)
>    at processTicksAndRejections (internal/process/task_queues.js:93:5) {
>  pluginName: '@semantic-release/gitlab'
>}
>AggregateError: 
>    HTTPError: Response code 403 (Forbidden)
>        at EventEmitter.<anonymous> (/home/user/Work/git/npm_registry/node_modules/got/dist/source/as-promise.js:118:31)
>    SemanticReleaseError: Invalid npm token.
>        at module.exports (/home/user/Work/git/npm_registry/node_modules/@semantic-release/npm/lib/get-error.js:6:10)
>        at module.exports (/home/user/Work/git/npm_registry/node_modules/@semantic-release/npm/lib/verify-auth.js:26:33)
>        at async verifyConditions (/home/user/Work/git/npm_registry/node_modules/@semantic-release/npm/index.js:36:7)
>        at async validator (/home/user/Work/git/npm_registry/node_modules/semantic-release/lib/plugins/normalize.js:34:24)
>        at async /home/user/Work/git/npm_registry/node_modules/semantic-release/lib/plugins/pipeline.js:37:34
>        at async Promise.all (index 0)
>        at async next (/home/user/Work/git/npm_registry/node_modules/p-reduce/index.js:16:18)
>    at /home/user/Work/git/npm_registry/node_modules/semantic-release/lib/plugins/pipeline.js:54:11
>    at processTicksAndRejections (internal/process/task_queues.js:93:5)
>    at async Object.pluginsConf.<computed> [as verifyConditions] (/home/user/Work/git/npm_registry/node_modules/semantic-release/lib/plugins/index.js:80:11)
>    at async run (/home/user/Work/git/npm_registry/node_modules/semantic-release/index.js:95:3)
>    at async module.exports (/home/user/Work/git/npm_registry/node_modules/semantic-release/index.js:260:22)
>    at async module.exports (/home/user/Work/git/npm_registry/node_modules/semantic-release/cli.js:55:5)

I get the same when running through CI/CD

Not sure if it helps but here is the folder structure also:

    .
    ├── dist
    │   └── ...
    ├── node_modules
    │   └── ...
    ├── src
    │   └── ...
    ├── types
    │   └── ...
    ├── .gitignore
    ├── .gitlab-ci.yml
    ├── .npmrc
    ├── .releaserc.json
    ├── package-lock.json
    ├── package.json
    └── tsconfig.json

Any idea if this is a configuration issue or maybe I'm using incompatible versions of semantic packages?

EDIT: So I realized if on the package.json I change the private field from false to true then I no longer get the error and semantic-release actually completes everything however no package is actually published on the registry. Noticed that it says skipped actual npm publish step since it's marked as private.

Answer 1

The solution was given to me by a devs on the semantic-release github page and basically boils down to me having a badly formatted .npmrc.

So mine has:

@mygroup:registry "https://gitlab.com/api/v4/packages/npm/"

But it should be:

@mygroup:registry=https://gitlab.com/api/v4/packages/npm/

Another way I got around it before knowing the actual problem was by doing:

export NPM_CONFIG_REGISTRY=https://gitlab.com/api/v4/projects/XXXX/packages/npm/

But this is more of a workaround and can only be done at the moment of running semantic-release and not before since it overrides all registries and thus cannot install any public package.

Edit: Adding link to the github conversation https://github.com/semantic-release/npm/issues/381

Answer 2

before_script:
- whoami
- apt-get update && apt-get install -y --no-install-recommends git-core ca-certificates
- npm install @semantic-release/gitlab
- |
  {
    echo "@${CI_PROJECT_ROOT_NAMESPACE}:registry=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/npm/"
    echo "${CI_API_V4_URL#https?}/projects/${CI_PROJECT_ID}/packages/npm/:_authToken=\${GITLAB_TOKEN}"
  } | tee -a .npmrc