
add node auth token env in vulnerability-and-outdated-packages-report#42

Open: muhamedsk wants to merge 1 commit into main from add-node-token-in-vulnerability-and-outdated-report

Conversation

@muhamedsk muhamedsk commented Jun 2, 2026

dependency report for web is failing due to the missing NODE_AUTH_TOKEN which is required for the internal QB npm packages used in the projects.

The error:

yarn install v1.22.22
error Error: Failed to replace env in config: ${NODE_AUTH_TOKEN}
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
    at /home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:95453:13
    at String.replace (<anonymous>)
    at envReplace (/home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:95448:16)
    at NpmRegistry.normalizeConfig (/home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:31940:69)
    at NpmRegistry.<anonymous> (/home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:31970:34)
    at Generator.next (<anonymous>)
    at step (/home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:310:30)
    at /home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:321:13
error Error: Failed to replace env in config: ${NODE_AUTH_TOKEN}
    at /home/runner/_work/_tool/node/24.12.0/x64/lib/node_modules/yarn/lib/cli.js:95453:13
    at String.replace (<anonymous>)

More info here

@muhamedsk muhamedsk self-assigned this Jun 2, 2026
@muhamedsk muhamedsk requested review from KlausNie and nasirky June 2, 2026 13:38
@muhamedsk muhamedsk force-pushed the add-node-token-in-vulnerability-and-outdated-report branch from 9de1171 to 9cea6ea June 2, 2026 13:39
KlausNie (Member) commented Jun 3, 2026

hmm... could be tricky

KlausNie (Member) commented Jun 3, 2026

@muhamedsk seeing as @nasirky is very busy atm, it might be good, that you investigate a fix for that yourself. @nasirky do you disagree?

muhamedsk (Author) commented

@KlausNie this is blocking me from running the reports in BSI projects (and creating the TRDP reports). I am not sure, but seems like the solution to this should live in actions repo.

@muhamedsk seeing as @nasirky is very busy atm, it might be good, that you investigate a fix for that yourself. @nasirky do you disagree?

KlausNie (Member) commented Jun 3, 2026

@KlausNie this is blocking me from running the reports in BSI projects (and creating the TRDP reports). I am not sure, but seems like the solution to this should live in actions repo.

@muhamedsk seeing as @nasirky is very busy atm, it might be good, that you investigate a fix for that yourself. @nasirky do you disagree?

I agree! As Nasir is on vacation, we'll have to find a solution. Or this needs to wait until Nasir is back. Either way, I won't have the time to find a solution to this in the next weeks. So my suggestion is, you look into it

muhamedsk (Author) commented

hmm... could be tricky

@KlausNie what exactly are your considerations? That env should be present only during that concrete step. That is only needed during yarn install. The actual yarn install --frozen-lockfile that authenticates against GitHub Packages happens inside generate-yarn-report.sh, which is a child process of the last shell step, the one where we set NODE_AUTH_TOKEN.

Since next steps don't inherit env block of the concrete step that we added the NODE_AUTH_TOKEN, we should be fine?

KlausNie (Member) commented Jun 3, 2026

hmm... could be tricky

@KlausNie what exactly are your considerations? That env should be present only during that concrete step. That is only needed during yarn install. The actual yarn install --frozen-lockfile that authenticates against GitHub Packages happens inside generate-yarn-report.sh, which is a child process of the last shell step, the one where we set NODE_AUTH_TOKEN.

Since next steps don't inherit env block of the concrete step that we added the NODE_AUTH_TOKEN, we should be fine?

I haven't looked into it. I just felt like it could be difficult to get that to work

muhamedsk (Author) commented

hmm... could be tricky

@KlausNie what exactly are your considerations? That env should be present only during that concrete step. That is only needed during yarn install. The actual yarn install --frozen-lockfile that authenticates against GitHub Packages happens inside generate-yarn-report.sh, which is a child process of the last shell step, the one where we set NODE_AUTH_TOKEN.
Since next steps don't inherit env block of the concrete step that we added the NODE_AUTH_TOKEN, we should be fine?

I haven't looked into it. I just felt like it could be difficult to get that to work

@KlausNie My idea is trying this out, by first merging, and then try running the dependency report workflow in:

  • repos that use internal qb packages (that need node auth token env)
  • repos that don't use them

If both work, then we should be fine!
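As an added example (not code from this PR or the actions repo), the following POSIX shell preflight reproduces yarn's env-placeholder check for an .npmrc, so a repo that does not reference `${NODE_AUTH_TOKEN}` passes and one that does fails early with a clear message, and it checks the claim made above that a token passed to one command is seen by that command's child process but not by the commands that run after it. The sample file contents and the token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from this PR or the actions repo. It reproduces
# yarn's "Failed to replace env in config: ${VAR}" check as a preflight and
# shows that a token passed to one command reaches that command's children
# but not later commands. File contents and the token value are constructed.

# List the ${VAR} placeholders referenced in an .npmrc/.yarnrc-style file.
config_env_refs() {
  grep -oE '\$\{[A-Za-z_][A-Za-z0-9_]*\}' "$1" 2>/dev/null \
    | sed -e 's/^\${//' -e 's/}$//' | sort -u
}

# Return 0 when every placeholder in the file is set and non-empty in the
# environment, 1 otherwise; each missing name is reported on stderr. yarn
# fails with the error quoted in the PR for exactly these names.
check_config_env() {
  missing=0
  for name in $(config_env_refs "$1"); do
    eval "value=\${$name:-}"   # name is validated by the regex above
    if [ -z "$value" ]; then
      echo "missing env for $1: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Model of a step-scoped env block: the child process (generate-yarn-report.sh
# in the PR) sees NODE_AUTH_TOKEN, while this shell, standing in for the
# next workflow step, never had it. Returns 0 when both hold.
step_scoped_token_ok() {
  env NODE_AUTH_TOKEN="$1" sh -c 'test -n "${NODE_AUTH_TOKEN:-}"' || return 1
  test -z "${NODE_AUTH_TOKEN:-}"
}

# Constructed sample config that references the token, as the failing repo does.
write_sample_npmrc() {
  printf '%s\n' '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' > "$1"
}

demo() {
  dir=$(mktemp -d)
  write_sample_npmrc "$dir/.npmrc"
  echo "placeholders: $(config_env_refs "$dir/.npmrc")"
  check_config_env "$dir/.npmrc" && echo "preflight ok" \
    || echo "preflight failed: yarn install would abort here"
  step_scoped_token_ok placeholder-token && echo "token visible to child only"
  rm -rf "$dir"
}
demo
```

Running `check_config_env` against each repo's .npmrc before `yarn install` distinguishes the two cases in the plan above (repos that need the token versus repos that do not) without merging first.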
