diag(release): v0.14.5 — keigit auth diagnostic step before publish

v0.14.4 failed with same 401 despite local-probe showing path-scoped + Basic-auth fallback work. Adding a diagnostic step BEFORE publish: - npm whoami against keigit - curl Bearer probe (read endpoint /api/v1/user) - curl PUT probe (publish endpoint with empty body) - npm config dump (registry resolution) Will reveal: - Whether token actually authenticates from runner network - Whether npm correctly resolves @keisei:registry to keigit URL - Whether something in CI environment is rewriting/blocking the auth header Bump 0.14.4 → 0.14.5 to trigger fresh release run. [FROM-JOURNAL: this session — local probe confirms .npmrc form works, CI rejects with 401, narrowing to runner-environment issue] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 01:03:39 +08:00 · 2026-05-04 01:03:39 +08:00 · 0c3584d9ee
commit 0c3584d9ee
parent 8a885a7d76
3 changed files with 37 additions and 2 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -365,6 +365,41 @@ jobs:
          # Sanity (no secrets in log — print only registry lines):
          grep -vE "_authToken|_password|username|email" .npmrc || true

+      # v0.14.5 diagnostic: verify the .npmrc-resolved auth actually works
+      # AGAINST keigit from the runner network. Local probes confirmed Bearer
+      # and Basic both auth-OK, but CI publish gets 401 — narrow root cause.
+      - name: Diagnose keigit auth from runner
+        if: steps.have_token.outputs.present == '1'
+        working-directory: _ts_packages
+        env:
+          KEIGIT_TOKEN: ${{ secrets.KEIGIT_TOKEN }}
+        run: |
+          set +e
+          echo "::group::npm whoami probe"
+          npm whoami --registry=https://keigit.com/api/packages/keisei/npm/ 2>&1 | head -10
+          echo "::endgroup::"
+          echo "::group::curl Bearer probe (read endpoint)"
+          curl -sS -m 10 -H "Authorization: Bearer ${KEIGIT_TOKEN}" \
+            -o /dev/null -w "HTTP %{http_code}\n" \
+            https://keigit.com/api/v1/user
+          echo "::endgroup::"
+          echo "::group::curl PUT probe (publish endpoint with empty body)"
+          curl -sS -m 10 -X PUT \
+            -H "Authorization: Bearer ${KEIGIT_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -o /tmp/probe-resp -w "HTTP %{http_code}\n" \
+            "https://keigit.com/api/packages/keisei/npm/@keisei%2Fci-probe-noop" \
+            -d '{}'
+          echo "Response (first 200 chars):"
+          head -c 200 /tmp/probe-resp 2>/dev/null
+          echo "::endgroup::"
+          echo "::group::npm config debug"
+          npm config get registry --workspaces=false
+          npm config get @keisei:registry --workspaces=false
+          npm config get -L user 2>&1 | head -20
+          echo "::endgroup::"
+          set -e
+
      - name: Install deps
        if: steps.have_token.outputs.present == '1'
        working-directory: _ts_packages
--- a/_ts_packages/package-lock.json
+++ b/_ts_packages/package-lock.json
@ -3707,7 +3707,7 @@
    },
    "packages/mcp-server": {
      "name": "@keisei/mcp-server",
-      "version": "0.14.4",
+      "version": "0.14.5",
      "license": "Apache-2.0",
      "dependencies": {
        "@modelcontextprotocol/sdk": "^1.0.0",
--- a/_ts_packages/packages/mcp-server/package.json
+++ b/_ts_packages/packages/mcp-server/package.json
@ -1,6 +1,6 @@
 {
  "name": "@keisei/mcp-server",
-  "version": "0.14.4",
+  "version": "0.14.5",
  "description": "MCP server exposing KeiSeiKit Rust primitives as Model Context Protocol tools — published to keigit.com (Forgejo npm registry, public DNS)",
  "type": "module",
  "main": "./dist/index.js",