From 0c3584d9eecd7acea01c5f9ba99d342a412fc5a7 Mon Sep 17 00:00:00 2001 From: Parfii-bot Date: Mon, 4 May 2026 01:03:39 +0800 Subject: [PATCH] =?UTF-8?q?diag(release):=20v0.14.5=20=E2=80=94=20keigit?= =?UTF-8?q?=20auth=20diagnostic=20step=20before=20publish?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit v0.14.4 failed with same 401 despite local-probe showing path-scoped + Basic-auth fallback work. Adding a diagnostic step BEFORE publish: - npm whoami against keigit - curl Bearer probe (read endpoint /api/v1/user) - curl PUT probe (publish endpoint with empty body) - npm config dump (registry resolution) Will reveal: - Whether token actually authenticates from runner network - Whether npm correctly resolves @keisei:registry to keigit URL - Whether something in CI environment is rewriting/blocking the auth header Bump 0.14.4 → 0.14.5 to trigger fresh release run. [FROM-JOURNAL: this session — local probe confirms .npmrc form works, CI rejects with 401, narrowing to runner-environment issue] Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 35 +++++++++++++++++++ _ts_packages/package-lock.json | 2 +- _ts_packages/packages/mcp-server/package.json | 2 +- 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 12cc95b..432b3bb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -365,6 +365,41 @@ jobs: # Sanity (no secrets in log — print only registry lines): grep -vE "_authToken|_password|username|email" .npmrc || true + # v0.14.5 diagnostic: verify the .npmrc-resolved auth actually works + # AGAINST keigit from the runner network. Local probes confirmed Bearer + # and Basic both auth-OK, but CI publish gets 401 — narrow root cause. + - name: Diagnose keigit auth from runner + if: steps.have_token.outputs.present == '1' + working-directory: _ts_packages + env: + KEIGIT_TOKEN: ${{ secrets.KEIGIT_TOKEN }} + run: | + set +e + echo "::group::npm whoami probe" + npm whoami --registry=https://keigit.com/api/packages/keisei/npm/ 2>&1 | head -10 + echo "::endgroup::" + echo "::group::curl Bearer probe (read endpoint)" + curl -sS -m 10 -H "Authorization: Bearer ${KEIGIT_TOKEN}" \ + -o /dev/null -w "HTTP %{http_code}\n" \ + https://keigit.com/api/v1/user + echo "::endgroup::" + echo "::group::curl PUT probe (publish endpoint with empty body)" + curl -sS -m 10 -X PUT \ + -H "Authorization: Bearer ${KEIGIT_TOKEN}" \ + -H "Content-Type: application/json" \ + -o /tmp/probe-resp -w "HTTP %{http_code}\n" \ + "https://keigit.com/api/packages/keisei/npm/@keisei%2Fci-probe-noop" \ + -d '{}' + echo "Response (first 200 chars):" + head -c 200 /tmp/probe-resp 2>/dev/null + echo "::endgroup::" + echo "::group::npm config debug" + npm config get registry --workspaces=false + npm config get @keisei:registry --workspaces=false + npm config get -L user 2>&1 | head -20 + echo "::endgroup::" + set -e + - name: Install deps if: steps.have_token.outputs.present == '1' working-directory: _ts_packages diff --git a/_ts_packages/package-lock.json b/_ts_packages/package-lock.json index f3fc877..75d68d3 100644 --- a/_ts_packages/package-lock.json +++ b/_ts_packages/package-lock.json @@ -3707,7 +3707,7 @@ }, "packages/mcp-server": { "name": "@keisei/mcp-server", - "version": "0.14.4", + "version": "0.14.5", "license": "Apache-2.0", "dependencies": { "@modelcontextprotocol/sdk": "^1.0.0", diff --git a/_ts_packages/packages/mcp-server/package.json b/_ts_packages/packages/mcp-server/package.json index 6ead684..32e0a51 100644 --- a/_ts_packages/packages/mcp-server/package.json +++ b/_ts_packages/packages/mcp-server/package.json @@ -1,6 +1,6 @@ { "name": "@keisei/mcp-server", - "version": "0.14.4", + "version": "0.14.5", "description": "MCP server exposing KeiSeiKit Rust primitives as Model Context Protocol tools — published to keigit.com (Forgejo npm registry, public DNS)", "type": "module", "main": "./dist/index.js",