Struggling to use dpl v2 encrypted npm token

I’ve been trying for weeks to get a continuous deployment to npm working. I’ve looked through countless issues, searched this forum, struggled through getting the CLI to encrypt the variable, and tried every permutation of the configuration I can think of.

I’ve tried using the CLI to encrypt the token, adding it as a global NPM_API_TOKEN environment variable and as a secure value to the api_token option of the provider. I tried so many ways to encrypt it, struggling through issues with getting the CLI to authenticate. So. many. issues.

Finally, I’m just putting the secret in through the UI as NPM_API_TOKEN.

I can’t say what’s happening, but I think something is wrong with the way the secret is injected. The logs show this:

Authenticated with API token [secure]

But from what I see in the dpl test builds and from the interpolation code in dpl, I think this should be showing something more like:

Authenticated with API token 1e**************

So, something is wrong here and I think the literal value “[secure]” is getting placed into the .npmrc file.

Here’s a recent build showing the issue: Travis CI - Test and Deploy with Confidence

I’m at my wits’ end here. Can anyone show me what I’m doing wrong?

Why do you say I’m not using dpl v2? I followed those instructions, I added “edge: true”, and the build log shows the v2 gem being installed.

I tried printing the token, in whole rather than in part, and see only the literal string “[secure]”. I’m not sure if all log messages are filtered to prevent disclosure, even when I cat the npmrc file myself in my deploy script. Again, from my reading of the dpl v2 code the secure interpolation output seems like it should be using **** instead of “[secure]”.

Additionally, the script does seem to run my custom npm publish command, and support for a custom publish command with the npm provider doesn’t seem to exist in dpl v1.

So, again, I’m fairly certain I’m using v2, I’m somewhat convinced I’m seeing output that shows the literal value “[secure]” may be the value of the environment variable, rather than the decrypted value, and I’m at a loss for how to debug this.

The parts from that post relevant to you are only to check token permissions and print parts of it.

That’s exactly why I suggested to print a part of it. The output filter would censor any output that’s equal to one of the secret values, but not a part thereof.

My apologies. I was so convinced by the log output I saw in the CI runs for dpl itself and the code in the interpolation module that I was convinced I should be seeing asterisks instead of “[secure]”. But, you were right. My token is fine. I should have been less confident.

It actually ended up that there was a problem with my tooling. Lerna tries to read user info to log the npm identity before publishing, but automation tokens are write only for npm, it seems. Resolved with a --no-verify-access flag in my lerna invocation.

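The partial-print check suggested in the replies, as an added example that is not part of the original thread: `filter_log` is a simplified stand-in for the CI log filter as that reply describes it (exact matches of the secret are censored, fragments are not), `mask_token` is a hypothetical helper name, and the token value is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the log filter replaces
# only exact occurrences of the secret value with the text "[secure]".

# filter_log SECRET : copy stdin to stdout, censoring exact matches of SECRET.
filter_log() {
  FILTER_SECRET="$1" awk '
    BEGIN { s = ENVIRON["FILTER_SECRET"] }
    {
      line = $0; out = ""
      while (s != "" && (i = index(line, s)) > 0) {
        out = out substr(line, 1, i - 1) "[secure]"
        line = substr(line, i + length(s))
      }
      print out line
    }'
}

# mask_token VALUE : print the first two characters followed by asterisks.
# Returns 1 for an empty value and 2 when the variable really contains the
# placeholder text "[secure]" instead of a decrypted secret.
mask_token() {
  value="$1"
  [ -n "$value" ] || { echo "(empty)"; return 1; }
  [ "$value" != "[secure]" ] || { echo "(literal placeholder)"; return 2; }
  # Very short values are masked completely so nothing useful leaks.
  if [ "${#value}" -le 4 ]; then prefix=""; else prefix=$(printf '%.2s' "$value"); fi
  rest=${value#"$prefix"}
  printf '%s%s\n' "$prefix" "$(printf '%s' "$rest" | sed 's/./*/g')"
}

# Constructed sample value, not a real npm token.
NPM_API_TOKEN='1e0f3a9c7b2d4e6f'

# Printing the whole token: the filter hides it, which says nothing about
# what the variable actually holds.
echo "Authenticated with API token $NPM_API_TOKEN" | filter_log "$NPM_API_TOKEN"

# Printing a masked fragment: it passes through the filter, so the log shows
# that the variable holds a real value of the expected length.
echo "token looks like: $(mask_token "$NPM_API_TOKEN")" | filter_log "$NPM_API_TOKEN"
```

In a real deploy script only `mask_token "$NPM_API_TOKEN"` is needed, since the CI service applies its own filter to the log.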