Symptom
`publish.yml` ran on the `v0.29.0` tag push (commit `28d036c`) and failed at the `Publish to npm (skip if already published)` step. Re-running the failed job reproduced the same error:
```
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@tangle-network%2fagent-integrations - Not found
npm error 404
npm error 404 '@tangle-network/agent-integrations@0.29.0' is not in this registry.
```
Workflow runs:
Root cause
npm returns `404 Not Found` on a PUT to an existing package's URL when the token presenting the request lacks publish permission for the scope (npm uses 404 instead of 403 for auth failures, "security through obscurity").
The package exists (latest dist-tag was 0.28.0 before this release) and the package.json + publishConfig + workflow file are unchanged from the successful 0.28.0 publish on May 14. Only thing that changed: the `NPM_TOKEN` repo secret is no longer authorized.
Most likely: the granular access token expired or was rotated externally between May 14 and May 23.
Resolution this round
Published 0.29.0 manually from a maintainer machine (drewstone, listed in npm maintainers):
```bash
cd ~/webb/agent-integrations
git checkout v0.29.0
pnpm install --frozen-lockfile
pnpm run typecheck # ✓
pnpm run test # 364/364 pass
pnpm run build # ✓
pnpm exec npm publish --access public
# → +@tangle-network/agent-integrations@0.29.0
```
Verified live: `curl -s https://registry.npmjs.org/@tangle-network/agent-integrations/0.29.0` returns the published tarball URL.
Next-release blocker (this issue)
Before tagging `v0.30.0` or any subsequent release, rotate the `NPM_TOKEN` repo secret (Settings → Secrets and variables → Actions → `NPM_TOKEN`). Options:
- Granular access token (preferred) — npm dashboard → Access Tokens → New → Granular → scope to `@tangle-network/agent-integrations` package, publish + read. Set 365-day expiry. Update the repo secret.
- Trusted publishing via OIDC — the workflow already has `permissions: id-token: write`. Configure npm trusted publishing on the package side (docs) and drop `NPM_TOKEN` entirely. Most resilient long-term.
Either way, verify by:
```bash
gh workflow run publish.yml --ref main
# wait for run; should pass the auth check even without a real tag (will skip publish via the existing idempotency guard)
```
Why this matters
The publish workflow is the single source of truth for npm releases. Manual publishes work but bypass the verify gate (typecheck + test + build run in CI on a clean ubuntu-latest, not on a maintainer's laptop where local tsc/pnpm versions might drift). Get the CI path back to green before the next release.
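The root-cause reasoning above (an E404 on the publish PUT while the package is still publicly readable points at a rejected token, not a missing package), written out as a triage helper. This is an added example, not part of the original issue or the project's workflow; the function names and verdict strings are assumptions, and the sample log lines are copied from the error shown under Symptom.

```shell
#!/usr/bin/env bash
# Added example: triage a failed `npm publish` from its captured output.
# Function names and verdict strings are hypothetical, chosen for illustration.

# Unauthenticated read of the package metadata; prints only the HTTP status.
# $1 = package name, e.g. @tangle-network/agent-integrations
registry_read_status() {
  curl -s -o /dev/null -w '%{http_code}' "https://registry.npmjs.org/$1"
}

# $1 = captured npm output
# $2 = HTTP status of an unauthenticated GET (from registry_read_status)
classify_publish_failure() {
  cpf_log="$1"
  cpf_read="$2"
  # Explicit 401/403: the registry said outright that auth failed.
  if printf '%s\n' "$cpf_log" | grep -Eq 'npm (error|ERR!) code E40[13]'; then
    echo "auth-rejected"
  # 404 on the PUT: compare with what an anonymous read sees.
  elif printf '%s\n' "$cpf_log" | grep -Eq 'npm (error|ERR!) code E404' &&
       printf '%s\n' "$cpf_log" | grep -Eq '404 Not Found - PUT '; then
    if [ "$cpf_read" = "200" ]; then
      # Package is readable, so the 404 is about the token, not the package.
      echo "auth-masked-as-404"
    else
      # Package is not publicly visible: first publish, private, or wrong name.
      echo "package-not-visible"
    fi
  else
    echo "other"
  fi
}

# Log lines taken from the failure in this issue.
SAMPLE_LOG='npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@tangle-network%2fagent-integrations - Not found'
```

In a workflow step, pass the captured publish output together with `"$(registry_read_status @tangle-network/agent-integrations)"`; a verdict of `auth-masked-as-404` means the `NPM_TOKEN` secret needs attention before anything else is debugged.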