ci+hooks: install @uipath/* from public npm via scope override

AlvinStanescu · claude · AlvinStanescu · commit 6ffbaf0f33b9 · 2026-04-27T18:23:16.000+03:00
The smoke pipelines wrote a `~/.npmrc` mapping `@uipath` to GitHub Packages and installed `@latest`. That feed publishes `1.0.0-alpha.YYYYMMDD.*` prereleases under the same dist-tag, so CI was silently picking up alpha builds rather than the public stable line (`@uipath/cli@0.9.0`, `@uipath/rpa-tool@0.9.0`, `@uipath/rpa-legacy-tool@0.9.0`). Switch all installs to public npm `@latest` and force the scope with `--@UiPath:registry=https://registry.npmjs.org/`. Plain `--registry=` does NOT bypass scope mappings — only the scope-specific override does. `hooks/ensure-uip.sh` gets the same flag so a user-side `~/.npmrc` scope mapping can't silently redirect the SessionStart install. The rpa-tool install also moves from `uip tools install` (which inherits the user's npm config) to `npm install -g` with the override, matching what CI does — `npm install -g` lands tools under `<npm-prefix>/@uipath/` where uipcli's ToolManager discovers them. The repo secret `GH_NPM_REGISTRY_TOKEN` is now unused; can be deleted from repo settings. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/smoke-rpa-skills.yml b/.github/workflows/smoke-rpa-skills.yml
@@ -107,33 +107,23 @@ jobs:
             --password "${{ secrets.UV_INDEX_UIPATH_PASSWORD }}" \
             --store-password-in-clear-text
 
-      # All @uipath/* npm packages come from GitHub Packages, not
-      # public npm. Configure the registry globally so `npm install -g`
-      # and uipcli's own `uip tools install` auto-install both route
-      # through GH Packages.
-      - name: Configure npm for GitHub Packages (@uipath)
-        shell: bash
-        env:
-          GH_NPM_REGISTRY_TOKEN: ${{ secrets.GH_NPM_REGISTRY_TOKEN }}
-        run: |
-          cat > ~/.npmrc <<NPMRC
-          @uipath:registry=https://npm.pkg.github.com
-          //npm.pkg.github.com/:_authToken=$GH_NPM_REGISTRY_TOKEN
-          NPMRC
-
-      # Install the CLI + RPA tools from GitHub Packages at the
-      # `latest` dist-tag. Each package follows its own version line
-      # (cli → 1.0.x, rpa-tool → 0.9.x, rpa-legacy-tool → 1.0.x), so
-      # `@latest` is simpler and more resilient than pinning a
-      # specific major.minor. `npm install -g` lands everything under
-      # `<npm-global-prefix>/@uipath/` — exactly where uipcli's
-      # ToolManager walks up to discover tools — so `uip rpa …` /
-      # `uip rpa-legacy …` work without triggering auto-install.
-      - name: Install uip CLI + RPA tools from GitHub Packages
+      # Install from public npm at @latest. The `--@uipath:registry=`
+      # flag forces the @uipath scope to public npm even if some
+      # `.npmrc` (runner image, user-level, or future setup-node config)
+      # maps it elsewhere — notably the internal GitHub Packages feed,
+      # which carries divergent 1.0.0-alpha.* prereleases under the
+      # same scope. Plain `--registry=` does NOT bypass scope mappings;
+      # only the scope-specific override does. `npm install -g` lands
+      # under `<npm-prefix>/@uipath/`, where uipcli's ToolManager
+      # discovers tools, so `uip rpa …` / `uip rpa-legacy …` resolve
+      # without triggering auto-install.
+      - name: Install uip CLI + RPA tools (public npm @latest)
         shell: bash
         run: |
           set -e
-          npm install -g @uipath/cli@latest @uipath/rpa-tool@latest @uipath/rpa-legacy-tool@latest
+          npm install -g \
+            --@uipath:registry=https://registry.npmjs.org/ \
+            @uipath/cli@latest @uipath/rpa-tool@latest @uipath/rpa-legacy-tool@latest
           uip --version
           uip tools list --output json
 
diff --git a/.github/workflows/smoke-skills.yml b/.github/workflows/smoke-skills.yml
@@ -178,20 +178,16 @@ jobs:
           UV_EXTRA_INDEX_URL: "https://${{ secrets.UV_INDEX_UIPATH_USERNAME }}:${{ secrets.UV_INDEX_UIPATH_PASSWORD }}@uipath.pkgs.visualstudio.com/_packaging/ml-packages/pypi/simple/"
         run: uv pip install --system .
 
-      # All @uipath/* npm packages come from GitHub Packages (where the
-      # UiPath CLI line is published), not public npm.
-      - name: Configure npm for GitHub Packages (@uipath)
-        env:
-          GH_NPM_REGISTRY_TOKEN: ${{ secrets.GH_NPM_REGISTRY_TOKEN }}
-        run: |
-          cat > ~/.npmrc <<NPMRC
-          @uipath:registry=https://npm.pkg.github.com
-          //npm.pkg.github.com/:_authToken=$GH_NPM_REGISTRY_TOKEN
-          NPMRC
-
-      - name: Install uip CLI from GitHub Packages
+      # Install from public npm at @latest. `--@uipath:registry=`
+      # forces the @uipath scope to public npm regardless of any
+      # `.npmrc` scope mapping (e.g., to the internal GitHub Packages
+      # feed, which carries divergent 1.0.0-alpha.* prereleases). See
+      # smoke-rpa-skills.yml for the full rationale.
+      - name: Install uip CLI (public npm @latest)
         run: |
-          npm install -g @uipath/cli@latest
+          npm install -g \
+            --@uipath:registry=https://registry.npmjs.org/ \
+            @uipath/cli@latest
           uip --version
 
       # Pre-auth uip via the CLI's documented env-var bypass so non-RPA
diff --git a/hooks/ensure-uip.sh b/hooks/ensure-uip.sh
@@ -65,41 +65,34 @@ ensure_npm() {
   fi
 }
 
+# Force the `@uipath` scope to public npm. If a user's `~/.npmrc` maps
+# `@uipath` to GitHub Packages (the internal feed), `latest` resolves
+# to a `1.0.0-alpha.*` prerelease instead of the public stable line.
+# `--registry=` does NOT bypass scope mappings — only the scope-specific
+# override does. Apply to `outdated` (registry lookup) and `install`;
+# `ls` reads disk and doesn't need it.
+UIPATH_REGISTRY_FLAG="--@uipath:registry=https://registry.npmjs.org/"
+
 # npm install -g always re-downloads and re-installs, even if the same version
 # is already present. This is slow for a synchronous session hook and also
 # re-triggers package lifecycle scripts. Check first, install only when needed.
 ensure_npm_package() {
   local pkg="$1"
 
   if npm ls -g "$pkg" --depth=0 &>/dev/null \
-     && [ -z "$(npm outdated -g "$pkg" 2>/dev/null)" ]; then
+     && [ -z "$(npm outdated -g "$pkg" $UIPATH_REGISTRY_FLAG 2>/dev/null)" ]; then
     echo "$pkg is already installed and up to date." >&2
     return
   fi
 
   echo "Installing or updating $pkg globally..." >&2
-  if ! npm install -g "$pkg" 2>&1; then
-    echo "Failed to install $pkg. Please run: npm install -g $pkg" >&2
-    exit 2
-  fi
-}
-
-ensure_uip_tool() {
-  local pkg="$1"
-  echo "Installing or updating uip tool ($pkg)..." >&2
-
-  local output
-  output="$(uip tools install "$pkg" 2>&1)"
-
-  if echo "$output" | grep -qi "error"; then
-    echo "Failed to install uip tool $pkg:" >&2
-    echo "$output" >&2
-    echo "Please run manually: uip tools install $pkg" >&2
+  if ! npm install -g $UIPATH_REGISTRY_FLAG "$pkg" 2>&1; then
+    echo "Failed to install $pkg. Please run: npm install -g $UIPATH_REGISTRY_FLAG $pkg" >&2
     exit 2
   fi
 }
 
 # ── main ─────────────────────────────────────────────────────────────
 ensure_npm
 ensure_npm_package @uipath/cli
-ensure_uip_tool @uipath/rpa-tool
+ensure_npm_package @uipath/rpa-tool
