From ccf5dab90b13bdd3cca59f68997e40e101d9adfa Mon Sep 17 00:00:00 2001
From: leefanv <leefanv@gmail.com>
Date: Mon, 11 May 2026 16:51:53 +0800
Subject: [PATCH] ci(release): add npm whoami verification before build
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Surfaces NPM_TOKEN problems early instead of waiting for the first
real publish to fail. Three failure modes the new step catches:

- NPM_TOKEN secret never set → explicit ::error:: with setup hint
- Token expired / revoked → npm whoami returns 401/403
- Token wrong scope → npm whoami returns 403

No-op when everything's healthy (1 line of log).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b04d34..fd9db54 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,6 +46,18 @@ jobs:
       - name: Install
         run: bun install
 
+      - name: Verify npm auth
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          if [ -z "${NODE_AUTH_TOKEN:-}" ]; then
+            echo "::error::NPM_TOKEN secret is not set — add it under Settings → Secrets → Actions"
+            exit 1
+          fi
+          # npm whoami 用 ~/.npmrc 里的 token 拉用户名；token 错的话会 401/403
+          whoami=$(npm whoami)
+          echo "✓ npm authenticated as: $whoami"
+
       - name: Build all packages
         run: bun run build