feat: SW-1779 add install-jfrog-npm-package composite action #29
Open
owilliams-tetrascience wants to merge 1 commit into
Add a composite action that installs a single npm package published only to a private JFrog Artifactory registry, as a leaf tarball extracted into an already-installed node_modules.
This centralizes a pattern otherwise duplicated inline across repos (e.g. ts-lib-ui-kit's two Zephyr workflows and several data-app repos): packages that can't be added to package.json/yarn.lock — because the repo pins the public npm registry and a private dep would break external `yarn install` — are fetched via `npm pack` and extracted in place. It deliberately avoids `npm install`, which reconciles the whole tree and corrupts a Yarn-managed node_modules (ENOTEMPTY rmdir node_modules/<pkg>/dist).
Inputs: package, version, registry-url, auth, auth-type (_auth | _authToken, default _auth). Host normalization strips scheme + trailing slash so the auth line is always //<host>/:<field>=... regardless of URL format.
Refs: SW-1779
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
This PR adds a reusable composite GitHub Action to install a single private JFrog-hosted npm package into an already-existing node_modules (without running npm install), and documents its usage in the repo README to centralize a repeated workflow pattern used across multiple repositories.
Changes:
- Adds `install-jfrog-npm-package` composite action that fetches a package via `npm pack` and extracts it into `node_modules/<package>`.
- Documents the new composite action (usage + inputs) in `README.md` and adds it to the TOC.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Adds an “Actions” section documenting the new composite action and how to use it. |
| install-jfrog-npm-package/action.yml | Implements the composite action to fetch/extract a private JFrog-only npm package as a leaf tarball. |
Comment on lines +46 to +53
| if [ ! -d node_modules ]; then | ||
| echo "::error::node_modules not found — run this action AFTER 'yarn install'." | ||
| exit 1 | ||
| fi | ||
| case "$AUTH_TYPE" in | ||
| _auth | _authToken) ;; | ||
| *) echo "::error::auth-type must be '_auth' or '_authToken' (got '$AUTH_TYPE')."; exit 1 ;; | ||
| esac |
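Review bot: The validation block checks `node_modules` and `AUTH_TYPE` but never `PACKAGE`, which the step later passes straight into `rm -rf "node_modules/${PACKAGE}"`. An empty value turns that into `rm -rf "node_modules/"`, and a value with a `..` segment resolves outside `node_modules`. Next to the `case "$AUTH_TYPE"` check, reject an empty `PACKAGE` and anything that is not of the form `name` or `@scope/name`, and fail early when `VERSION`, `REGISTRY_URL` or `AUTH` is empty.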
Comment on lines +54 to +68
| # Normalize the host: strip scheme and any trailing slash so the auth | ||
| # line is always `//<host>/:<field>=...` regardless of whether the | ||
| # registry URL ends with a slash (npm requires the `/` before the field). | ||
| host="${REGISTRY_URL#https://}"; host="${host#http://}"; host="${host%/}" | ||
| npmrc="$RUNNER_TEMP/.npmrc-jfrog" | ||
| printf 'registry=%s\n//%s/:%s=%s\nalways-auth=true\n' \ | ||
| "$REGISTRY_URL" "$host" "$AUTH_TYPE" "$AUTH" > "$npmrc" | ||
| tgz=$(npm pack "${PACKAGE}@${VERSION}" --userconfig "$npmrc" --registry "$REGISTRY_URL") | ||
| # `mkdir -p node_modules/<package>` also creates the @scope dir for | ||
| # scoped packages (node_modules/@scope/name). | ||
| rm -rf "node_modules/${PACKAGE}" | ||
| mkdir -p "node_modules/${PACKAGE}" | ||
| tar -xzf "$tgz" -C "node_modules/${PACKAGE}" --strip-components=1 | ||
| rm -f "$npmrc" "$tgz" | ||
| echo "Installed ${PACKAGE}@${VERSION} into node_modules/${PACKAGE}" |
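Review bot: The credential file written by the `printf ... > "$npmrc"` line is deleted only by the `rm -f "$npmrc" "$tgz"` near the end, so if `npm pack` or `tar` fails and the step stops there, `$RUNNER_TEMP/.npmrc-jfrog` stays on disk with the auth value in it. Register `trap 'rm -f "$npmrc" "$tgz"' EXIT` before the file is written, and set `umask 077` first so it is created owner-only. Separately, the `host="${host#http://}"` strip means a plain `http://` registry URL is accepted and the auth would be sent without TLS; failing on anything that does not start with `https://` avoids that. The `tgz=$(npm pack ...)` capture also assumes stdout is exactly one filename, which deserves a check that `"$tgz"` exists before `tar` runs.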
Summary
Adds a composite action, `install-jfrog-npm-package`, that installs a single npm package published only to a private JFrog Artifactory registry — as a leaf tarball extracted into an already-installed `node_modules`.
Why
Several repos need a private, JFrog-only package but pin the public npm registry, so the package can't go in `package.json`/`yarn.lock` (it would break external contributors' `yarn install` and the public-publish path). Today they each inline the same workaround. The most recent case is ts-lib-ui-kit#161 (SW-1779), which installs `ts-lib-zephyr-nodejs` in its two Zephyr workflows; the data-app repos do the same ad hoc.
This centralizes the pattern — including two non-obvious gotchas — in one reviewed place:
- `npm install`. `npm install --no-save <pkg>` reconciles the entire dependency tree and corrupts a Yarn-4-managed `node_modules` (observed: `ENOTEMPTY: directory not empty, rmdir node_modules/<pkg>/dist`). The action fetches only the one package via `npm pack` and extracts it in place, touching nothing else.
- `//<host>/:<field>=…`, working whether or not the registry URL ends with a slash.
What's included
- `install-jfrog-npm-package/action.yml` — composite action (used as a step `uses:`, like `coverage-check`), inputs: `package`, `version`, `registry-url`, `auth`, `auth-type` (`_auth` default | `_authToken`).
- `README.md` — new Actions section documenting usage (must run after `yarn install`) + inputs, and a TOC entry.
Follow-up (separate PR, not here)
Once merged, ts-lib-ui-kit#161 will replace its two inline "Install ts-lib-zephyr-nodejs (JFrog)" `run:` steps with:
🤖 Generated with Claude Code
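The host normalization and `node_modules/<package>` path handling described above, as an added example that is not part of this PR or its `action.yml`: a stricter variant that accepts only `https://` registries, strips every trailing slash, and validates the package name before it is used as a path. The function names and the `example.jfrog.io` host are hypothetical.

```shell
# Added example; function names are hypothetical, not from the PR's action.yml.

# Print the "//host/path/" key npm expects before ":_auth" / ":_authToken".
# Only https is accepted, so the credential is never sent in cleartext.
registry_auth_key() {
  case "$1" in
    https://*) rest=${1#https://} ;;
    *) return 1 ;;
  esac
  # Strip every trailing slash, not just one.
  while [ "${rest%/}" != "$rest" ]; do rest=${rest%/}; done
  case "$rest" in
    ''|/*|*[!A-Za-z0-9._:/-]*) return 1 ;;  # empty host or unexpected character
  esac
  printf '//%s/' "$rest"
}

# Succeed only for "name" or "@scope/name", so node_modules/<name> cannot
# be empty, absolute, or contain a ".." segment.
valid_package_name() {
  case "$1" in
    ''|*[!a-z0-9@/._~-]*) return 1 ;;       # empty or disallowed character
    @*/*) scope=${1%%/*}; scope=${scope#@}; base=${1#*/} ;;
    @*) return 1 ;;                          # scope without a name
    *) scope=ok; base=$1 ;;
  esac
  for seg in "$scope" "$base"; do
    case "$seg" in
      ''|.*|_*|*/*|*@*) return 1 ;;          # dot-leading, nested or empty segment
    esac
  done
  return 0
}

# Write the npmrc owner-only. Args: file registry-url auth-type auth
write_npmrc() {
  key=$(registry_auth_key "$2") || return 1
  case "$3" in
    _auth|_authToken) ;;
    *) return 1 ;;
  esac
  ( umask 077
    printf 'registry=%s\n%s:%s=%s\nalways-auth=true\n' "$2" "$key" "$3" "$4" > "$1" )
}
```

A caller would pair `write_npmrc` with a `trap` that deletes the file on exit, so the credential does not outlive a failed step.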