From a9b28729e5b4b169eb2a8fde91a8cad88fa787ea Mon Sep 17 00:00:00 2001
From: Asher <ash@coder.com>
Date: Wed, 6 Nov 2024 12:45:04 -0900
Subject: [PATCH] Use literal ${NPM_TOKEN} in npm auth

This is not supposed to be the token, but the literal value that is then
replaced by npm.

Probably does not make a difference, but the docs are clear on *not*
putting a token in this file.

The docs also say to put it in the project root.

Also adding some lines to debug what runs.
---
 ci/steps/publish-npm.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ci/steps/publish-npm.sh b/ci/steps/publish-npm.sh
index 58f625c84417..3c5b2542fdf9 100755
--- a/ci/steps/publish-npm.sh
+++ b/ci/steps/publish-npm.sh
@@ -46,7 +46,10 @@ main() {
 
   # This allows us to publish to npm in CI workflows
   if [[ ${CI-} ]]; then
-    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+    echo "Adding NPM_TOKEN to .npmrc"
+    # This is meant to be the literal value of ${NPM_TOKEN}, not the actual
+    # token itself.
+    echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' >> .npmrc
   fi
 
   ## Environment
@@ -142,6 +145,7 @@ main() {
 
   # Since the dev builds are scoped to @coder
   # We pass --access public to ensure npm knows it's not private.
+  echo "Publishing version $NPM_VERSION with tag $NPM_TAG"
   npm publish --non-interactive release --tag "$NPM_TAG" --access public
 }