[MAINT]: NPM releases failing due to OTP token (2FA) requirements

[wolfy1339]

Moving the discussion from octokit/openapi#483 (comment)

The release workflow is failing because the token suddenly needs a one-time passcode (2FA).

https://github.com/octokit/openapi/actions/runs/13790432706/job/38568599440

npm error code EOTP
npm error This operation requires a one-time password from your authenticator.
npm error You can provide a one-time password by passing --otp=<code> to the command you ran.
npm error If you already provided a one-time password then it is likely that you either typoed
npm error it, or it timed out. Please try again.
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-03-11T14_28_01_144Z-debug-0.log

[gr2m]

I'll have a look today, I think that should be a straightforward fix

[gr2m]

Ah I'm sorry I mixed up OTP with provenance attestation 🤦🏼 it was pre-coffee ☕

So it seems that the @octokit org on npm now enforces one-time passwords for publishing, which breaks our automated release workflow. I don't know when that happened or why. I'll try to find out but @nickfloyd might know more

[gr2m]

I don't see a setting for it on npm. I reached out to the npm team for help

[gr2m]

The current token we use is 5 years old, maybe updating it will resolve the problem. But I don't have access to the octokitbot npm account. @nickfloyd can you look into it?

I can try to use a token of mine for testing, but will wait on what the @octokit maintainers suggest

[nickfloyd]

I've just regenerated the token for automation and added it to the org. I am re running the job now.

[wolfy1339]

Re-running the job won't work since the release was already tagged on GitHub.
A new release needs to be triggered

[gr2m]

if that happens, we can delete the tag and release notes for it manually, then re-run

[nickfloyd]

Re-running the job won't work since the release was already tagged on GitHub. A new release needs to be triggered

Great point. I can't do that at the moment but I'll try to get to it after I get through my meetings unless one of y'all get to it first.

[gr2m]

I don't see a tag for 18.2.0 though?

[gr2m]

ah sorry I misunderstood, the 18.1.0 tag is the one that needs to be deleted, let me try that.

[oscard0m]

I'm around in case you need help testing something 👋🏽

[wolfy1339]

The release didn't trigger because it's behind the latest commit on the branch.

octokit/openapi#484 once merged should get it to trigger. It's having trouble with the update dry-run test not getting triggered

[gr2m]

Hmm failed again

npm error code EOTP

https://github.com/octokit/openapi/actions/runs/13790432706/job/38568599440#step:5:191

I learned that 2FA can be enforced on a package level, but it's not enabled for @octokit/openapi:

There is some information from people who ran into this problem in the past: semantic-release/npm#209

@nickfloyd just making sure, you created a classic token with type:automation, correct?

[nickfloyd]

@nickfloyd just making sure, you created a classic token with type:automation, correct?

Yes.. updated the OCTOKITBOT_NPM_TOKEN in the org environment / actions secrets

[gr2m]

okay we figured it out, the 2FA setting was enabled for both authorization and publishing. @nickfloyd changed it to just authorization, and the release now worked via https://github.com/octokit/openapi/actions/runs/13917749582/job/38991546989

https://github.com/octokit/openapi/releases/tag/v18.1.0