Fix auth setup for Yarn Berry #654

Open
Andarist wants to merge 1 commit into main from yarn-token

@Andarist

Member
  1. this will also require changes in @changesets/cli to actually call Yarn when publishing
  2. this is not compatible with Yarn Classic
  3. this whole detection of an existing token in an existing user-level config file is wonky... perhaps we should just not do this at all here? maybe we should create changesets/action/setup-auth for those that don't use trusted publishing? the current approach doesn't even respect configuration options like npmrcAuthFile

@Andarist Andarist requested review from beeequeue and bluwy June 10, 2026 08:17
@changeset-bot

changeset-bot Bot commented Jun 10, 2026

🦋 Changeset detected

Latest commit: e881258

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| @changesets/action | Minor |

"@changesets/action": minor
---

Internal auth setup for provided `NPM_TOKEN` environment variable when using Yarn gets now written to Yarn Berry's `~/.yarnrc.yml`.
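
Review bot: The changeset description on the last line does not say that the new behaviour is limited to Yarn Berry, while the PR description states the change is not compatible with Yarn Classic; since this ships as a `minor` bump, the release note should state that limitation. The same line says the token is written to the user-level `~/.yarnrc.yml` but not what happens when that file or a token entry already exists, which is worth one clause. Wording nit: "gets now written" reads better as "is now written".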

Member

is there a big benefit from doing this compared to just using env vars?

if anything, storing the value in a file if we might not need to sounds like a bad idea

@Andarist Andarist Jun 10, 2026

Member Author

I agree and I was under the impression that you kinda can't get away from storing it in .npmrc file. But, according to a fresh agent run, npm actually supports overlaying its configs with environment variables, so... this should work:

  let changesetPublishOutput = await getExecOutput(script, undefined, {
    cwd,
    ignoreReturnCode: true,
    env: {
      ...process.env,
      GITHUB_TOKEN: githubToken,
      ...(process.env.NPM_TOKEN && {
        "npm_config_//registry.npmjs.org/:_authToken": process.env.NPM_TOKEN,
      }),
    },
  });

I would have to test this out to ensure it works but this would be a great way of improving this (thanks for the pushback!).

That said:

  • pnpm doesn't seem to support this. It might support it in older versions (pre v11) because it just delegated to the npm CLI for a bunch of this stuff, but v11 reimplements publishing and it doesn't seem to support this
  • yarn classic supports YARN_AUTH_TOKEN and NPM_AUTH_TOKEN (yes, it supports an npm-named variable that npm itself doesn't support), and it also supports the weird npm_config_* shape too
  • yarn berry supports YARN_NPM_AUTH_TOKEN

Member

okay, so for yarn we can use env vars, but for pnpm and npm we need to write it to a file, i see.

pnpm still supports .npmrc for just auth, and it can also be put in ~/.config/pnpm/auth.ini or (i think) ~/.config/pnpm/rc

@bluwy

bluwy commented Jun 10, 2026

Member

> 3. this whole detection of an existing token in an existing user-level config file is wonky... perhaps we should just not do this at all here?

I think we should not do it at all. We have a lot of issues around the token handling, we should leave it for actions/setup-node to handle. A setup like this, passing NODE_AUTH_TOKEN to changesets/action, would already work for npm and pnpm.

Yarn needs like this, like what you did in the PR with .yarnrc.yml. It's not great but we can document it. One of the super annoying things with yarn these days.

Plus, there's not a lot of reason to use tokens in CI these days with them having a short time limit.


But if you really prefer to have a better DX for yarn, then I'd prefer changesets/action/setup-auth instead
