From b3563abac1a28433f27a847a3ab39968150034d3 Mon Sep 17 00:00:00 2001 From: Aaron Kuehler Date: Mon, 11 May 2026 17:21:27 -0400 Subject: [PATCH 1/2] Authenticate yarn install against npm.powerapp.cloud The build job runs from GitHub-hosted runners whose egress IPs fall outside the HAProxy LAN allowlist (10/8, 192.168/16, 172.16/12), so the registry responds with 401 + Basic auth challenge for any unauthenticated fetch from a tarball URL like https://npm.powerapp.cloud/... Existing yarn.lock files in consumer repos historically resolved every dep at registry.yarnpkg.com, so the build job never touched the internal registry and the missing auth went unnoticed. Renovate now writes lockfile entries with resolved: https://npm.powerapp.cloud/... (because its own .npmrc, configured via powerhome/renovate-config, makes that the default registry), which forces yarn install to authenticate. The secret was already declared as required on this workflow but only consumed by the release job; this wires it into the build job too via setup-node's registry-url/always-auth and NODE_AUTH_TOKEN. --- .github/workflows/yarn-package.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/yarn-package.yml b/.github/workflows/yarn-package.yml index 7a3f541..ab5d67a 100644 --- a/.github/workflows/yarn-package.yml +++ b/.github/workflows/yarn-package.yml @@ -36,8 +36,12 @@ jobs: uses: actions/setup-node@v3 with: node-version: ${{ matrix.node }} + registry-url: https://npm.powerapp.cloud + always-auth: true - run: yarn install --frozen-lockfile working-directory: ${{ inputs.workdir }} + env: + NODE_AUTH_TOKEN: ${{ secrets.npm_token }} - run: yarn lint working-directory: ${{ inputs.workdir }} - run: yarn build From 9c6669f8b4e189ebdf77cff531e513b904efaba8 Mon Sep 17 00:00:00 2001 
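Review bot: The `env:` block added to the `yarn install --frozen-lockfile` step puts `NODE_AUTH_TOKEN` in the environment of the step that also runs dependency install scripts, so any package in the tree can read it during install. The description says this is the same secret the release job consumes, which suggests (not visible in this hunk) that it may carry publish rights. A separate read-only registry credential for the build job would limit what a compromised dependency could do with it. If the packages do not rely on lifecycle scripts, `- run: yarn install --frozen-lockfile --ignore-scripts` is the smaller change. The build job's step list starts and ends outside the hunk.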
From: Colton Gerke Date: Tue, 12 May 2026 10:52:32 -0500 Subject: [PATCH 2/2] Try configuring basic auth via BASH/npmrc --- .github/workflows/license-compliance.yml | 19 +++++++++++++++++++ .github/workflows/yarn-package.yml | 18 ++++++++++++++---- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/.github/workflows/license-compliance.yml b/.github/workflows/license-compliance.yml index d8ddb98..e385a0a 100644 --- a/.github/workflows/license-compliance.yml +++ b/.github/workflows/license-compliance.yml @@ -1,5 +1,8 @@ on: workflow_call: + secrets: + npm_token: + required: false inputs: workdir: required: false @@ -14,6 +17,22 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - name: Enable npm.powerapp.cloud auth + shell: bash + env: + NPM_REGISTRY_PASSWORD: ${{ secrets.npm_token }} + run: | + if [ -z "$NPM_REGISTRY_PASSWORD" ]; then + exit 0 + fi + + auth="$(printf 'gh-actions:%s' "$NPM_REGISTRY_PASSWORD" | base64 | tr -d '\n')" + echo "::add-mask::$auth" + { + echo "registry=https://npm.powerapp.cloud" + echo "//npm.powerapp.cloud/:_auth=${auth}" + echo "//npm.powerapp.cloud/:always-auth=true" + } >> "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}" - name: Set up Ruby uses: ruby/setup-ruby@v1 with: diff --git a/.github/workflows/yarn-package.yml b/.github/workflows/yarn-package.yml index ab5d67a..5231aeb 100644 --- a/.github/workflows/yarn-package.yml +++ b/.github/workflows/yarn-package.yml 
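Review bot: The `Enable npm.powerapp.cloud auth` step in the second `license-compliance.yml` hunk appends the encoded credential to the user-level npmrc and never removes it. The file therefore stays readable by every later step in the job, including the tag-pinned third-party action `ruby/setup-ruby@v1` and whatever runs after it outside the hunk. A final step with `if: always()` that deletes the file (or the three appended lines) once the dependency fetch is done would limit the credential's lifetime to the step that needs it. A comment above the step such as `# Registry requires Basic auth from outside the LAN; credential is removed again after install` would also record why it exists. The same step is added to `yarn-package.yml` in this patch, where the credential likewise outlives `yarn install` and is present for `yarn lint`, `yarn build` and the steps that follow.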
@@ -36,12 +36,20 @@ jobs: uses: actions/setup-node@v3 with: node-version: ${{ matrix.node }} - registry-url: https://npm.powerapp.cloud - always-auth: true + - name: Enable npm.powerapp.cloud auth + shell: bash + env: + NPM_REGISTRY_PASSWORD: ${{ secrets.npm_token }} + run: | + auth="$(printf 'gh-actions:%s' "$NPM_REGISTRY_PASSWORD" | base64 | tr -d '\n')" + echo "::add-mask::$auth" + { + echo "registry=https://npm.powerapp.cloud" + echo "//npm.powerapp.cloud/:_auth=${auth}" + echo "//npm.powerapp.cloud/:always-auth=true" + } >> "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}" - run: yarn install --frozen-lockfile working-directory: ${{ inputs.workdir }} - env: - NODE_AUTH_TOKEN: ${{ secrets.npm_token }} - run: yarn lint working-directory: ${{ inputs.workdir }} - run: yarn build @@ -54,6 +62,8 @@ jobs: with: workdir: "${{ inputs.workdir }}" decisions: "${{ inputs.license-decisions }}" + secrets: + npm_token: ${{ secrets.npm_token }} release: needs: [build, license-compliance]
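Review bot: This copy of the `Enable npm.powerapp.cloud auth` step drops the empty-secret check that the `license-compliance.yml` copy has. If `secrets.npm_token` resolves to an empty string, the step still writes an `_auth` entry for `gh-actions:` with no password, and the run presumably fails later at `yarn install` with a registry 401 instead of a clear message. Failing early would be easier to diagnose, e.g. `: "${NPM_REGISTRY_PASSWORD:?npm_token is empty}"` as the first line of the `run:` script. The script now exists in two workflows with one difference between them, so moving it into a shared composite action would keep the copies from drifting further. The build job's steps continue outside the hunk.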