I am working on a pipeline to install npm packages using GitHub Actions, I am getting this error:
npm ERR! code EUSAGE
npm ERR!
npm ERR! The `npm ci` command can only install with an existing package-lock.json or
npm ERR! npm-shrinkwrap.json with lockfileVersion >= 1. Run an install with npm@5 or
npm ERR! later to generate a package-lock.json file, then try again.
npm ERR!
npm ERR! Clean install a project
npm ERR!
npm ERR! Usage:
npm ERR! npm ci
npm ERR!
npm ERR! Options:
npm ERR! [--no-audit] [--foreground-scripts] [--ignore-scripts]
npm ERR! [--script-shell <script-shell>]
npm ERR!
npm ERR! aliases: clean-install, ic, install-clean, isntall-clean
npm ERR!
npm ERR! Run "npm help ci" for more info
npm ERR! A complete log of this run can be found in:
npm ERR! /home/runner/.npm/_logs/2022-09-09T06_53_34_562Z-debug-0.log
Error: Process completed with exit code 1.
My pipeline looks like this :
name: Veracode frontend Scan
on:
workflow_dispatch:
jobs:
veracode:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci
If anyone can help me out, I am not sure where I am going wrong.
CodePudding user response:
Check first if this is related to actions/setup-node
issue 498 or PR 103
The npm-ci
command does mention:
The main differences between using
npm install
andnpm ci
are:
- The project must have an existing
package-lock.json
ornpm-shrinkwrap.json
.- If dependencies in the package lock do not match those in
package.json
,npm ci
will exit with an error, instead of updating the package lock.- ...
Make sure:
- your
npm
project does create apackage-lock.json
(which it should by default) - it is not ignored (
.gitignore
) and is part of your repository codebase.
As noted here:
Running
npm install
for a CI/CD is fundamentally flawed.
It might be acceptable for running tests, but if you rely on reproducible results, you cannot and must not usenpm install
.The problem is that
npm install
will choose whatever version is the newest and that still matches your semver range specified inpackage.json
.
This often works well for some time, but if you suddenly get burned by a broken dependency introduced through a patch release, you potentially will spend hours trying to figure out which exact version you used before.Without a
package-lock.json
you have zero traceability and virtually no chance of reproducing the exact previous build ever again.
Quite frankly, anybody suggested otherwise never had to deal with a broken production build because a fricking dev dependency broke on the CI/CD side.
CodePudding user response:
Seems you miss to checkout the code first, just add the actions/checkout step, as example:
name: Veracode frontend Scan
on:
workflow_dispatch:
jobs:
veracode:
runs-on: ubuntu-latest
steps:
- actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
- run: npm ci