📝 docs: clarify NATIVEWIND token export for bun install #2225
Bun reads bunfig.toml at startup, so env vars set inside the preinstall hook never reach the parent install process. The previous docs and configure-deps script implied the hook handled auth automatically, which caused silent 401s on `@packrat-ai/nativewindui`.
- CLAUDE.md: rewrite Private Package Auth with accurate export patterns and troubleshooting for the "token set?" check.
- configure-deps.ts: stop pretending to inject the var into the parent process; detect a missing token and print the exact fix command.
Pull request overview
Updates internal docs and the preinstall dependency-check script to reflect Bun’s bunfig.toml env var resolution behavior (token must be exported before bun install starts), preventing silent 401s when installing @packrat-ai/nativewindui.
Changes:
- Rewrite Private Package Auth docs with working token export patterns and troubleshooting.
- Update `.github/scripts/configure-deps.ts` to stop attempting to set env vars during `preinstall` and instead fail fast with actionable instructions.
- Preserve CI behavior by requiring `PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN` to be present.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `CLAUDE.md` | Clarifies required token export timing/patterns for Bun + GitHub Packages and adds troubleshooting. |
| `.github/scripts/configure-deps.ts` | Converts preinstall script to an early missing-token detector with fix instructions rather than env injection. |
| console.error('1. Install GitHub CLI: https://cli.github.com'); | ||
| console.error('2. Authenticate: gh auth login'); | ||
| console.error('3. Add packages scope: gh auth refresh -h github.com -s read:packages'); | ||
| console.error(`4. Then export ${TOKEN_VAR}=$(gh auth token) and re-run bun install.`); |
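Review bot: Step 4 exports the output of `gh auth token`, which is the same gh login that step 3 widens with `read:packages`, so the variable ends up holding the developer's general gh credential with every scope that login has rather than a package-read-only token. The message should point out that a dedicated token limited to `read:packages` is the better choice when the value is going to be kept in a shell rc or env file, and keep the `gh auth token` route for one-off shells.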
The local error path when gh is missing/not authenticated only suggests installing/authing gh, but doesn’t mention the supported fallback of setting PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN directly (e.g., a PAT with read:packages). This is a regression from the previous behavior and also contradicts the PR description (“missing-gh path preserved”). Consider updating the message to include the manual env-var option so non-gh environments aren’t blocked.
| console.error('1. Install GitHub CLI: https://cli.github.com'); | |
| console.error('2. Authenticate: gh auth login'); | |
| console.error('3. Add packages scope: gh auth refresh -h github.com -s read:packages'); | |
| console.error(`4. Then export ${TOKEN_VAR}=$(gh auth token) and re-run bun install.`); | |
| console.error('You can fix this in either of these ways:\n'); | |
| console.error('1. Use GitHub CLI'); | |
| console.error(' - Install GitHub CLI: https://cli.github.com'); | |
| console.error(' - Authenticate: gh auth login'); | |
| console.error(' - Add packages scope: gh auth refresh -h github.com -s read:packages'); | |
| console.error(` - Then export ${TOKEN_VAR}=$(gh auth token) and re-run bun install.\n`); | |
| console.error('2. Set the token manually'); | |
| console.error(` - Export ${TOKEN_VAR} directly in your shell before running bun install`); | |
| console.error(' - For example, use a GitHub PAT with the read:packages scope'); |
| ### Troubleshooting | ||
|
|
||
| - **401 on `@packrat-ai/nativewindui`**: `PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN` isn't exported in the parent shell, or the token lacks `read:packages`. Confirm with `echo ${PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN:+set}` — it must print `set`. | ||
| - The `preinstall` hook (`bun run configure:deps`) only *validates* auth. It cannot inject env vars into the parent `bun install` process. |
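Review bot: The `echo ${PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN:+set}` check in the 401 bullet prints `set` for a variable that is assigned in the shell but not exported, which is the very case the bullet is diagnosing, so the check can pass while `bun install` still sees no token. Suggest a check that runs in a child process, for example `sh -c 'echo ${PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN:+set}'`, which still avoids printing the token value.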
The troubleshooting note says the preinstall hook “only validates auth”, but the updated configure-deps.ts no longer validates that the token works—it only checks that the env var is present (and checks gh auth status only when the var is missing). Consider rewording this bullet to match the current behavior, or add an explicit validation step if that’s still desired.
| - The `preinstall` hook (`bun run configure:deps`) only *validates* auth. It cannot inject env vars into the parent `bun install` process. | |
| - The `preinstall` hook (`bun run configure:deps`) only checks for auth configuration (for example, that `PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN` is set, or `gh` auth is available when the env var is missing). It cannot inject env vars into the parent `bun install` process. |
| const ghStatus = await $`gh auth status`.quiet().nothrow(); | ||
| async function configureDeps() { | ||
| if (process.env[TOKEN_VAR]) { | ||
| console.log(`✓ ${TOKEN_VAR} is set — bun install will authenticate to GitHub Packages`); |
The success message asserts that bun install will authenticate, but this script doesn’t actually validate the token against GitHub Packages—only that the env var is non-empty. Consider softening the wording (e.g., “token is set”) or adding a lightweight validation if you want the message to be strictly accurate.
| console.log(`✓ ${TOKEN_VAR} is set — bun install will authenticate to GitHub Packages`); | |
| console.log(`✓ ${TOKEN_VAR} is set — bun install can use it to authenticate to GitHub Packages`); |
Bun auto-loads .env.local before `bun install`, so the token can live alongside other secrets. Demoted the shell-export approach to an alternative path.
Summary
- `bunfig.toml` at startup, so the `preinstall` hook cannot inject `PACKRAT_NATIVEWIND_UI_GITHUB_TOKEN` into the parent install process. The prior docs + `configure-deps.ts` implied the opposite, leading to silent 401s on `@packrat-ai/nativewindui`.
- `CLAUDE.md` — rewrote Private Package Auth with the three working export patterns (inline, one-liner, persistent in shell rc) plus troubleshooting for verifying the var is set.
- `.github/scripts/configure-deps.ts` — no longer pretends to set the var on the parent process; detects a missing token and prints the exact fix command. CI path and missing-`gh` path preserved.
The fix for users
Test plan
- `bun run configure:deps` with var set → prints success
- `bun run configure:deps` without var → prints actionable error with exact commands
- `bun install --dry-run` with export succeeds; without it fails 401 (confirms root cause)
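
The process-environment behaviour the PR description relies on, as an added example that is not code from the pull request: a child process (standing in for the `preinstall` hook) cannot change its parent's environment, and a variable that is assigned but not exported passes a `${VAR:+set}` check in the shell while staying invisible to anything the shell launches. `DEMO_REGISTRY_TOKEN` is a hypothetical stand-in for the real variable name and the token value is constructed.

```shell
#!/bin/sh
# Added example, not code from the pull request.
# DEMO_REGISTRY_TOKEN is a hypothetical stand-in for the real token variable;
# the token value is constructed.
DEMO_TOKEN_VAR=DEMO_REGISTRY_TOKEN

# Stand-in for the preinstall hook: a child process that exports the token.
# The export changes only the child's environment, which is gone when it exits.
run_hook_as_child() {
  sh -c "export $DEMO_TOKEN_VAR=constructed-token-value"
}

# Prints "set" if the variable is non-empty in this shell, exported or not.
# Same ${VAR:+set} form as the troubleshooting check; never echoes the secret.
shell_sees_token() {
  eval "printf '%s' \"\${$DEMO_TOKEN_VAR:+set}\""
}

# Prints "set" only if a newly started process inherits a non-empty value,
# which is what an installer launched from this shell would see.
child_sees_token() {
  sh -c "printf '%s' \"\${$DEMO_TOKEN_VAR:+set}\""
}

# Walks the three states and reports what each check says.
demo() {
  unset "$DEMO_TOKEN_VAR"
  run_hook_as_child
  after_hook="shell=$(shell_sees_token) child=$(child_sees_token)"

  eval "$DEMO_TOKEN_VAR=constructed-token-value"   # assigned, not exported
  unexported="shell=$(shell_sees_token) child=$(child_sees_token)"

  export "$DEMO_TOKEN_VAR"                         # now in the environment
  exported="shell=$(shell_sees_token) child=$(child_sees_token)"

  unset "$DEMO_TOKEN_VAR"
  printf '%s\n' "after-hook: $after_hook" \
                "unexported: $unexported" \
                "exported: $exported"
}

demo
```

The `unexported` row is the case to watch for: the in-shell check reports `set` while the child process still sees nothing.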