[FIXED] Github action script must install npm first to install packages yet others scripts don't require

Issue

This is a working script below. The part that bothers me though is this:

    - name: install npm
      run: npm i npm@latest
      working-directory: ./functions

I have to install the latest version of NPM because otherwise I get this error:

npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!

Ignoring this error doesn’t install the npm packages I need to run my Firebase functions. I have other github action scripts that don’t need this sort of hand holding. What am I doing wrong here?

Full script:

name: Deploy to Firebase Functions

on:
  push:
    branches:
      - main
    # Optionally configure to run only for specific files. For example:
    paths:
    - "functions/**"

jobs:
  main:
    name: Deploy
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Use Node.js 14
      uses: actions/setup-node@v2
      with:
        node-version: '14'
    - name: install npm
      run: npm i npm@latest
      working-directory: ./functions
    - name: install libraries
      run: npm i
      working-directory: ./functions
    - name: install firebase
      run: npm i firebase-tools -g
    - name: deploy
      run: firebase deploy --only functions --token ${{ secrets.FIREBASE_FUNCTIONS_TOKEN }}
      working-directory: ./functions

Solution

The problem is, that the npm version, that generated package-lock.json is not compatible with the npm version that is included in Node.js V14.

First option could be using such Node.js version in the CI, that already contains such npm version that is compatible with lockfileVersion@2. However lockfileVersion@2 is supported from npm version 7, which is part of the latest Node.js version. Using an LTS version of Node is a better choice because of future security updates, so I would not recommend this option.

As second option the packgage-lock.json could be regenerated using a Node.js LTS version with npm V6. This way the lockfileVersion would be okay for the CI with Node version 14 (which is the LTS version right now). I think this is the best option.

As third option an idea is to try npm ci command, but I’m not sure, if this works in this case.

Answered By – Milan Tenk

Answer Checked By – Dawn Plyler (Easybugfix Volunteer)

Leave a Reply

(*) Required, Your email will not be published