fix: fix cf-pages gh pkgs sdk install

[alfetopito]

Summary

Fix cf-pages installation of gh pkgs sdk.

The way the npm auth token was configured previously did not work on cf-pages: https://dash.cloudflare.com/4a1862f09bd4939397c99f925ef3eeaf/pages/view/swap-dev/da5e2aa5-297e-4250-ac02-0d7b45f34992

Now the auth token is stored in a temp file.
Works for both vercel and cf-pages.

To Test

Vercel and cf-pages builds should succeed

Summary by CodeRabbit

• Chores
  • Enhanced package installation authentication and security handling
  • Updated locale strings and removed outdated translation entries
• Tests
  • Added comprehensive test coverage for installation authentication workflow and package configuration verification

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cowfi	Error		Jun 11, 2026 10:22am
explorer-dev	Ready	Preview	Jun 11, 2026 10:22am
storybook	Error		Jun 11, 2026 10:22am
swap-dev	Ready	Preview	Jun 11, 2026 10:22am
widget-configurator	Ready	Preview	Jun 11, 2026 10:22am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
cosmos	Ignored		Jun 11, 2026 10:22am
sdk-tools	Ignored	Preview	Jun 11, 2026 10:22am

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 7a2648e7-da8f-4f19-99af-d6a9429a218d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The PR deactivates two unused translation strings and refactors the install script's GitHub Packages authentication mechanism. Instead of passing auth credentials via environment variables, the script now writes a temporary .npmrc file with 0o600 permissions, passes it to pnpm via npm_config_userconfig, and removes it after installation. New test coverage validates the temporary file creation, content, cleanup, and pnpm invocation.

Changes

Translation String Deactivation

Layer / File(s)	Summary
Deactivate bridging and fallback translations apps/cowswap-frontend/src/locales/en-US.po	Two translation entries ("Bridging without swapping…" and "Not yet supported") are marked obsolete by prefixing msgid/msgstr pairs with #~.

Install Script GitHub Packages Auth Refactor

Layer / File(s)	Summary
Add os import and update documentation tools/scripts/install.js	Import os module to support temporary directory creation; update runPnpmInstall docstring to reflect on-disk temporary npmrc instead of environment-variable-only auth.
Implement temporary npmrc creation, environment wiring, and cleanup tools/scripts/install.js	Refactor SDK-preview install to call createTempNpmrc(authToken), wire the returned path to childEnv.npm_config_userconfig, track the temp directory, and add finally-block cleanup via removeTempNpmrc(dir). Add helper functions to write scoped registry/auth lines to .npmrc with restrictive permissions and remove the temp directory recursively.
Add comprehensive tests for temporary npmrc auth handling tools/scripts/install.test.mjs, tools/scripts/install.js	Introduce node:test suite that executes install.js in a vm sandbox with mocked fs, child_process, os, and path; assert pnpm invocation, npmrc content/permissions, env.npm_config_userconfig wiring, and cleanup via rmSync. Include minimal path module (join, resolve) for sandbox support.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• cowprotocol/cowswap#7450: Modifies install tooling around GitHub Packages auth by creating temporary npm user config and wiring into pnpm install environment.
• cowprotocol/cowswap#7532: Changes GitHub Packages auth-token injection for SDK preview installs via temporary .npmrc and npm_config_userconfig with temp-file cleanup.
• cowprotocol/cowswap#7568: Modifies install.js GitHub Packages auth handling for pnpm install via temporary .npmrc approach.

Suggested reviewers

• Danziger
• shoom3301
• limitofzero

Poem

🐰 A temp npmrc hops through the script,
Auth tokens in files, no env slips,
Tests watch it dance—then poof, it's gone,
Cleanup complete by dawn! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: fix cf-pages gh pkgs sdk install' accurately describes the main change—fixing Cloudflare Pages GitHub Packages SDK installation.
Description check	✅ Passed	The description covers the Summary and To Test sections, but lacks Background information and does not follow the template structure with issue number, checkboxes, or detailed testing steps.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cf-pages-sdk-pkgs-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying explorer-dev with    Cloudflare Pages

Latest commit:	82457b6
Status:	✅  Deploy successful!
Preview URL:	https://e5f56652.explorer-dev-dxz.pages.dev
Branch Preview URL:	https://fix-cf-pages-sdk-pkgs-build.explorer-dev-dxz.pages.dev

View logs

[cloudflare-workers-and-pages]

Deploying swap-dev with    Cloudflare Pages

Latest commit:	82457b6
Status:	✅  Deploy successful!
Preview URL:	https://86f682be.swap-dev-5u6.pages.dev
Branch Preview URL:	https://fix-cf-pages-sdk-pkgs-build.swap-dev-5u6.pages.dev

View logs

[alfetopito]

This had no effect on cf-pages

[alfetopito]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

tools/scripts/install.test.mjs (1)

7-105: ⚡ Quick win

Add a failure-path cleanup case for the temp npmrc.

This only exercises the successful install path. The important guarantee added in install.js is the finally cleanup after execSync throws; without a test for that branch, a regression can leak the temp auth file without CI noticing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/scripts/install.test.mjs` around lines 7 - 105, Add a test exercising
the failure path so the temp .npmrc is still cleaned up when execSync throws: in
the existing test block (or add a new it) change the
sandbox.require('child_process') stub so execSync throws an Error (e.g.,
execSync() { throw new Error('fail') }) and wrap vm.runInNewContext invocation
in a try/catch expecting that error; after catching, assert that writes contains
the temp .npmrc write and removals contains the temp dir removal (same
assertions as the success case). Use the same fakeFs, sandbox.process.env, and
checks of writes[0].path/content/options and removals[0].path/options to verify
finally cleanup ran.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tools/scripts/install.test.mjs`:
- Around line 7-105: Add a test exercising the failure path so the temp .npmrc
is still cleaned up when execSync throws: in the existing test block (or add a
new it) change the sandbox.require('child_process') stub so execSync throws an
Error (e.g., execSync() { throw new Error('fail') }) and wrap vm.runInNewContext
invocation in a try/catch expecting that error; after catching, assert that
writes contains the temp .npmrc write and removals contains the temp dir removal
(same assertions as the success case). Use the same fakeFs, sandbox.process.env,
and checks of writes[0].path/content/options and removals[0].path/options to
verify finally cleanup ran.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: d12e1558-dd7a-405b-b491-b234d2174457

📥 Commits

Reviewing files that changed from the base of the PR and between 25bdb8e and 75f6cf7.

📒 Files selected for processing (3)

• apps/cowswap-frontend/src/locales/en-US.po
• tools/scripts/install.js
• tools/scripts/install.test.mjs