angular · jelbourn · Sep 10, 2019 · Sep 10, 2019 · devversion · Sep 10, 2019
diff --git a/tools/release/npm/npm-client.ts b/tools/release/npm/npm-client.ts
@@ -29,12 +29,13 @@ export function npmLoginInteractive(): boolean {
 }
 
 /** Runs NPM publish within a specified directory */
-export function npmPublish(packagePath: string, distTag: string): string | null {
-  const result = spawnSync('npm', ['publish', '--access', 'public', '--tag', distTag], {
-    cwd: packagePath,
-    shell: true,
-    env: npmClientEnvironment,
-  });
+export function npmPublish(packagePath: string, distTag: string, otp: string): string | null {
+  const result =
+      spawnSync('npm', ['publish', '--access', 'public', '--tag', distTag, '--otp', otp], {
+        cwd: packagePath,
+        shell: true,
+        env: npmClientEnvironment,
+      });
 
   // We only want to return an error if the exit code is not zero. NPM by default prints the
   // logging messages to "stdout" and therefore just checking for "stdout" is not reliable.

diff --git a/tools/release/prompt/npm-dist-tag-prompt.ts b/tools/release/prompt/npm-dist-tag-prompt.ts
@@ -24,6 +24,20 @@ export async function promptForNpmDistTag(version: Version): Promise<string> {
   return distTag;
 }
 
+/**
+ * Prompts the current user-input interface for a npm one-time password (OTP). This is required
+ * to publish packages in the @angular namespace.
+ */
+export async function promptForNpmOtp(): Promise<string> {
+  const {otp} = await prompt<{otp: string}>({
+    type: 'text',
+    name: 'otp',
+    message: 'Enter the one-time password (OTP) for the angular npm account:',
+  });
+
+  return otp;
+}
+
 /**
  * Determines all allowed npm dist-tag choices for a specified version. For example,
  * a pre-release version should be never published to the "latest" tag.

diff --git a/tools/release/publish-release.ts b/tools/release/publish-release.ts
@@ -13,7 +13,7 @@ import {
   npmLoginInteractive,
   npmPublish,
 } from './npm/npm-client';
-import {promptForNpmDistTag} from './prompt/npm-dist-tag-prompt';
+import {promptForNpmDistTag, promptForNpmOtp} from './prompt/npm-dist-tag-prompt';
 import {promptForUpstreamRemote} from './prompt/upstream-remote-prompt';
 import {releasePackages} from './release-output/release-packages';
 import {CHANGELOG_FILE_NAME} from './stage-release';
@@ -123,8 +123,12 @@ class PublishReleaseTask extends BaseReleaseTask {
     // the user to interactively confirm that the script should continue.
     await this._promptConfirmReleasePublish();
 
+    // Prompt for the OTP right before publishing so that it doesn't expire while building the
+    // packages.
+    const npmOtp = await promptForNpmOtp();
+
     for (let packageName of releasePackages) {
-      this._publishPackageToNpm(packageName, npmDistTag);
+      this._publishPackageToNpm(packageName, npmDistTag, npmOtp);
     }
 
     const newReleaseUrl = getGithubNewReleaseUrl({
@@ -237,10 +241,10 @@ class PublishReleaseTask extends BaseReleaseTask {
   }
 
   /** Publishes the specified package within the given NPM dist tag. */
-  private _publishPackageToNpm(packageName: string, npmDistTag: string) {
+  private _publishPackageToNpm(packageName: string, npmDistTag: string, npmOtp: string) {
     console.info(green(`  ⭮   Publishing "${packageName}"..`));
 
-    const errorOutput = npmPublish(join(this.releaseOutputPath, packageName), npmDistTag);
+    const errorOutput = npmPublish(join(this.releaseOutputPath, packageName), npmDistTag, npmOtp);
 
     if (errorOutput) {
       console.error(red(`  ✘   An error occurred while publishing "${packageName}".`));