Build/Packaging Bug: Private design-system packages block open-source builds

[joshyorko]

What is wrong

🐞 Build/Packaging Bug: Private design-system packages block open-source builds

What happens?
Running npm ci && npm run build in action_server/frontend fails with 401 Unauthorized – GET https://npm.pkg.github.com/@robocorp/theme.
The repo depends on:

• @robocorp/theme
• @robocorp/icons
• @sema4ai/ds-internal

All three are private GitHub-Package artifacts, so the build cannot complete outside the Sema4AI org.

Expected behaviour
An open-source clone should build without internal credentials.

Steps to reproduce

1. Fresh clone of this repo
2. cd action_server/frontend
3. npm ci –> 401 error

Suggested fix (either works)

1. Vendor the compiled assets (commit the built dist/* so the frontend never hits the private scope), or
2. Publish the three packages to a public registry (npmjs.com or GitHub Packages with public visibility).

Environment

• Node LTS 20.x
• npm 10.x
• Ubuntu 22.04

This blocks downstream contributors from testing PRs or packaging the server in self-hosted environments.

— Thanks for considering!

System info

Node LTS 20.x

• npm 10.x
• Ubuntu 22.04

Example script

No response

[joshyorko]

@fabioz Would you be able to let me know if these changes could be coming in the future. This limits collaboration and open source contributions.

[fabioz]

I agree, it should be possible to build the Action Server out of Sema4.ai.

I'm checking internally on how to proceed in that front....

[joshyorko]

@fabioz thank you so much I have some features I want to put in a PR for. A roadmap of some type would be helpful too. Maybe I missed?

[fabioz]

Just to give some feedback, this is being worked internally (the main issue being that we have some paid components that cannot be distributed as is directly, so, some unbundling/reorganizing is needed before we can distribute it).

Regarding the roadmap, we don't really have it public (it depends a lot on what our clients require).

Right now what we're working on is being able to support the MCP protocol using the Action Server (we already support @action and @query as tools in MCP, but we're creating a sema4ai.mcp library to make it feel "native" based on the MCP protocol terms).

[joshyorko]

Would be great to have an ETA on the decoupling efforts. You can't really quote this product as being open source if no one but your team can contribute to it. I mean it's all over the Internet as being open source.

[joshyorko]

@fabioz any updates on this front

[fabioz]

Unfortunately not currently (the team which would need to fix this is swamped with other things, so, I can't really provide an ETA right now).

[joshyorko]

Thanks for the follow-up, @fabioz .

I understand the team’s plate is full, but from the outside the project is effectively read-only until those private design-system packages are decoupled. Could you share:

1. A checklist (or even a rough sketch) of what needs to be unbundled so community members can pitch in, and

2. Any interim workaround that would let external contributors at least run npm ci without corporate credentials?

[joshyorko]

@fabioz (and team) – quick follow-up on #220.
Blocking issue: external contributors still can’t run npm ci because the build pulls
@robocorp/theme, @robocorp/icons, and @sema4ai/ds-internal from a private scope.

Could you share one of the following so we can help?

Option	What we’d need	Why it helps
A. Pre-built assets	Publish the compiled /dist of each package (or include them in this repo)	Lets anyone build + test without credentials
B. Public stubs	Empty NPM packages with the same names + peer-deps	Unblocks CI while real decoupling happens
C. Un-bundling checklist	Even a rough TODO of what needs extraction	Allows community to open granular PRs

Happy to tackle any item once we can compile locally.
Thanks for keeping us in the loop! 🙏

Regards,

Josh

[jyorko]

Any updates? Would love to contribute soon, but as noted above in detail, that is impossible, on this Open Source Project?

[joshyorko]

@fabioz any updates on this bug?