From a1094706d6add88870569416511657b787f0cf89 Mon Sep 17 00:00:00 2001 From: Brian Love Date: Fri, 1 May 2026 10:10:29 -0700 Subject: [PATCH] chore(workflow): bump publish workflow to Node 24 for trusted publishing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 0.0.2 publish workflow run failed with 'error retrieving identity token' on @ngaf/licensing and @ngaf/partial-json, and a 404 on @ngaf/a2ui. Root cause: actions/setup-node@v6.3.0 with node-version: 22 ships npm 10.9.x, which has partial OIDC code paths but doesn't fully implement the trusted-publishing flow against npm registry's OIDC endpoint. Node 22 LTS will never ship npm 11+ (locked); Node 24 ships npm 11.6+ out of the box (verified via nodejs.org/dist/index.json). Bump only the publish workflow's Node version. The rest of CI (lint/test/build/e2e) stays on Node 22 — the publish workflow doesn't share artifacts with those, so the version drift is harmless. Sources: - https://philna.sh/blog/2026/01/28/trusted-publishing-npm/ - https://github.com/npm/cli/issues/8730 - https://docs.npmjs.com/trusted-publishers/ Co-Authored-By: Claude Opus 4.7 --- .github/workflows/publish.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index eef1883eb..bd89cfa66 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -21,9 +21,14 @@ jobs: NPM_PUBLISHABLE_PROJECTS: chat,langgraph,ag-ui,render,a2ui,partial-json,licensing steps: - uses: actions/checkout@v6.0.2 + # Node 24 ships npm 11+ which fully implements npm trusted publishing + # over OIDC. Node 22 is LTS but locked at npm 10.x, which has only + # partial trusted-publishing support and fails OIDC on this registry. + # The rest of CI (lint/test/build) runs on Node 22; this workflow + # uses Node 24 specifically for the publish step. - uses: actions/setup-node@v6.3.0 with: - node-version: 22 + node-version: 24 cache: npm registry-url: https://registry.npmjs.org
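Review bot: The `node-version: 24` change fixes the OIDC failure only through whichever npm that Node release happens to bundle, and no step checks that assumption, so a later edit to `node-version` or to the setup-node action could bring back the 'error retrieving identity token' failure at publish time. Consider adding a step before the publish that runs `npm --version` and fails the job when it is below the version trusted publishing needs, or installing a pinned npm explicitly. The new comment says "npm 11+" while the commit message says Node 24 ships "npm 11.6+"; the comment should state the same floor so the next reader knows what to verify. Since this job publishes via OIDC, it is also worth pinning `actions/checkout@v6.0.2` and `actions/setup-node@v6.3.0` to full commit SHAs rather than tags, and reconsidering `cache: npm` in a release job, where restored cache contents feed directly into what gets published.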