ci(publish-npm): bump to Node 24 to clear npm 11.5.1 floor for OIDC #59
Open
Trusted publishing requires npm >= 11.5.1, but Node 22's bundled npm is 10.x. Run 25097941330 failed with E404 on PUT because npm 10.9.7 cannot exchange the OIDC token for a registry credential and fell back to anonymous auth. Reinstating the global npm upgrade restores the working behavior from the original OIDC migration.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Previous attempt re-added `npm install -g npm@latest`, but that's exactly what failed in run 24882819896 with MODULE_NOT_FOUND on promise-retry — a known corruption of npm 10.9.7 in the Node 22.22.2 runner toolcache (actions/runner-images#13883). Node 24.x natively ships npm 11.12.1+, clearing the OIDC trusted-publishing floor (>= 11.5.1) without the fragile global upgrade.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `node-version: 22` → `24` in `.github/workflows/publish-npm.yml` so the runner gets npm 11.12.1+ natively. npm OIDC trusted publishing requires npm CLI >= 11.5.1.
- `npm install -g npm@latest` workaround is not safe on the current runner image — see context below.

Why not just upgrade npm in place
Run 24882819896 (the very first OIDC attempt, before f269712) failed at exactly the `npm install -g npm@latest` step:

That's a known corruption in Node 22.22.2's bundled npm 10.9.7 inside the GitHub-hosted toolcache. Any global npm upgrade hits it. Shubham's f269712 ("removed the global npm installation step") was a real workaround for that crash, not just cleanup — but it left the runner on npm 10.9.7, which fails OIDC publish with `E404 on PUT` (the registry's stand-in for "this token can't authorize this PUT") because npm 10.x doesn't speak the trusted-publishing token-exchange protocol.

Bumping Node to 24 clears both problems at once:
- `-g` upgrade against a corrupted toolcache

What this PR does NOT fix
The trusted-publisher config on npmjs.com was originally registered for `@subham_/rescript-blend`. Commit `5787894` renamed the package to `@juspay/rescript-blend` but did not update the npmjs.com side. Even with the npm version fix in this PR, the publish will keep returning `404 on PUT` until an admin on the `@juspay` npm org goes to npmjs.com → package settings and registers a trusted publisher for `@juspay/rescript-blend` pointing at:
- `juspay/blend-rescript`
- `publish-npm.yml`
- `npm`

(And likely creates the package under the `@juspay` scope first, since this would be its inaugural publish under that name.)

Test plan
- `Publish to NPM` with `dry_run=true` on this branch and confirm `npm --version` is `11.12.x` (>= 11.5.1).
- `@juspay` npm org admin that the trusted-publisher entry exists for `@juspay/rescript-blend`.
- `dry_run=false`) and verify the package appears at `@juspay/rescript-blend@0.0.37-beta.2` with `--tag beta`.

🤖 Generated with Claude Code
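A preflight that a publish job could run before `npm publish`, so an npm below the 11.5.1 floor stops the step with a clear message instead of the anonymous-auth `E404 on PUT` described above. This is an added example, not code from the PR or the repository: the function names are hypothetical, and the second check goes beyond the PR by relying on the `ACTIONS_ID_TOKEN_REQUEST_*` variables that GitHub Actions sets for jobs granted `id-token: write`.

```shell
#!/bin/sh
# Added example (not from the PR): preflight for an npm trusted-publishing job.
NPM_OIDC_FLOOR=11.5.1   # floor stated in the PR description

# version_ge A B -> 0 if A >= B, 1 if A < B, 2 if either is not a plain
# MAJOR[.MINOR[.PATCH]] number. Anything unparseable is refused (fail closed).
version_ge() {
  for _v in "$1" "$2"; do
    case $_v in
      ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 2 ;;
    esac
  done
  _a="$1.0.0"; _b="$2.0.0"   # pad so "11" compares as 11.0.0
  for _i in 1 2 3; do
    _p=$(printf '%s\n' "$_a" | cut -d. -f"$_i")
    _q=$(printf '%s\n' "$_b" | cut -d. -f"$_i")
    if [ "$_p" -gt "$_q" ]; then return 0; fi
    if [ "$_p" -lt "$_q" ]; then return 1; fi
  done
  return 0
}

# oidc_publish_preflight NPM_VERSION
#   0: ok; 3: npm below the floor (or unparseable); 4: no OIDC token endpoint
oidc_publish_preflight() {
  if ! version_ge "$1" "$NPM_OIDC_FLOOR"; then
    echo "npm '$1' is below $NPM_OIDC_FLOOR: no OIDC token exchange," \
         "publish would go out unauthenticated" >&2
    return 3
  fi
  # Set by GitHub Actions only when the job has `permissions: id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC token endpoint missing: add 'id-token: write' to the job" >&2
    return 4
  fi
  return 0
}

# Workflow step, before `npm publish`:
#   oidc_publish_preflight "$(npm --version)" || exit 1
```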