From 53f1feecd24ef8b0173eb4f7793d9c78a73b67f5 Mon Sep 17 00:00:00 2001 From: roshan84ya Date: Wed, 29 Apr 2026 16:28:51 +0530 Subject: [PATCH 1/2] ci(publish-npm): restore npm@latest install for OIDC trusted publishing Trusted publishing requires npm >= 11.5.1, but Node 22's bundled npm is 10.x. Run 25097941330 failed with E404 on PUT because npm 10.9.7 cannot exchange the OIDC token for a registry credential and fell back to anonymous auth. Reinstating the global npm upgrade restores the working behavior from the original OIDC migration. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-npm.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index a3dcbda..ee5c892 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -36,10 +36,14 @@ jobs: registry-url: 'https://registry.npmjs.org' cache: npm - # OIDC "trusted publishing" needs npm >= 9.5.0. Node 22 ships npm 10.x - # which is sufficient. The explicit version check ensures visibility. + # OIDC trusted publishing requires npm >= 11.5.1 + # (https://docs.npmjs.com/trusted-publishers). Node 22 still ships npm + # 10.x, so we must upgrade explicitly — without this the publish step + # cannot exchange the OIDC token for a registry credential and fails + # with E404 on PUT. - name: Ensure npm supports OIDC trusted publishing run: | + npm install -g npm@latest npm --version - name: Install dependencies From 21bc01766894fe8d7285b776e5c89370886a853f Mon Sep 17 00:00:00 2001 From: roshan84ya Date: Wed, 29 Apr 2026 16:40:33 +0530 Subject: [PATCH 2/2] ci(publish-npm): bump to Node 24 instead of upgrading npm in place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previous attempt re-added `npm install -g npm@latest`, but that's exactly what failed in run 24882819896 with MODULE_NOT_FOUND on promise-retry — a known corruption of npm 10.9.7 in the Node 22.22.2 runner toolcache (actions/runner-images#13883). Node 24.x natively ships npm 11.12.1+, clearing the OIDC trusted-publishing floor (>= 11.5.1) without the fragile global upgrade. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/publish-npm.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index ee5c892..ff88200 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -29,22 +29,20 @@ jobs: steps: - uses: actions/checkout@v6 + # Node 24 ships npm 11.12.1+, which clears the >= 11.5.1 floor that npm + # OIDC trusted publishing requires (https://docs.npmjs.com/trusted-publishers). + # Staying on Node 22 is not an option: its bundled npm is 10.x, and + # `npm install -g npm@latest` on the 22.22.2 runner image fails with + # MODULE_NOT_FOUND on `promise-retry` (actions/runner-images#13883). - name: Setup Node.js uses: actions/setup-node@v6 with: - node-version: 22 + node-version: 24 registry-url: 'https://registry.npmjs.org' cache: npm - # OIDC trusted publishing requires npm >= 11.5.1 - # (https://docs.npmjs.com/trusted-publishers). Node 22 still ships npm - # 10.x, so we must upgrade explicitly — without this the publish step - # cannot exchange the OIDC token for a registry credential and fails - # with E404 on PUT. - name: Ensure npm supports OIDC trusted publishing - run: | - npm install -g npm@latest - npm --version + run: npm --version - name: Install dependencies run: npm ci