ci(release): upgrade npm to latest for OIDC token exchange #9
Merged
Node 20 ships npm 10.x. With the trusted-publisher OIDC migration in PR #8 landed, `npm publish` can sign provenance but cannot exchange the GitHub-issued OIDC token for an npm publish credential — the registry returns a misleading 404 ("'@routerlab/core@0.0.2' is not in this registry") even though the package and the binding both exist.

Adding `npm install -g npm@latest` after setup-node@v4 bumps to npm >= 11.5.1, which supports the OIDC publishing flow. Smallest possible fix; no other workflow changes.

Reference: npm blog post on trusted publishing requires npm 11.5.1+.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
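A preflight check for the failure mode described above, added here as an example and not part of this PR or the routerlab project: it compares the runner's npm CLI version against the 11.5.1 minimum the PR cites, so a too-old npm fails the job with a clear message instead of letting `npm publish` surface the auth problem as a 404. The `--check` flag and the function names are my own, not anything the workflow uses.

```shell
#!/usr/bin/env sh
# Minimum npm CLI version able to exchange the GitHub OIDC token for a
# publish credential (per the PR text and npm's trusted-publishing docs).
NPM_MIN_OIDC_VERSION="11.5.1"

# version_ge A B: returns 0 when A >= B, comparing major.minor.patch numerically.
# A leading "v" and any pre-release/build suffix (-beta.1, +sha) are ignored.
version_ge() {
  IFS=. read -r a1 a2 a3 _ <<EOF
$(printf '%s\n' "$1" | sed 's/^v//; s/[-+].*$//')
EOF
  IFS=. read -r b1 b2 b3 _ <<EOF
$(printf '%s\n' "$2" | sed 's/^v//; s/[-+].*$//')
EOF
  for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
    x=${pair%%:*}
    y=${pair#*:}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# npm_supports_oidc_publish VERSION: 0 when that npm can complete the OIDC exchange.
npm_supports_oidc_publish() {
  version_ge "$1" "$NPM_MIN_OIDC_VERSION"
}

# check_runner_npm: inspect the npm on PATH and fail loudly, instead of letting
# `npm publish` report the missing credential as "is not in this registry".
check_runner_npm() {
  have=$(npm --version 2>/dev/null) || { echo "npm not found on PATH" >&2; return 2; }
  if npm_supports_oidc_publish "$have"; then
    echo "npm $have >= $NPM_MIN_OIDC_VERSION: OIDC trusted publishing supported"
    return 0
  fi
  echo "npm $have < $NPM_MIN_OIDC_VERSION: run 'npm install -g npm@latest' before 'npm publish'" >&2
  return 1
}

# Run the check only when invoked directly with --check (hypothetical flag),
# e.g. as a workflow step placed right after actions/setup-node@v4.
if [ "${1:-}" = "--check" ]; then
  check_runner_npm
fi
```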
Why this is needed
Trusted Publisher OIDC migration in #8 landed, but publishes still 404. Root cause: npm CLI version on the runner.
Node 20 ships npm 10.x. With OIDC trusted-publisher, npm 10.x can sign provenance attestations (the workflow log shows successful signing to sigstore log index 1515879049) but cannot exchange the GitHub-issued OIDC token for a publish credential. The PUT to the registry returns a misleading 404 `'@routerlab/core@0.0.2' is not in this registry` — npm hides the auth state.
npm Trusted Publishing requires CLI version >= 11.5.1.
Fix
Add a single `npm install -g npm@latest` step after `actions/setup-node@v4`. Lightweight; runs in <5s on the cached runner.
Test plan
After merge, the next changeset-driven release will: