From 4fccca47d21393013f5d268d0eb7e84145c57d07 Mon Sep 17 00:00:00 2001 From: AgentSeal Date: Sat, 18 Apr 2026 09:46:13 -0700 Subject: [PATCH] fix(ci): use Node 24 for npm OIDC trusted publishing Node 22 on GitHub's hosted runners currently pins to a broken npm 10.9.7 whose internal `promise-retry` module is missing from the toolcache (runner-images#13883, nodejs/node#62430). Self-upgrading via `npm install -g npm@latest` crashes before the install can run, because `@npmcli/arborist` cannot start without that module. Node 24 LTS bundles npm 11.x natively, which supports OIDC trusted publishing out of the box (minimum is 11.5.1, per npm docs). Bumping the runtime lets us delete the fragile upgrade step entirely. Test: tag `v0.7.4-rc.2` after merge to validate the flow publishes successfully with provenance. --- .github/workflows/publish-npm.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml index 30db2dda..acd32081 100644 --- a/.github/workflows/publish-npm.yml +++ b/.github/workflows/publish-npm.yml @@ -25,16 +25,15 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '22' + # Node 24 (LTS) ships with npm 11.x, which supports OIDC trusted + # publishing natively. Node 22 on GitHub hosted runners currently + # pins to a broken npm 10.9.7 (runner-images#13883) and any + # self-upgrade from within that toolcache crashes on a missing + # promise-retry module, so bumping the runtime is the cleanest + # fix. + node-version: '24' registry-url: 'https://registry.npmjs.org' - - name: Upgrade npm for trusted publishing - # Node 22 ships with npm 10.x; npm OIDC trusted publishing requires - # npm 11.5.1+. Without this, the publish step silently falls back - # to the empty NODE_AUTH_TOKEN written by setup-node and the - # registry returns 404. - run: npm install -g npm@latest - - name: Verify tag matches package.json run: | TAG_VERSION="${GITHUB_REF#refs/tags/v}"