Skip to content

Commit a6e25b2

Browse files
willwashburnclaude
andauthored
ci: drop destructive npm self-upgrade, use bundled npm for publish (#247)
"npm install -g npm@latest" self-upgrades over the bundled npm and prunes packages it still needs (log shows "removed 71 packages"), leaving the resulting npm unable to require 'sigstore' during "npm publish --provenance" (npm/cli#2736, npm/cli#3175). Node 22.22.3 already bundles npm 10.9.8, and provenance/OIDC id-token attestation has been supported since npm 9.5. The workflow already grants id-token: write and publishes with --provenance, so the bundled npm is sufficient. Removing the self-upgrade step eliminates the whole class of self-install corruption (promise-retry, sigstore) and the npm@latest moving-target engine breakage. Claude-Session: https://claude.ai/code/session_01X4h6iYSAmtDjNuDn3wXaGj Co-authored-by: Claude <noreply@anthropic.com>
1 parent 8e44333 commit a6e25b2

1 file changed

Lines changed: 0 additions & 6 deletions

File tree

.github/workflows/publish-npm.yml

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -214,9 +214,6 @@ jobs:
214214
name: build-output
215215
path: .
216216

217-
- name: Update npm for OIDC support
218-
run: npm install -g npm@latest
219-
220217
- name: Dry run check
221218
if: github.event.inputs.dry_run == 'true'
222219
working-directory: packages/${{ matrix.package }}
@@ -253,9 +250,6 @@ jobs:
253250
name: build-output
254251
path: .
255252

256-
- name: Update npm for OIDC support
257-
run: npm install -g npm@latest
258-
259253
- name: Dry run check
260254
if: github.event.inputs.dry_run == 'true'
261255
working-directory: packages/${{ github.event.inputs.package }}

0 commit comments

Comments
 (0)