Commit a6e25b2
ci: drop destructive npm self-upgrade, use bundled npm for publish (#247)
"npm install -g npm@latest" self-upgrades over the bundled npm and
prunes packages it still needs (log shows "removed 71 packages"),
leaving the resulting npm unable to require 'sigstore' during
"npm publish --provenance" (npm/cli#2736, npm/cli#3175).
Node 22.22.3 already bundles npm 10.9.8, and provenance/OIDC id-token
attestation has been supported since npm 9.5. The workflow already
grants id-token: write and publishes with --provenance, so the bundled
npm is sufficient. Removing the self-upgrade step eliminates the whole
class of self-install corruption (promise-retry, sigstore) and the
npm@latest moving-target engine breakage.
Claude-Session: https://claude.ai/code/session_01X4h6iYSAmtDjNuDn3wXaGj
Co-authored-by: Claude <noreply@anthropic.com>1 parent 8e44333 commit a6e25b2
1 file changed
Lines changed: 0 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
214 | 214 | | |
215 | 215 | | |
216 | 216 | | |
217 | | - | |
218 | | - | |
219 | | - | |
220 | 217 | | |
221 | 218 | | |
222 | 219 | | |
| |||
253 | 250 | | |
254 | 251 | | |
255 | 252 | | |
256 | | - | |
257 | | - | |
258 | | - | |
259 | 253 | | |
260 | 254 | | |
261 | 255 | | |
| |||
0 commit comments