Skip to content

ci: drop destructive npm self-upgrade in publish workflow#247

Merged
willwashburn merged 1 commit into
mainfrom
claude/relaycast-workflow-failure-gmn5u2
Jul 9, 2026
Merged

ci: drop destructive npm self-upgrade in publish workflow#247
willwashburn merged 1 commit into
mainfrom
claude/relaycast-workflow-failure-gmn5u2

Conversation

@willwashburn

@willwashburn willwashburn commented Jul 9, 2026

Copy link
Copy Markdown
Member

What

Removes the Update npm for OIDC support step (npm install -g npm@latest) from both the publish-packages and publish-single jobs in .github/workflows/publish-npm.yml.

Why

Follow-up to #246 (which bumped the pinned Node to 22.22.3). With the npm-upgrade step now able to run, the next publish failed at the actual publish step:

npm error code MODULE_NOT_FOUND
npm error Cannot find module 'sigstore'
npm error - .../npm/node_modules/libnpmpublish/lib/provenance.js

Root cause: npm install -g npm@latest self-upgrades npm over its own bundled copy and prunes packages it still needs — the log shows removed 71 packages, and changed 85 packages. The resulting npm can no longer require('sigstore') during npm publish --provenance. This is the known destructive-self-upgrade behavior (npm/cli#2736, npm/cli#3175), and the same corruption class that produced the earlier promise-retry failure.

Fix

Drop the self-upgrade step entirely and use the npm bundled with Node 22.22.3 (npm 10.9.8). The step was never required for this workflow:

  • The workflow already grants id-token: write (line 59) and publishes with --provenance.
  • Provenance / OIDC id-token attestation has been supported since npm 9.5, so 10.9.8 is sufficient.
  • Pinning a specific npm@x version wouldn't help — it still self-upgrades over the bundled npm and can corrupt the tree the same way.

Removing the step eliminates the entire self-install corruption class (promise-retry, sigstore) and the npm@latest moving-target engine breakage.

Note: this workflow is workflow_dispatch-only and its dry_run path uses npm publish --dry-run without --provenance, so a dry run won't exercise the provenance code path — only a real publish fully validates it. The fix is sound by construction (the bundled npm's libnpmpublish ships an intact sigstore), but a real publish is the definitive confirmation.

🤖 Generated with Claude Code


Generated by Claude Code

Review in cubic

"npm install -g npm@latest" self-upgrades over the bundled npm and
prunes packages it still needs (log shows "removed 71 packages"),
leaving the resulting npm unable to require 'sigstore' during
"npm publish --provenance" (npm/cli#2736, npm/cli#3175).

Node 22.22.3 already bundles npm 10.9.8, and provenance/OIDC id-token
attestation has been supported since npm 9.5. The workflow already
grants id-token: write and publishes with --provenance, so the bundled
npm is sufficient. Removing the self-upgrade step eliminates the whole
class of self-install corruption (promise-retry, sigstore) and the
npm@latest moving-target engine breakage.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X4h6iYSAmtDjNuDn3wXaGj
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 2dcdf6fd-4af3-4f7a-b27d-31d5d78fadcc

📥 Commits

Reviewing files that changed from the base of the PR and between 8e44333 and b72d11a.

📒 Files selected for processing (1)
  • .github/workflows/publish-npm.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/publish-npm.yml

📝 Walkthrough

Walkthrough

This change removes a workflow step that installed the latest npm globally for OIDC support in two jobs (publish-packages and publish-single) within the publish-npm.yml GitHub Actions workflow file.

Changes

Publish Workflow Cleanup

Layer / File(s) Summary
Remove npm update step from publish jobs
.github/workflows/publish-npm.yml
Removed the "Update npm for OIDC support" step (npm install -g npm@latest) from both the publish-packages and publish-single jobs.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Poem

A hop, a skip, a trimmed-down line,
No more npm updates, just fine!
The workflow runs a bit more spry,
Six lines gone, no need to sigh 🐇
Publish on, beneath the sky!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes removing the npm self-upgrade from the publish workflow.
Description check ✅ Passed The description directly explains the workflow change and why the step was removed.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/relaycast-workflow-failure-gmn5u2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b72d11a320

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines 217 to 218
- name: Dry run check
if: github.event.inputs.dry_run == 'true'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use an npm CLI new enough for trusted publishing

In this workflow I found no NODE_AUTH_TOKEN/NPM_TOKEN, so the real publish paths rely on npm trusted publishing/OIDC; npm's trusted-publishing docs require npm CLI 11.5.1 or later, while the pinned Node 22.22.3 release notes show it bundles npm 10.9.8. Removing this upgrade from both publish jobs leaves npm publish running with a CLI that cannot perform the OIDC token exchange, so non-dry-run publishes will fail authentication even though id-token: write is present; the dry-run path does not exercise that path.

Useful? React with 👍 / 👎.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

@willwashburn willwashburn merged commit a6e25b2 into main Jul 9, 2026
5 checks passed
@willwashburn willwashburn deleted the claude/relaycast-workflow-failure-gmn5u2 branch July 9, 2026 03:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants