ci: drop destructive npm self-upgrade in publish workflow#247
Conversation
"npm install -g npm@latest" self-upgrades over the bundled npm and prunes packages it still needs (log shows "removed 71 packages"), leaving the resulting npm unable to require 'sigstore' during "npm publish --provenance" (npm/cli#2736, npm/cli#3175). Node 22.22.3 already bundles npm 10.9.8, and provenance/OIDC id-token attestation has been supported since npm 9.5. The workflow already grants id-token: write and publishes with --provenance, so the bundled npm is sufficient. Removing the self-upgrade step eliminates the whole class of self-install corruption (promise-retry, sigstore) and the npm@latest moving-target engine breakage. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01X4h6iYSAmtDjNuDn3wXaGj
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
📝 WalkthroughWalkthroughThis change removes a workflow step that installed the latest npm globally for OIDC support in two jobs (publish-packages and publish-single) within the publish-npm.yml GitHub Actions workflow file. ChangesPublish Workflow Cleanup
Estimated code review effort: 1 (Trivial) | ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b72d11a320
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - name: Dry run check | ||
| if: github.event.inputs.dry_run == 'true' |
There was a problem hiding this comment.
Use an npm CLI new enough for trusted publishing
In this workflow I found no NODE_AUTH_TOKEN/NPM_TOKEN, so the real publish paths rely on npm trusted publishing/OIDC; npm's trusted-publishing docs require npm CLI 11.5.1 or later, while the pinned Node 22.22.3 release notes show it bundles npm 10.9.8. Removing this upgrade from both publish jobs leaves npm publish running with a CLI that cannot perform the OIDC token exchange, so non-dry-run publishes will fail authentication even though id-token: write is present; the dry-run path does not exercise that path.
Useful? React with 👍 / 👎.
What
Removes the
Update npm for OIDC supportstep (npm install -g npm@latest) from both thepublish-packagesandpublish-singlejobs in.github/workflows/publish-npm.yml.Why
Follow-up to #246 (which bumped the pinned Node to 22.22.3). With the npm-upgrade step now able to run, the next publish failed at the actual publish step:
Root cause:
npm install -g npm@latestself-upgrades npm over its own bundled copy and prunes packages it still needs — the log showsremoved 71 packages, and changed 85 packages. The resulting npm can no longerrequire('sigstore')duringnpm publish --provenance. This is the known destructive-self-upgrade behavior (npm/cli#2736, npm/cli#3175), and the same corruption class that produced the earlierpromise-retryfailure.Fix
Drop the self-upgrade step entirely and use the npm bundled with Node 22.22.3 (npm 10.9.8). The step was never required for this workflow:
id-token: write(line 59) and publishes with--provenance.npm@xversion wouldn't help — it still self-upgrades over the bundled npm and can corrupt the tree the same way.Removing the step eliminates the entire self-install corruption class (
promise-retry,sigstore) and thenpm@latestmoving-target engine breakage.🤖 Generated with Claude Code
Generated by Claude Code