fix npm trusted publishing auth#248
Conversation
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds a new workflow step in ChangesTrusted Publishing Setup
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/publish-npm.yml">
<violation number="1" location=".github/workflows/publish-npm.yml:211">
P2: The `npm@11` semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for `@11` ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using `npm@latest` to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like `npm@^11.5.1` to encode the actual requirement directly.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| node-version: "22.22.3" | ||
| registry-url: "https://registry.npmjs.org" | ||
|
|
||
| - name: Setup npm for trusted publishing |
There was a problem hiding this comment.
P2: The npm@11 semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for @11 ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using npm@latest to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like npm@^11.5.1 to encode the actual requirement directly.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-npm.yml, line 211:
<comment>The `npm@11` semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for `@11` ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using `npm@latest` to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like `npm@^11.5.1` to encode the actual requirement directly.</comment>
<file context>
@@ -208,6 +208,9 @@ jobs:
node-version: "22.22.3"
registry-url: "https://registry.npmjs.org"
+ - name: Setup npm for trusted publishing
+ run: npm install -g npm@11
+
</file context>
Summary
npm publishRoot Cause
The publish jobs run
npm publish --provenance, butactions/setup-nodeprovided npm 10.9.8 in the failed run. npm trusted publishing requires npm 11.5.1 or newer, so the publish request fell back to token-style auth and npm rejected the package PUT with E404.Validation
git diff --checkactionlint -ignore 'shellcheck reported issue' -ignore 'softprops/action-gh-release@v1' .github/workflows/publish-npm.ymlFull
actionlintstill reports pre-existing unrelated findings in this workflow: shellcheck quoting warnings andsoftprops/action-gh-release@v1.