Skip to content

fix npm trusted publishing auth#248

Merged
willwashburn merged 1 commit into
mainfrom
agent/fix-npm-trusted-publishing
Jul 9, 2026
Merged

fix npm trusted publishing auth#248
willwashburn merged 1 commit into
mainfrom
agent/fix-npm-trusted-publishing

Conversation

@willwashburn

@willwashburn willwashburn commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

  • install npm 11 in both NPM publish jobs before npm publish
  • keep the existing Node version and trusted publishing workflow shape

Root Cause

The publish jobs run npm publish --provenance, but actions/setup-node provided npm 10.9.8 in the failed run. npm trusted publishing requires npm 11.5.1 or newer, so the publish request fell back to token-style auth and npm rejected the package PUT with E404.

Validation

  • git diff --check
  • actionlint -ignore 'shellcheck reported issue' -ignore 'softprops/action-gh-release@v1' .github/workflows/publish-npm.yml

Full actionlint still reports pre-existing unrelated findings in this workflow: shellcheck quoting warnings and softprops/action-gh-release@v1.

Review in cubic

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5b9eed63-3ad5-4851-a393-987a28f6506c

📥 Commits

Reviewing files that changed from the base of the PR and between a6e25b2 and 948487b.

📒 Files selected for processing (1)
  • .github/workflows/publish-npm.yml

📝 Walkthrough

Walkthrough

Adds a new workflow step in .github/workflows/publish-npm.yml to globally install npm@11 before publishing, applied to both the publish-packages and publish-single jobs prior to artifact download and publish steps.

Changes

Trusted Publishing Setup

Layer / File(s) Summary
npm@11 install step
.github/workflows/publish-npm.yml
Adds a "Setup npm for trusted publishing" step to globally install npm@11 before the download/publish steps in both publish-packages and publish-single jobs.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

Poem

A hop, a skip, a workflow tweak,
npm@11 installed sleek,
Before we ship our carrots bright,
Trusted publishing feels just right.
🐇📦✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: fixing npm trusted publishing auth in the publish workflow.
Description check ✅ Passed The description is directly related and accurately explains the npm 11 publishing fix and its root cause.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch agent/fix-npm-trusted-publishing

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@willwashburn willwashburn marked this pull request as ready for review July 9, 2026 04:44

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/publish-npm.yml">

<violation number="1" location=".github/workflows/publish-npm.yml:211">
P2: The `npm@11` semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for `@11` ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using `npm@latest` to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like `npm@^11.5.1` to encode the actual requirement directly.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

node-version: "22.22.3"
registry-url: "https://registry.npmjs.org"

- name: Setup npm for trusted publishing

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The npm@11 semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for @11 ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using npm@latest to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like npm@^11.5.1 to encode the actual requirement directly.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-npm.yml, line 211:

<comment>The `npm@11` semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for `@11` ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using `npm@latest` to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like `npm@^11.5.1` to encode the actual requirement directly.</comment>

<file context>
@@ -208,6 +208,9 @@ jobs:
           node-version: "22.22.3"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Setup npm for trusted publishing
+        run: npm install -g npm@11
+
</file context>

@willwashburn willwashburn merged commit 998a8a2 into main Jul 9, 2026
6 of 7 checks passed
@willwashburn willwashburn deleted the agent/fix-npm-trusted-publishing branch July 9, 2026 04:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant