Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/workflows/publish-npm.yml
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,9 @@ jobs:
node-version: "22.22.3"
registry-url: "https://registry.npmjs.org"

- name: Setup npm for trusted publishing

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The npm@11 semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for @11 ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using npm@latest to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like npm@^11.5.1 to encode the actual requirement directly.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish-npm.yml, line 211:

<comment>The `npm@11` semver range does not guarantee the minimum version required for trusted publishing (npm >= 11.5.1). While the range resolves to 11.18.0 today, it technically matches any 11.x (including 11.0.0–11.5.0, which lack OIDC trusted publishing support). If the npm registry cache on the runner is stale or if the dist-tag for `@11` ever points to an older version for any reason, the publish step could silently fall back to a version that fails with E404 again. Consider using `npm@latest` to get the most recent stable npm (which is 11.x as of today and will stay at the latest), or pin to a more precise range like `npm@^11.5.1` to encode the actual requirement directly.</comment>

<file context>
@@ -208,6 +208,9 @@ jobs:
           node-version: "22.22.3"
           registry-url: "https://registry.npmjs.org"
 
+      - name: Setup npm for trusted publishing
+        run: npm install -g npm@11
+
</file context>

run: npm install -g npm@11

- name: Download build artifacts
uses: actions/download-artifact@v4
with:
Expand Down Expand Up @@ -244,6 +247,9 @@ jobs:
node-version: "22.22.3"
registry-url: "https://registry.npmjs.org"

- name: Setup npm for trusted publishing
run: npm install -g npm@11

- name: Download build artifacts
uses: actions/download-artifact@v4
with:
Expand Down
Loading