ci: pin npm to 11.5.1 so OIDC trusted publishing is supported

Rednegniw · Rednegniw · commit ee259d7f0d42 · 2026-04-22T13:52:32.000+02:00
corepack's `npm@latest` shorthand resolves via corepack's built-in
knownLastVersions table, which on Node 22.22.2 still points at
npm 10.9.7. npm 10 has no OIDC trusted-publishing support, so
`changeset publish` could not exchange the GitHub OIDC token for a
registry token and failed with ENEEDAUTH even though the trusted
publisher was configured on npmjs.com. Pinning to 11.5.1 (the first
npm release with trusted publishing) makes the exchange work.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Install modern npm for OIDC trusted publishing
         run: |
           corepack enable
-          corepack prepare npm@latest --activate
+          corepack prepare npm@11.5.1 --activate
           npm --version
 
       - run: bun install --frozen-lockfile
