fix(release): upgrade npm so OIDC trusted publishing works #138
Merged
Conversation
node 20 ships npm 10, which signs provenance but can't authenticate a publish via OIDC trusted publishing (needs npm >= 11.5.1). The unauthenticated PUT was masked as a 404. Add 'npm install -g npm@latest' to the npm job.
Problem
The Publish to npm job in the v0.0.6 release failed: provenance signing succeeded, but the publish itself went out unauthenticated.
@harmont/hm uses OIDC trusted publishing, but node 20 ships npm 10, which can sign provenance yet cannot authenticate a publish via OIDC — that requires npm ≥ 11.5.1. With no credentials, npm masks the auth failure on a scoped package as a 404.
Fix
Add npm install -g npm@latest after setup-node so the configured trusted publisher actually authenticates. No token/secret needed.
Fixes npm publishing for v0.0.7+. (v0.0.6's npm artifact needs a one-off manual publish since re-runs use the workflow as it was at the tag.)
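A preflight check for the release job, as an added example that is not part of this PR or the project's workflow: it compares the installed npm against the 11.5.1 minimum the PR description names, upgrades with `npm install -g npm@latest` when the runner's npm is too old, and refuses to publish if it is still too old, so the job fails with a clear message instead of an unauthenticated PUT masked as a 404. The function names, the `NPM_MIN_OIDC_VERSION` constant and the reliance on `sort -V` (GNU coreutils, as on GitHub-hosted Linux runners) are assumptions of this example.

```shell
# Added example, not the project's own release script.
# Fail early when npm predates OIDC trusted publishing (>= 11.5.1, per the PR)
# rather than letting an unauthenticated publish surface as a 404.

# Minimum npm that can authenticate a publish via OIDC trusted publishing.
NPM_MIN_OIDC_VERSION="11.5.1"

# version_ge A B: succeed when dotted version A >= B.
# Relies on GNU sort -V (version sort), available on GitHub-hosted Linux runners.
version_ge() {
  # If B sorts first (or equal), then A >= B.
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# npm_supports_oidc_publish VERSION: succeed when VERSION can do OIDC publishing.
npm_supports_oidc_publish() {
  version_ge "$1" "$NPM_MIN_OIDC_VERSION"
}

# Run in the release job right after setup-node, before `npm publish`.
# Assumes npm is on PATH (it is under actions/setup-node).
ensure_npm_for_oidc() {
  current="$(npm --version)"
  if npm_supports_oidc_publish "$current"; then
    echo "npm $current supports OIDC trusted publishing"
    return 0
  fi
  echo "npm $current is below $NPM_MIN_OIDC_VERSION; upgrading"
  npm install -g npm@latest
  current="$(npm --version)"
  if ! npm_supports_oidc_publish "$current"; then
    echo "npm $current still below $NPM_MIN_OIDC_VERSION; refusing to publish" >&2
    return 1
  fi
  echo "npm $current supports OIDC trusted publishing"
}

# Usage in the workflow step (assumed): `ensure_npm_for_oidc && npm publish --provenance`
```

Checking the version explicitly, rather than unconditionally installing npm@latest, keeps the step honest: if the upgrade is ever skipped or pinned, the job fails on the version check with a message that names the real cause.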