Commit e6aa2cf

ynamite and claude committed
ci(release): upgrade npm to >=11.5.1 for OIDC Trusted Publishing

The tag-triggered publish of v3.0.0-alpha.2 failed with E404: Node 20 ships npm 10.8.2, which can sign provenance via OIDC but cannot AUTHENTICATE the publish through a Trusted Publisher (that landed in npm 11.5.1). The npm package's trusted-publisher config was correct; the CI npm was just too old.

Add an `npm install -g npm@latest` step after setup-node so `npm publish` can use the OIDC token for registry auth.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 91b0676 commit e6aa2cf

1 file changed

Lines changed: 6 additions & 0 deletions

.github/workflows/release.yml

@@ -32,6 +32,12 @@ jobs:
3232
cache: pnpm
3333
registry-url: https://registry.npmjs.org
3434

35+
# OIDC Trusted Publishing (token-less publish + provenance auth) requires
36+
# npm >= 11.5.1; Node 20 ships npm 10.8.x, which signs provenance but can't
37+
# authenticate the publish (registry returns E404). Upgrade before publish.
38+
- name: Upgrade npm for Trusted Publishing
39+
run: npm install -g npm@latest
40+
3541
- name: Install dependencies
3642
run: pnpm install --frozen-lockfile
3743
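
Review bot: The added step at new line 39, `run: npm install -g npm@latest`, installs an unpinned npm in the job that publishes, so each release runs whatever npm version is current that day. The comment above it and the commit message give a concrete floor (npm >= 11.5.1); pinning to that, for example `npm install -g npm@11.5.1` or a bounded range such as `npm@^11.5.1`, keeps the release toolchain reproducible and makes a later npm major a deliberate change. A following `npm --version` line would also record in the job log which version actually performed the publish.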
