From fbf0a532caec556f72380a890c5e2db09ab17cde Mon Sep 17 00:00:00 2001
From: ring-wdr <akswnd55@gmail.com>
Date: Thu, 26 Mar 2026 00:13:33 +0900
Subject: [PATCH] Use a trusted-publishing compatible npm runtime

The publish workflow was running Node 22.22.1 with npm 10.9.4, which is below npm's current trusted publishing requirement. Upgrade the publish job to Node 24, install the latest npm explicitly, and bump the prerelease version to 0.1.35-rc.1 for a fresh release-path validation.

Constraint: Existing release tag v0.1.35-rc.0 cannot be reused after a failed publish attempt
Rejected: Keep Node 22 only | GitHub runner image currently bundles npm 10.9.4 in that lane
Rejected: Retry the same release again | reruns keep the old workflow definition and package version
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep runtime version output in the publish job until OIDC publishing is stable across releases
Tested: npm run build; npm test; npm pack --dry-run
Not-tested: End-to-end GitHub Release triggered npm publish via OIDC until merged and released from main
---
 .github/workflows/publish.yml | 10 +++++++++-
 package-lock.json             |  4 ++--
 package.json                  |  2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ea5615a..f98edcb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -20,10 +20,18 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v5
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org
           cache: npm
 
+      - name: Upgrade npm for trusted publishing
+        run: npm install --global npm@latest
+
+      - name: Show runtime versions
+        run: |
+          node --version
+          npm --version
+
       - name: Install dependencies
         run: npm ci
 
diff --git a/package-lock.json b/package-lock.json
index ca86f86..64f92fe 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "react-devtool-cli",
-  "version": "0.1.35-rc.0",
+  "version": "0.1.35-rc.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "react-devtool-cli",
-      "version": "0.1.35-rc.0",
+      "version": "0.1.35-rc.1",
       "license": "MIT",
       "dependencies": {
         "playwright": "1.58.2"
diff --git a/package.json b/package.json
index 5f1d228..8313f4d 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "react-devtool-cli",
-  "version": "0.1.35-rc.0",
+  "version": "0.1.35-rc.1",
   "description": "Agent-first CLI for React component tree inspection, snapshot-aware node debugging, and profiler analysis through a Playwright-managed browser session.",
   "license": "MIT",
   "type": "module",