fix(publish): pin npm to 11.5.1 for OIDC trusted publishing#241
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Root cause
helixir@0.6.1 failed to publish with a misleading
E404 'not in this registry'. Root cause: the publish job ran with npm 10.9.7 (Node 22 bundled), which cannot do OIDC trusted publishing. pnpm publish shells out to npm for the registry PUT, so npm version matters. The TP entry and OIDC token were correct; npm 10.9.7 just can't authenticate and returns 404 (npm/cli#8976).Fix
Add
npm install -g npm@11.5.1 --forceafter setup-node. Matches the working pattern from discord-ops and create-helix (both shipped via TP).Publish flow
0.6.1 is already bumped on main (unpublished). Merging re-triggers the publish workflow → publishes 0.6.1 with the working npm. No new changeset needed.
Test plan
npm view helixir@0.6.1shows version + provenance attestation