fix(ci): restore npm upgrade step for OIDC trusted publishing #122
Merged
The publish-npm workflow relies on npm OIDC trusted publishing (`npm publish --provenance` with id-token: write and no NPM_TOKEN). That requires npm >= 11.5.1, but Node 20 ships npm 10.x. The required `npm install -g npm@latest` step was added in 2d7ae74 specifically for OIDC support and then accidentally dropped in 9c94873 ("simplify release workflow"). Without it, provenance signing succeeds but the registry PUT fails with `E404 ... is not in this registry` -- exactly the v0.2.6 publish failure. Restore the step so the OIDC publish is authenticated.
Problem

The v0.2.6 publish to npm failed with `E404 ... '@pppp606/ink-chart@0.2.6' is not in this registry`, even though the npm Trusted Publisher is correctly configured (`pppp606/ink-chart` → `publish-npm.yml`).

Root cause

`publish-npm.yml` uses npm OIDC trusted publishing (`npm publish --provenance`, `id-token: write`, no `NPM_TOKEN`). That requires npm ≥ 11.5.1, but `actions/setup-node` with `node-version: '20'` ships npm 10.x.

The required `npm install -g npm@latest` step was added in `2d7ae74` ("upgrade npm to latest for OIDC trusted publishing support") and then accidentally removed in `9c94873` ("simplify release workflow").

With npm 10.x the provenance statement is still signed (OIDC token exchange works), but the actual registry PUT is unauthenticated → `E404`. This exactly matches the observed failure.

Fix

Restore the npm upgrade step between `setup-node` and `npm ci`:

After merge

The `v0.2.6` tag (and GitHub release) already exist but point to a commit without this fix. Once merged, the tag will be re-pointed to the fixed commit and re-pushed to re-trigger publishing — no version bump needed (0.2.6 was never published).
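
A preflight guard for the regression described above, as an added example that is not part of this PR or the project's workflow: it fails the job with a clear message when npm is older than the 11.5.1 minimum the description states, instead of surfacing later as an `E404` on the registry PUT. The function names and the `--check` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight guard to run before `npm publish --provenance`.
# 11.5.1 is the minimum the PR description states; all names are hypothetical.
MIN_NPM_FOR_OIDC="11.5.1"

# version_ge A B: succeed when dotted version A >= B. Only the numeric
# major.minor.patch fields are compared; "-pre" / "+build" suffixes are ignored.
version_ge() {
    _a=${1%%[-+]*}
    _b=${2%%[-+]*}
    _ifs=$IFS
    IFS=.
    set -- $_a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $_b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$_ifs
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; fi
    if [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -lt "$b3" ]; then return 1; fi
    return 0
}

# require_npm_for_oidc VERSION: return 0 when VERSION is new enough for OIDC
# trusted publishing, 1 when it is too old, 2 when it is not a dotted version.
require_npm_for_oidc() {
    case ${1%%[-+]*} in
        ''|*[!0-9.]*) echo "unrecognised npm version: '$1'" >&2; return 2 ;;
    esac
    if version_ge "$1" "$MIN_NPM_FOR_OIDC"; then
        echo "npm $1 >= $MIN_NPM_FOR_OIDC: OK for OIDC trusted publishing"
        return 0
    fi
    echo "npm $1 < $MIN_NPM_FOR_OIDC: the registry PUT would be unauthenticated (E404)." >&2
    echo "Run 'npm install -g npm@latest' before 'npm publish --provenance'." >&2
    return 1
}

# Only query the installed npm when asked to, so the functions can be reused.
if [ "${1:-}" = "--check" ]; then
    require_npm_for_oidc "$(npm --version 2>/dev/null)" || exit $?
fi
```

Run with `--check` as a workflow step after `setup-node` and before the publish step, so a future workflow simplification that drops the upgrade step fails immediately.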