fix(ci): restore npm upgrade step for OIDC trusted publishing #122

Merged: pppp606 merged 1 commit into main from fix/publish-npm-oidc-upgrade on Jun 8, 2026

pppp606 (Owner) commented Jun 8, 2026

Problem

The v0.2.6 publish to npm failed with E404 ... '@pppp606/ink-chart@0.2.6' is not in this registry, even though the npm Trusted Publisher is correctly configured (pppp606/ink-chart → publish-npm.yml).

Root cause

publish-npm.yml uses npm OIDC trusted publishing (npm publish --provenance, id-token: write, no NPM_TOKEN). That requires npm ≥ 11.5.1, but actions/setup-node with node-version: '20' ships npm 10.x.

The required npm install -g npm@latest step was added in 2d7ae74 ("upgrade npm to latest for OIDC trusted publishing support") and then accidentally removed in 9c94873 ("simplify release workflow").

With npm 10.x the provenance statement is still signed (OIDC token exchange works), but the actual registry PUT is unauthenticated → E404. This exactly matches the observed failure.

Fix

Restore the npm upgrade step between setup-node and npm ci:

- name: Upgrade npm for OIDC trusted publishing
  run: |
    npm install -g npm@latest
    npm --version

After merge

The v0.2.6 tag (and GitHub release) already exist but point to a commit without this fix. Once merged, the tag will be re-pointed to the fixed commit and re-pushed to re-trigger publishing — no version bump needed (0.2.6 was never published).

The publish-npm workflow relies on npm OIDC trusted publishing
(`npm publish --provenance` with id-token: write and no NPM_TOKEN). That
requires npm >= 11.5.1, but Node 20 ships npm 10.x. The required
`npm install -g npm@latest` step was added in 2d7ae74 specifically for OIDC
support and then accidentally dropped in 9c94873 ("simplify release workflow").

Without it, provenance signing succeeds but the registry PUT fails with
`E404 ... is not in this registry` -- exactly the v0.2.6 publish failure.
Restore the step so the OIDC publish is authenticated.

pppp606 merged commit 077d41f into main Jun 8, 2026
5 checks passed
pppp606 deleted the fix/publish-npm-oidc-upgrade branch June 8, 2026 06:19
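
A guard that a publish job could run before `npm publish --provenance`, so that a later removal of the upgrade step fails with a clear message rather than the E404 described in this PR. This is an added example, not part of the PR or the repository's workflow; the function names `version_ge` and `require_npm_for_oidc` are hypothetical, and the 11.5.1 minimum is the figure stated in the PR description.

```shell
#!/bin/sh
# Added example (not from the PR): fail fast when the runner's npm is too old
# for OIDC trusted publishing. The minimum is the figure stated in the PR.
MIN_NPM="11.5.1"

# version_ge A B: return 0 if A >= B, 1 if A < B, 2 if a field is not numeric.
# Compares major.minor.patch numerically; "-pre" / "+build" suffixes are ignored.
version_ge() {
  va=${1#v}; va=${va%%[-+]*}
  vb=${2#v}; vb=${vb%%[-+]*}
  i=0
  while [ "$i" -lt 3 ]; do
    fa=${va%%.*}; fb=${vb%%.*}
    fa=${fa:-0}; fb=${fb:-0}
    # Fail closed on anything that is not a plain decimal field.
    case "$fa$fb" in *[!0-9]*) return 2 ;; esac
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
    # Drop the field just compared; missing fields count as 0.
    case "$va" in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case "$vb" in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    i=$((i + 1))
  done
  return 0
}

# require_npm_for_oidc [VERSION]: checks VERSION, or `npm --version` if omitted.
# Returns non-zero (failing the CI step) when npm is older than MIN_NPM.
require_npm_for_oidc() {
  have=${1:-$(npm --version)}
  if version_ge "$have" "$MIN_NPM"; then
    echo "npm $have >= $MIN_NPM: OIDC trusted publishing supported"
  else
    echo "npm $have < $MIN_NPM: upgrade npm before 'npm publish --provenance'" >&2
    return 1
  fi
}
```

In a workflow step the script would be sourced and `require_npm_for_oidc` called with no argument, after the upgrade step and before publishing.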