From 113bc1818f1260cc4801ae9661ce26f905ed36ee Mon Sep 17 00:00:00 2001
From: Pavel Tcholakov <pavel@restate.dev>
Date: Wed, 6 May 2026 21:36:18 +0200
Subject: [PATCH] Pin npm to 10.x for OIDC trusted publishing (npm 11 breaks
 ENEEDAUTH on empty token)

---
 .github/workflows/publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5d53f1f..5deb59c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,10 +23,10 @@ jobs:
           node-version: "22.x"
           registry-url: "https://registry.npmjs.org"
 
-      # npm 11.5.1+ required for trusted publishing with OIDC. Use corepack rather than `npm install -g npm@latest`,
-      # which fails on the Node 22 runner image due to a missing dependency in the bundled npm's global-install path.
+      # npm 11 breaks OIDC trusted publishing (ENEEDAUTH on empty NODE_AUTH_TOKEN).
+      # Pin to npm 10 via corepack until the regression is fixed upstream.
       - run: corepack enable
-      - run: corepack install -g npm@latest
+      - run: corepack install -g npm@10
       - run: npm ci
 
       # Release: update version BEFORE build so artifacts have correct version