ci: Bump Node to 24 so npm 11+ ships in CI#189
Merged
Conversation
Node 22 (used by every workflow via .nvmrc) ships with npm 10.x, which predates OIDC trusted-publishing support in the npm CLI (added in npm 11.5.1). As a result, the OIDC migration from PR #186 signed provenance correctly but the subsequent PUT to the registry fell back to legacy auth and got rejected (404 "package not in this registry" is npm's response when the publishing client lacks permission and trusted-publishing isn't being negotiated). Bumping .nvmrc to 24 pulls in bundled npm 11.x, completing the OIDC publish flow. Side benefit: aligns with the consumer @athombv/node-zigbee already requiring Node 24. Leaves package.json `engines.node` at >=22 - CI baseline and the published runtime support range are separate concerns. Verified locally on Node 24.14.1 / npm 11.11.0: - `npm run lint`: pass - `npm test`: 76/76 pass - `npm run generate-types` + `tsc --noEmit index.d.ts`: clean, no drift
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The OIDC publish migrated in #186 sat at one piece short of working in CI: the runner used Node 22 (per
.nvmrc), which ships with npm 10.x. OIDC trusted-publishing support in the npm CLI was added in npm 11.5.1, so the actual publish PUT fell through to legacy auth and was rejected by the registry. Provenance still got signed (Sigstore-only path, npm >=9.5) which made the failure mode look unrelated to OIDC at first.See the failing run for the symptom: https://github.com/athombv/node-zigbee-clusters/actions/runs/26087345127/job/76703710227
Bumping
.nvmrcto 24 pulls in bundled npm 11.x, completing the OIDC flow. Side benefit: aligns with@athombv/node-zigbeewhich already requires Node 24.Out of scope
engines.nodestays at>=22- CI baseline and the published runtime support range are separate concerns and existing consumers on Node 22 shouldn't be force-bumped just because CI ran on something newer.Verified locally
Node 24.14.1 / npm 11.11.0:
npm run lintnpm testnpm run generate-types+tsc --noEmit index.d.tsindex.d.tsdriftCleanup note (not in this PR)
productionis atv3.1.0(tag + package.json) but the registry is still at the previous published version. After this lands and the next CI publish goes through with a fresh#minorbump, the registry will jump to3.2.0andv3.1.0will be an orphan tag. If that matters, publish 3.1.0 once locally with a temporary token first.