chore: update Node.js version handling in release workflow #110

Merged
olliethedev merged 1 commit into main from fix/release-action
Apr 8, 2026

@olliethedev olliethedev commented Apr 8, 2026

Summary

  • fix issue with npm@latest

Type of change

  • Bug fix
  • New plugin
  • Feature / enhancement to an existing plugin
  • Documentation
  • Chore / refactor / tooling

Checklist

  • pnpm build passes
  • pnpm typecheck passes
  • pnpm lint passes
  • Tests added or updated (unit and/or E2E)
  • Docs updated (docs/content/docs/) if consumer-facing types or behavior changed
  • All three codegen-projects create successfully and pass E2E tests
  • New plugin: submission checklist in CONTRIBUTING.md completed

Screenshots


Note

Low Risk
Low risk CI-only change that adjusts Node version selection and removes the global npm@latest update step; impact is limited to release pipeline behavior.

Overview
Updates the release GitHub Actions workflow to source the Node.js version from .nvmrc instead of hardcoding 22.x.

Removes the step that globally installs npm@latest, avoiding release failures tied to npm upgrades while leaving the rest of the publish flow unchanged.

Reviewed by Cursor Bugbot for commit 697b8fc. Bugbot is set up for automated code reviews on this repo.

vercel bot commented Apr 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| better-stack-docs | Ready | Preview, Comment | Apr 8, 2026 10:53pm |
| better-stack-playground | Ready | Preview, Comment | Apr 8, 2026 10:53pm |

@cursor cursor bot left a comment

Security Review — No High-Confidence Vulnerabilities Found

This PR makes two changes to .github/workflows/release.yml:

1. node-version: 22.x → node-version-file: '.nvmrc'

Assessment: No security regression; minor improvement.

.nvmrc currently pins 22.18.0 — a fully-qualified version — which is more specific than the previous 22.x floating selector. The workflow checks out the tagged release commit (ref: ${{ github.event.release.tag_name }}), so the .nvmrc used is the one committed at that tag, making the Node.js version auditable and reproducible per release.

2. Removal of npm install -g npm@latest

Assessment: Security improvement.

The removed step fetched an unversioned, runtime-resolved package from the npm registry on every release run. Removing it eliminates a live supply-chain dependency; the release now uses the npm version bundled with the pinned Node.js 22.18.0, whose integrity is guaranteed by the actions/setup-node action.

Other observations (pre-existing, not introduced by this PR)

The Verify tag matches package version step embeds ${{ github.event.release.tag_name }} directly into a shell script. While tag names are maintainer-controlled and already scoped to the release: [published] trigger, this pattern is worth noting as a general hygiene item for future hardening (e.g., assign to an env var and reference $ENV_VAR instead of inlining the expression). This is pre-existing and out of scope for this review.


No vulnerabilities are introduced or exposed by the diff under review.

Sent by Cursor Automation: Find vulnerabilities
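
The hygiene item in the review above (an expression inlined into a `run:` script versus one passed through `env:`) can be checked mechanically. The following is an added example, not part of the bot's comment or the repository's code: a small line-based checker run over a constructed workflow excerpt, where the step name and the `tag_name` expression come from the review and the script bodies and the `TAG_NAME` variable are assumptions.

```python
import re

# Constructed workflow excerpt. The step name and the tag_name expression are
# from the review above; the script bodies are assumed, not the project's own.
WORKFLOW = """\
steps:
  - name: Verify tag matches package version (inlined expression)
    run: |
      TAG="${{ github.event.release.tag_name }}"
      test "${TAG#v}" = "$(node -p "require('./package.json').version")"
  - name: Verify tag matches package version (env var)
    env:
      TAG_NAME: ${{ github.event.release.tag_name }}
    run: |
      test "${TAG_NAME#v}" = "$(node -p "require('./package.json').version")"
  - run: echo "${{ github.event.release.tag_name }}"
"""

EXPR = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def inlined_expressions(workflow_text):
    """Return (line_number, expression) for every ${{ }} inside a run: script.

    Expressions under env: are not reported: the runner passes those to the
    shell as data instead of pasting them into the script text.
    """
    findings = []
    block_indent = None  # column of the run: key while inside its block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > block_indent:
                findings += [(number, e) for e in EXPR.findall(line)]
                continue
            block_indent = None  # a dedent ends the script block
        match = RUN_KEY.match(line)
        if match:
            prefix, body = match.groups()
            if body[:1] in ("|", ">"):
                block_indent = len(prefix)
            else:
                findings += [(number, e) for e in EXPR.findall(body)]
    return findings


if __name__ == "__main__":
    for number, expression in inlined_expressions(WORKFLOW):
        print(f"line {number}: ${{{{ {expression} }}}} is expanded into the script")
```

The checker reports every expression inside a script body, whatever its source, so each finding still needs a reviewer to decide whether the value can be influenced from outside the repository.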

@olliethedev olliethedev merged commit 3cbe27f into main Apr 8, 2026
6 checks passed
@olliethedev olliethedev deleted the fix/release-action branch April 8, 2026 23:00