From 6f12a39fcf7b20350d57eeb7cc11450018d03d19 Mon Sep 17 00:00:00 2001
From: Theo Ephraim <theo@dmno.dev>
Date: Mon, 25 May 2026 15:47:37 -0700
Subject: [PATCH] fix: add npm install -g npm@latest to workflow examples and
 release workflow

Node latest (v24) ships with npm 11.13.0 which is too old for staged
publishing (>= 11.15.0). The explicit npm upgrade step is required.
---
 .bumpy/npm-upgrade-step.md     | 5 +++++
 .github/workflows/release.yaml | 3 ++-
 README.md                      | 3 ++-
 docs/github-actions.md         | 6 ++++--
 4 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 .bumpy/npm-upgrade-step.md

diff --git a/.bumpy/npm-upgrade-step.md b/.bumpy/npm-upgrade-step.md
new file mode 100644
index 0000000..8ad538d
--- /dev/null
+++ b/.bumpy/npm-upgrade-step.md
@@ -0,0 +1,5 @@
+---
+'@varlock/bumpy': none
+---
+
+true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6c89c08..96ee3df 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -19,10 +19,11 @@ jobs:
         with:
           fetch-depth: 0
       - uses: oven-sh/setup-bun@v2
-      # Node.js (npm) is needed for npm publish — latest includes npm >= 11.x for OIDC/staged
+      # Node.js (npm) is needed for npm publish
       - uses: actions/setup-node@v6
         with:
           node-version: latest
+      - run: npm install -g npm@latest # ensure npm >= 11.15.0 for staged publishing
       - run: bun install
 
       # --- You wont need this part ---
diff --git a/README.md b/README.md
index 980159a..46a9f3b 100644
--- a/README.md
+++ b/README.md
@@ -129,7 +129,8 @@ jobs:
       - uses: oven-sh/setup-bun@v2
       - uses: actions/setup-node@v6
         with:
-          node-version: latest # Node LTS ships with npm 10.x; latest includes npm >= 11.x for OIDC/staged
+          node-version: latest
+      - run: npm install -g npm@latest # ensure npm >= 11.15.0 for OIDC/staged publishing
       - run: bun install
       - run: bunx @varlock/bumpy ci release
         env:
diff --git a/docs/github-actions.md b/docs/github-actions.md
index 404bd8c..ca458bd 100644
--- a/docs/github-actions.md
+++ b/docs/github-actions.md
@@ -35,7 +35,7 @@ jobs:
 
 ### Trusted publishing (OIDC — recommended)
 
-No `NPM_TOKEN` secret needed. Use `node-version: latest` (not `lts/*`) since Node LTS ships with npm 10.x, while OIDC requires >= 11.5.1 and staged publishing requires >= 11.15.0.
+No `NPM_TOKEN` secret needed. Requires npm >= 11.5.1 for OIDC (>= 11.15.0 for staged publishing) — add `npm install -g npm@latest` since even Node latest may not ship with a new enough npm.
 
 ```yaml
 # .github/workflows/bumpy-release.yml
@@ -62,7 +62,8 @@ jobs:
       - uses: oven-sh/setup-bun@v2
       - uses: actions/setup-node@v6
         with:
-          node-version: latest # Node LTS ships with npm 10.x; latest includes npm >= 11.x for OIDC/staged
+          node-version: latest
+      - run: npm install -g npm@latest # ensure npm >= 11.15.0 for OIDC/staged publishing
       - run: bun install
       - run: bunx @varlock/bumpy ci release
         env:
@@ -157,6 +158,7 @@ jobs:
       - uses: actions/setup-node@v6
         with:
           node-version: latest
+      - run: npm install -g npm@latest
       - run: bun install
 
       - id: plan