From 6c0414d8a1a354fbdf53b148497dab2f3fd17635 Mon Sep 17 00:00:00 2001
From: Radiks Alijevs
Date: Sat, 11 Apr 2026 22:48:34 +0300
Subject: [PATCH] fix(ci): avoid global npm upgrade; activate npm 11 via Corepack for release
---
 .github/workflows/release.yml | 11 ++++++++---
 docs/OSS_PUBLIC_REPO_SYNC.md | 2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36d12f7..ae3b30a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,13 +20,18 @@ jobs:
 - uses: actions/setup-node@v4
 with:
- node-version: "22"
+ # Node 22+ and npm 11.5.1+ required for Trusted Publishing (OIDC). Node 24 ships a recent toolchain.
+ node-version: "24"
 registry-url: https://registry.npmjs.org
 cache: npm
- # Trusted publishing requires npm CLI >= 11.5.1 (see npm trusted-publishers docs).
+ # Do not use `npm install -g npm@...` here: it can leave the runner with a broken global npm (e.g. MODULE_NOT_FOUND: promise-retry).
+ # Activate a pinned npm 11.x via Corepack instead (meets npm >= 11.5.1 for OIDC).
 - name: Ensure npm for OIDC
- run: npm install -g npm@^11.5.1
+ run: | corepack enable corepack prepare npm@11.6.3 --activate npm --version
 - name: Verify VERSION matches tag
 run: |
diff --git a/docs/OSS_PUBLIC_REPO_SYNC.md b/docs/OSS_PUBLIC_REPO_SYNC.md
index 2c91a5e..3eef200 100644
--- a/docs/OSS_PUBLIC_REPO_SYNC.md
+++ b/docs/OSS_PUBLIC_REPO_SYNC.md
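Review bot: In the new `Ensure npm for OIDC` step, `corepack enable` with no package-manager argument does not install an npm shim — Corepack's documented default leaves npm out because Node ships its own — so after `corepack prepare npm@11.6.3 --activate` the `npm` on PATH is still the one bundled with whichever Node 24 patch release setup-node resolved, and `npm --version` only prints it without failing; the enclosing `jobs:` block begins before this hunk. Change the first script line to `corepack enable npm` and the last to `test "$(npm --version)" = "11.6.3"` so a silent fallback to a pre-11.5.1 npm fails in this step instead of surfacing later as an opaque OIDC error at publish time. Because Corepack downloads the npm tarball from the registry at release time, inside a workflow that carries a publish identity, its integrity should be pinned too: Corepack documents hash-suffixed descriptors (`npm@11.6.3+sha512.<hash>`) for the `packageManager` field, and if `corepack prepare` accepts the same form it belongs here. Node 25 reportedly no longer bundles Corepack, so the `node-version: "24"` pin is load-bearing and the comment above it should say so rather than only "ships a recent toolchain".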
@@ -40,6 +40,6 @@ After changing `VERSION`, commit, then sync, then rebuild and run checks before
 ## CI and publish (GitHub Actions)
 - **CI** (`.github/workflows/ci.yml`): on every PR and push to `main` - `npm ci`, `npm run build`, `npm run engine:validate`.
-- **Release** (`.github/workflows/release.yml`): on push of tag `v*` (e.g. `v0.2.0`). The `VERSION` file must equal the tag without the `v` prefix (`0.2.0`). After bumping `VERSION`, run `npm run sync-versions`, commit, merge, then create and push the tag on that commit.
+- **Release** (`.github/workflows/release.yml`): on push of tag `v*` (e.g. `v0.2.0`). The `VERSION` file must equal the tag without the `v` prefix (`0.2.0`). After bumping `VERSION`, run `npm run sync-versions`, commit, merge, then create and push the tag on that commit. The workflow uses **Node 24** and **Corepack** to activate **npm 11.5.1+** (Trusted Publishing / OIDC); it avoids `npm install -g npm`, which can break on GitHub-hosted runners.
 - **npm:** publishing uses **Trusted Publishing** (OIDC) from this workflow file - no long-lived `NPM_TOKEN` in GitHub. Each `@kiploks/engine-*` package on npmjs.com must list this workflow under Trusted Publisher (filename must match: `release.yml`).
 - Optional: create a **GitHub Release** from the tag for notes; it does not affect npm publish.