From e92b99ee56aeda5214b5f0756c5f6ccca14ee538 Mon Sep 17 00:00:00 2001
From: milstan
Date: Wed, 20 May 2026 11:38:10 -0700
Subject: [PATCH] ci(release): drop sudo so npm upgrade lands in setup-node's PATH
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previous PR ran `sudo npm install -g npm@latest` which installs to /usr/local/lib/node_modules — outside setup-node's bin prefix. The next `npm` call kept resolving to the runner-bundled npm 10.9.7 (visible in the failed run's `npm --version` output), which doesn't speak Trusted Publishers OIDC. Result: publish attempted token-style auth with no token, got 404. Without sudo, the install goes into setup-node's writable prefix (/opt/hostedtoolcache/node/.../bin/), so `npm --version` reflects the upgrade and OIDC kicks in. Also: echo `npm $(npm --version) at $(which npm)` for next-time debuggability.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9bac02a..c073061 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -119,10 +119,15 @@ jobs:
 working-directory: packages/mcp
 run: |
 set -euo pipefail
+ # Install npm@latest into the setup-node prefix (writable; no
+ # sudo). The runner image bundles npm 10.x with Node 22, but
+ # Trusted Publishers OIDC requires npm ≥ 11.5.1. Using `sudo`
+ # would install to /usr/local — outside setup-node's PATH —
+ # leaving the next `npm` call still pointing at 10.x.
 # `--force` works around a MODULE_NOT_FOUND (promise-retry)
- # error when npm upgrades itself in-place on the runner image.
- sudo npm install -g npm@latest --force
- npm --version
+ # error when npm upgrades itself in-place.
+ npm install -g npm@latest --force
+ echo "npm $(npm --version) at $(which npm)"
 VERSION=$(node -p "require('./package.json').version")
 # Idempotent: if @leadbay/mcp@$VERSION is already on npm, skip.
 if npm view "@leadbay/mcp@$VERSION" version --silent 2>/dev/null; then
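Review bot: The added `npm install -g npm@latest --force` still pulls an unpinned npm into the job that publishes the package, so the client doing the Trusted Publishers OIDC exchange changes with every npm release and `--force` overrides npm's own install safeguards. Pinning an exact version that meets the ≥ 11.5.1 requirement stated in the comment, e.g. `npm install -g npm@11.5.1 --force`, and bumping it deliberately keeps the release toolchain reproducible and reviewable. The new `echo` only reports what was resolved. A guard that fails the step when `npm --version` is below 11.5.1 would turn the silent fallback to token-style auth described in the commit message into an explicit error. The `run:` block, including the `if npm view …; then` branch, continues past the end of the hunk.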