From 5a39f0a3e916142f0c05aed0ae2b75ee5d6881ce Mon Sep 17 00:00:00 2001
From: irl-dan <97565471+irl-dan@users.noreply.github.com>
Date: Fri, 22 May 2026 17:52:11 -0700
Subject: [PATCH] fix: upgrade npm for reactor trusted publish

---
 .../scripts/verify-reactor-publish-workflow.test.mjs | 10 ++++++++++
 .github/workflows/ci-reactor-package.yml             |  3 +++
 2 files changed, 13 insertions(+)

diff --git a/.github/scripts/verify-reactor-publish-workflow.test.mjs b/.github/scripts/verify-reactor-publish-workflow.test.mjs
index 4931d7e..6b9a4ee 100644
--- a/.github/scripts/verify-reactor-publish-workflow.test.mjs
+++ b/.github/scripts/verify-reactor-publish-workflow.test.mjs
@@ -30,6 +30,11 @@ test('reactor package workflow runs publish path only for reactor-v* tags', asyn
     /id-token: write/,
     'publish job must request OIDC id-token permission for npm provenance',
   );
+  assert.match(
+    publishJob,
+    /npm install -g npm@11\.5\.1/,
+    'publish job must upgrade npm to a Trusted Publishing-capable CLI before provenance publish',
+  );
   assert.doesNotMatch(
     extractJob(source, 'ci'),
     /npm publish/,
@@ -113,6 +118,11 @@ test('reactor package workflow publishes both smoked tarballs with provenance',
     'publish job must rely on npm trusted publishing/OIDC without token fallback',
   );
   assertInOrder(publishJob, 'Publish Reactor package', 'Publish Cradle package');
+  assertInOrder(
+    publishJob,
+    'Upgrade npm for trusted publishing',
+    'Publish Reactor package',
+  );
   assert.doesNotMatch(
     publishJob,
     /--dry-run/,
diff --git a/.github/workflows/ci-reactor-package.yml b/.github/workflows/ci-reactor-package.yml
index 48bc9d2..baf300e 100644
--- a/.github/workflows/ci-reactor-package.yml
+++ b/.github/workflows/ci-reactor-package.yml
@@ -169,6 +169,9 @@ jobs:
         with:
           node-version: 22
 
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@11.5.1
+
       - name: Download Reactor tarball
         uses: actions/download-artifact@v4
         with:
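Review bot: The new `assert.match` in the first hunk hard-codes the npm version `11\.5\.1` inside a regex literal, so the next npm bump in the workflow will require a matching edit here with no single source of truth, and a reviewer cannot tell from the assertion whether the pin is a floor or an exact requirement. Consider hoisting the expected version to a named constant at the top of the test file, `const TRUSTED_PUBLISHING_NPM_VERSION = '11.5.1';`, and building the pattern from it, `new RegExp(String.raw`npm install -g npm@${TRUSTED_PUBLISHING_NPM_VERSION.replaceAll('.', '\\.')}`)`, so the intent (a pinned, Trusted-Publishing-capable CLI) is documented where the value lives. The ordering assertion in the second hunk only pins the upgrade before 'Publish Reactor package'; it is covered for the Cradle publish transitively through the existing `assertInOrder` on the line above it, which is worth stating in a short comment such as `// Upgrade precedes Reactor publish, which precedes Cradle publish (asserted above)`. Both enclosing `test(...)` callbacks start and end outside their hunks.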
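Review bot: The added step upgrades npm globally but never confirms which npm the later publish steps will actually execute; if the global prefix used by `npm install -g` is not first on PATH for the runner (which I infer rather than see here), the bundled CLI from `node-version: 22` would still be picked up and the provenance publish would fail, or worse succeed without the expected trusted-publishing behaviour, with no log line explaining why. Appending a version echo makes the result visible and fails loudly on a mismatch, e.g. `run: npm install -g npm@11.5.1 && npm --version`. The exact pin is the right choice for a release path, but the same literal now lives in both the workflow and the test file, so a comment next to the step naming why this particular version was chosen (`# 11.5.1 is the minimum npm CLI with Trusted Publishing/OIDC support — keep in sync with verify-reactor-publish-workflow.test.mjs`) would help the next bump. The enclosing publish job starts and ends outside this hunk.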