fix: remove npm self-upgrade step that breaks release CI #838
m-abdelwahab merged 1 commit into master from Apr 10, 2026
`npm install -g npm@latest` now resolves to npm 11.x, which causes a fatal cross-major self-upgrade on runners bundling npm 10.x (Node 22). The step was only needed for OIDC/provenance support, which has been built into npm since 9.5.0 — Node 22's bundled npm 10.9.7 already has it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
e4adc42 to 1a3a40b
m-abdelwahab added a commit that referenced this pull request Apr 13, 2026

The Publish NPM job has been failing since v4.37.0. Root cause: npm 10 (bundled with Node 22) can sign provenance via OIDC but cannot authenticate the registry upload itself via trusted publishing — that requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the publish fell through to an anonymous PUT, which the registry rejected as a 404 (the standard response for scoped packages when auth is missing).

Bump the runner to Node 24, which bundles npm 11.x, and assert the version at runtime so any future regression fails loudly instead of silently falling back. Drop --provenance since trusted publishing attaches it automatically.

This supersedes #838, which removed the npm self-upgrade step after npm@latest started cross-major upgrading and corrupting itself mid-install. Using Node 24's bundled npm avoids both the corruption and the self-upgrade entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
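A runtime assertion of the kind the commit message above describes could look like the following. This is an added example, not the project's workflow code; the function names `version_ge` and `publish_guard` are hypothetical, and the OIDC check assumes the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables that GitHub Actions exposes only when the job grants `id-token: write`.

```sh
#!/bin/sh
# Added example (not the project's workflow): pre-publish guard for a
# trusted-publishing job. Intended use in a step, before `npm publish`:
#   sh publish-guard.sh "$(npm --version)"
MIN_NPM=11.5.1   # minimum npm for trusted publishing, per the commit message

# version_ge A B: status 0 if A >= B, 1 if A < B, 2 if either is not N.N.N
version_ge() (
  for v in "$1" "$2"; do
    case $v in
      ''|*[!0-9.]*|.*|*.|*..*) exit 2 ;;   # reject anything but digits and dots
    esac
  done
  IFS=.
  set -- $1 $2                 # split both versions into six numeric fields
  [ $# -eq 6 ] || exit 2
  [ "$1" -gt "$4" ] && exit 0; [ "$1" -lt "$4" ] && exit 1
  [ "$2" -gt "$5" ] && exit 0; [ "$2" -lt "$5" ] && exit 1
  [ "$3" -ge "$6" ]
)

# publish_guard NPM_VERSION: prints one status word on stdout; a non-zero
# status means "do not run npm publish". An unparseable version fails closed.
publish_guard() {
  if ! version_ge "$1" "$MIN_NPM"; then
    echo npm-too-old
    echo "npm '$1' cannot use trusted publishing (need >= $MIN_NPM)" >&2
    return 1
  fi
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo no-oidc
    echo "no OIDC token endpoint; the upload would be unauthenticated" >&2
    return 1
  fi
  echo ok
}

# Run the guard only when a version is passed on the command line.
[ $# -eq 0 ] || publish_guard "$1"
```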
m-abdelwahab added a commit that referenced this pull request Apr 13, 2026

The Publish NPM job has been failing since v4.37.0. Root cause: npm 10 (bundled with Node 22) can sign provenance via OIDC but cannot authenticate the registry upload itself via trusted publishing — that requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the publish fell through to an anonymous PUT, which the registry rejected as a 404 (the standard response for scoped packages when auth is missing).

Bump the runner to Node 24, which bundles npm 11.x. Drop --provenance since trusted publishing attaches it automatically.

This supersedes #838, which removed the npm self-upgrade step after npm@latest started cross-major upgrading and corrupting itself mid-install. Using Node 24's bundled npm avoids both the corruption and the self-upgrade entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
m-abdelwahab added a commit that referenced this pull request Apr 13, 2026

The Publish NPM job has been failing since v4.37.0. Root cause: npm 10 (bundled with Node 22) can sign provenance via OIDC but cannot authenticate the registry upload itself via trusted publishing — that requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the publish fell through to an anonymous PUT, which the registry rejected as a 404 (the standard response for scoped packages when auth is missing).

Bump the runner to Node 24, which bundles npm 11.x. Drop --provenance since trusted publishing attaches it automatically. Also bump actions/setup-node to v6 — v4 runs on Node 20 internally, which GitHub is deprecating.

This supersedes #838, which removed the npm self-upgrade step after npm@latest started cross-major upgrading and corrupting itself mid-install. Using Node 24's bundled npm avoids both the corruption and the self-upgrade entirely.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
m-abdelwahab added a commit that referenced this pull request Apr 13, 2026

The Publish NPM job has been failing since v4.37.0. Root cause: npm 10 (bundled with Node 22) can sign provenance via OIDC but cannot authenticate the registry upload itself via trusted publishing — that requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the publish fell through to an anonymous PUT, which the registry rejected as a 404 (the standard response for scoped packages when auth is missing).

Bump the runner to Node 24, which bundles npm 11.x. Drop --provenance since trusted publishing attaches it automatically. Also bump actions/setup-node to v6 — v4 runs on Node 20 internally, which GitHub is deprecating.

This supersedes #838, which removed the npm self-upgrade step after npm@latest started cross-major upgrading and corrupting itself mid-install. Using Node 24's bundled npm avoids both the corruption and the self-upgrade entirely.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `npm install -g npm@latest` step from the "Publish NPM" job in the release workflow
- `npm@latest` now resolves to npm 11.x, which causes a fatal cross-major self-upgrade when the runner bundles npm 10.x (Node 22). npm removes its own dependencies (like `promise-retry`) mid-install, leaving itself corrupted.

Context
- `npm@latest` still resolved to 10.x
- `npm@latest` now resolves to 11.12.1, cross-major self-upgrade breaks

Test plan
🤖 Generated with Claude Code