ci(release): run npm publish on github-hosted runner for provenance#5312

Merged
avallete merged 2 commits into develop from claude/fix-npm-provenance-runner
May 20, 2026

@avallete

The release workflow's publish job was migrated to a Blacksmith runner in #5300, which broke npm publish:

npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/@supabase%2fcli-darwin-arm64
  - Error verifying sigstore provenance bundle:
    Unsupported GitHub Actions runner environment: "self-hosted".
    Only "github-hosted" runners are supported when publishing with provenance.

publish.ts passes --provenance to pnpm publish, which has sigstore attest the build against the runner's OIDC identity. Blacksmith runners present as self-hosted to sigstore, so npm rejects the upload with E422.

Move only the publish job back to ubuntu-latest. build and smoke-test stay on Blacksmith; publish-homebrew and publish-scoop don't go through npm/sigstore (they push to the tap/bucket repos via git) and also stay on Blacksmith. The publish job is short and not compute-bound, so the wall-clock cost of github-hosted is negligible.

Failed run that motivated this: https://github.com/supabase/cli/actions/runs/26153946606


Generated by Claude Code
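
A preflight check for the failure described above, as an added example that is not part of this PR or of the supabase/cli code base: it reads the `runner_environment` claim from the job's GitHub Actions OIDC token so a publish with provenance can fail fast on a runner that presents as self-hosted. The function names and sample tokens are constructed for illustration, and the token signature is deliberately not verified because the job is only inspecting its own token.

```javascript
// Added example: names and sample tokens are constructed, not from supabase/cli.
// GitHub Actions OIDC tokens carry a `runner_environment` claim whose value is
// "github-hosted" or "self-hosted"; the npm error above quotes that value.

// Decode the payload of a compact JWT. The signature is NOT verified: this is
// a fail-fast look at the job's own token, not a trust decision.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error("not a compact JWT");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report whether a provenance publish from this job would pass the
// runner-environment check shown in the E422 response.
function provenancePreflight(jwt) {
  const env = decodeJwtPayload(jwt).runner_environment;
  if (env === "github-hosted") return { ok: true, runnerEnvironment: env };
  return {
    ok: false,
    runnerEnvironment: env === undefined ? "(missing)" : String(env),
    reason: 'npm provenance requires runner_environment "github-hosted"',
  };
}

// Request the job's OIDC token inside GitHub Actions (needs the
// `id-token: write` permission). Not called by the sample code below.
async function fetchActionsIdToken(audience = "sigstore") {
  const url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
  const bearer = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
  if (!url || !bearer) throw new Error("OIDC token endpoint not available");
  const res = await fetch(`${url}&audience=${encodeURIComponent(audience)}`, {
    headers: { Authorization: `Bearer ${bearer}` },
  });
  if (!res.ok) throw new Error(`OIDC token request failed: ${res.status}`);
  return (await res.json()).value;
}

// Constructed sample tokens (fake signature) for offline use.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}
const HOSTED = sampleToken({ runner_environment: "github-hosted" });
const SELF_HOSTED = sampleToken({ runner_environment: "self-hosted" });
```

In a publish script, calling `provenancePreflight(await fetchActionsIdToken())` before the registry upload turns the late E422 into an early, explicit failure.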

npm provenance verification rejects Blacksmith runners with E422
("Unsupported GitHub Actions runner environment: self-hosted"); only
github-hosted runners are accepted by sigstore for provenance
attestations.

Move the publish job back to ubuntu-latest. The job is short and not
compute-bound, so the wall-clock cost is negligible. publish-homebrew and
publish-scoop don't go through npm provenance and stay on Blacksmith.
@avallete requested a review from a team as a code owner May 20, 2026 09:59
… runner

Match the publish job and keep all publish-* jobs on ubuntu-latest. These
jobs only push small commits to the homebrew-tap and scoop-bucket repos,
so the wall-clock cost of a github-hosted runner is negligible and not
worth the Blacksmith optimization.
@avallete enabled auto-merge (squash) May 20, 2026 10:01
@avallete merged commit a6e21f7 into develop May 20, 2026
8 checks passed
@avallete deleted the claude/fix-npm-provenance-runner branch May 20, 2026 10:07