Update to use latest corepack version with updated npm registry keys

[koodiohto]

Description:

Currently all our GitHub Actions workflows which use actions/setup-node@v4 fail for error:

/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535
  if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({ signatures, keys })}`);
                                              ^

Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:215[35](https://github.com/fortum/global-web/actions/runs/13108856831/job/36568265864?pr=2446#step:4:37):47)
    at fetchLatestStableVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21553:5)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async fetchLatestStableVersion2 (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21672:14)
    at async Engine.getDefaultVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22292:23)
    at async Engine.executePackageManagerRequest (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22390:47)
    at async Object.runMain (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:23096:5)

I think the actions/setup-node@v4 should use the latest release version of corepack where the npm registry keys have been updated.

Action version:
v4

Platform:

• Ubuntu

Runner type:

• Hosted

Tools version:

Node.js: 20.18.2
Package Manager: pnpm 9.x

Repro steps:
Use the actions/setup-node@v4 in a GitHub Actions workflow.

Expected behavior:
The setup-node action should install Node.js and configure the package manager without encountering Corepack signature verification errors.

Actual behavior:
The setup-node fails immediately due to Corepack being unable to verify the signature of the npm registry key.

[pi0]

A quick workaround is using below instead of corepack: enable

run: npm i -g --force corepack && corepack enable

[gowridurgad]

Hi @koodiohto,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

[Jason3S]

@gowridurgad,

The workaround: npm i -g --force corepack does not work on Windows runners.

Log: 3_Install.txt

Workaround for windows is to only run on Node 23.x since it has the latest version of corepack.

[HarithaVattikuti]

Hello everyone 👋,
The setup-node action does not handle Corepack directly. Corepack is included with the official Node.js binary.

As @koodiohto correctly mentioned, Corepack updated npm registry keys in the latest version. The issue appears to be due to Corepack 0.29.4 bundled with Node.js 20.18.2, which doesn't include the updated npm registry keys. The relevant issue in nodejs/corepack#627 might be worth following for any updates from the node.js team.

To fix this issue we recommend using the latest Node.js versions if possible. Alternatively, as a potential workaround, you can use the pnpm/action-setup action before the actions/setup-node step to manage your package manager setup as shown below:

- uses: pnpm/action-setup@v4
  with:
    version: 9
- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: '20.18.2'

Hope this helps!
Please feel free to reach out in case of further concerns.
Thankyou!

[Jason3S]

@HarithaVattikuti,

Thank you for the summary. I think this issue can be closed, since it really is a NodeJS issues, not action/setup-node. Thank you for the help.

[Jason3S]

@HarithaVattikuti,

We might need some help on how to install the latest corepack on Windows. As mentioned here: nodejs/corepack #627, the installed version corepack will get picked up before the version from npm -g --force corepack@latest.

[sundy-li]

pnpm/action-setup@v4

This did not help, logs https://github.com/databendlabs/bendsql/actions/runs/13190663019/job/36822890057?pr=585

[shokohara]

@sundy-li In my case, it works if you remove following part. https://github.com/databendlabs/bendsql/actions/runs/13190663019/job/36822890057?pr=585#step:6:2

[priya-kinthali]

Hello @Jason3S👋,
We have tested the workaround and successfully installed the dependencies using the following command:
npm install --global --force corepack@latest
Please find the successful run here. Hope this helps!

Hello @sundy-li👋, Using the pnpm/action-setup@v4 action directly handles the setup of the pnpm package manager, which eliminates the need for using corepack to manage it. As @shokohara mentioned, it works if you remove the corepack part in your workflow. You could enable corepack or use this pnpm/action-setup.

Since this issue is not related to setup-node action, I am proceeding with closing for now.
Thank you all for your cooperation and understanding!

[Jason3S]

@priya-kinthali,

Hello @Jason3S👋, We have tested the workaround and successfully installed the dependencies using the following command: npm install --global --force corepack@latest Please find the successful run here. Hope this helps!

Thank you for checking. But, it still doesn't work on the standard GitHub hosted environment. I'll make an example.

[Jason3S]

@priya-kinthali,

Here is a very simple example of it failing on the standard GitHub Windows runner:

failed windows run

name: ' 🧪 Test Windows'
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
    paths-ignore:
      - 'docs/**'

permissions:
  contents: read

jobs:
  test-os:
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        node-version:
          - 18.x
          - 20.x
          - 22.x
          - 23.x

        os:
          - windows-latest
          # - macos-latest # Smoke test is enough for now.

    steps:
      - uses: actions/checkout@v4

      - name: Setup pnpm
        uses: pnpm/action-setup@v4

      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4.2.0
        with:
          registry-url: 'https://registry.npmjs.org'
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'

      - name: Enable Corepack
        run: |
          npm i -g --force corepack
          corepack enable
          pnpm -v
        shell: bash

[priya-kinthali]

Hello @Jason3S👋,
Thank you for reaching out and sharing the sample workflow with us!
As mentioned in my previous comment, in this case, it is recommended to use the pnpm/action-setup@v4 action to set up pnpm directly. There is no need to use corepack enable in your GitHub Actions workflow. Please find the successful run here.
Hope this helps. Thank you!

[Jason3S]

@priya-kinthali,

There are two different things going on here:

1. The search path on Windows is different than for other environments, causing npm install --global --force corepack@latest to not work. For some reason, the version of corepack installed by actions/setup-node come earlier in the search path than the global node modules. Is this something that can be adjusted in action/set-node? This bug was the main reason I needed to use corepack in the first place.
2. There are situations where corepack is needed / used. This is true for a monorepo that might have pnpm and yarn subprojects. corepack is needed to install the package managers because of the search path issues mentioned above. In my case, the general monorepo uses pnpm but it needs to test the yarn Plug'n'Play works as expected.

The workaround is to only test windows on the latest version of nodejs.

[priya-kinthali]

Hello @Jason3S 👋,

Thank you for your input. As you correctly mentioned, using the latest Node.js versions is a potential workaround to avoid the corepack signature issue. You can use the check-latest: true input with the setup-node action. This ensures you have the latest version if the cached versions on the GitHub hosted runner are not up-to-date. Hosted images come with preinstalled versions of Node.js, as detailed in the Windows 2022 Readme. The action utilises these preinstalled versions from the toolcache directory, reducing the need for repeated downloads and installations.

Additionally, the corepack bundled with Node.js in the hosted toolcache is appearing earlier in the PATH than the globally installed version, causing conflicts on Windows. This behaviour is specific to the Windows OS due to the way the PATH is constructed and managed in the environment.
You can use the following workaround to clear the hosted toolcache for corepack on GitHub-hosted runners, allowing the globally installed version to take precedence:

- name: Clear hosted toolcache for corepack
  run: Remove-Item -Recurse -Force "C:\hostedtoolcache\windows\node\$nodeVersion\x64\corepack*"

This will ensure that the globally installed version of corepack is used. Please refer to the successful run and related workflow here.
Hope this helps! Thank you for your understanding and patience!

[Jason3S]

@priya-kinthali,

Thank you for the amazing response.

[Jason3S]

At first, I wasn't sure where it put the Remove-Item.

For anyone that comes here later, this is what I ended up using:

  steps:
    - name: Setup pnpm
      uses: pnpm/action-setup@v4

    - name: Use Node.js
      uses: actions/setup-node@v4.2.0
      with:
        registry-url: 'https://registry.npmjs.org'
        node-version: 20.x
        cache: 'pnpm'

    - name: Clear hosted tool-cache for corepack
      # See: [actions/setup-node/issues/1222](https://github.com/actions/setup-node/issues/1222#issuecomment-2673608477)
      if: runner.os == 'Windows'
      run: Remove-Item -Recurse -Force (Get-Command corepack.cmd).Path
      shell: pwsh

    - name: Install Corepack
      # See: [actions/setup-node/issues/1222](https://github.com/actions/setup-node/issues/1222)
      run: |
        npm i -g --force corepack
      shell: bash

    - name: Enable Corepack
      run: |
        corepack enable
        pnpm -v
      shell: bash