ci: run npm publish via npx-pinned npm@latest for OIDC #19
Merged
Conversation
Replaces the failed-self-upgrade path. `npm install -g npm@latest` under npm 10 corrupts mid-overwrite (npm 11 dropped promise-retry, which the in-flight rebuild step still requires) and exits with MODULE_NOT_FOUND. Trusted Publishing needs npm 11.5.1+ for OIDC auto-detection. `npx --package=npm@latest -- npm publish ...` runs an isolated npm 11 from the npx cache without mutating the system npm. OIDC token env vars (ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN) are inherited, so provenance + Trusted Publishing both work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Follow-up to #18. The first nightly attempt with #18's `npm install -g npm@latest` failed with `MODULE_NOT_FOUND: Cannot find module 'promise-retry'` — a known fragility where npm 10 partially self-overwrites with npm 11 (which dropped `promise-retry`), but the in-flight rebuild step still requires it.

Switching to `npx --package=npm@latest -- npm publish ...`. npx fetches npm@latest into its cache and invokes that isolated binary, so the system npm stays at 10.x and never mutates itself. The OIDC env vars (`ACTIONS_ID_TOKEN_REQUEST_URL`/`_TOKEN`) are process-env, so the npx subprocess inherits them — provenance + Trusted Publishing both still work.

Why not bump Node to 24?

Node 24 ships with npm 11 baked in, which would also work — but mise.toml pins Node 22 for contributor dev consistency. Bumping just CI's setup-node to 24 fights with mise-action's PATH order, and bumping mise.toml is a bigger contributor-facing change. The npx-pinned approach is local to the publish step and decoupled from runtime Node.
Test plan
- `cli-bridge@0.1.2-nightly.<date>.<sha>` to land on npm with `dist-tag=nightly`.
- `latest` stays at `0.1.2`.
- `npm view cli-bridge@nightly` returns the new version.

🤖 Generated with Claude Code
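A preflight wrapper for the publish step discussed above, added here as an example and not code from this PR or repository: it confirms that the npm which npx will run meets the 11.5.1 OIDC floor and that the token-request variables are present before calling publish, so a job missing `id-token: write` fails with a clear message. The function names, the `--provenance` and `--tag nightly` flags and the `publish` argument are assumptions; the page only shows `npm publish ...`.

```shell
#!/usr/bin/env bash
# Added example (not the PR's code): preflight + publish for the npx-pinned npm path.
# Assumed: a GitHub Actions job with `id-token: write`; --provenance and --tag nightly
# are assumed flags, since the PR body only shows `npm publish ...`.

# version_ge A B: succeed when dotted version A >= B. Compares three numeric
# components; a prerelease suffix such as -nightly.20240101.abc is stripped first.
version_ge() {
  a="${1%%-*}.0.0"; b="${2%%-*}.0.0"   # pad so cut always sees three fields
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    case "$x:$y" in *[!0-9:]*|:*|*:) return 1 ;; esac   # reject empty or non-numeric parts
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# oidc_ready: both token-request variables must be present; npm 11.5.1+ reads them to
# auto-detect Trusted Publishing, and they are only set when the job grants id-token: write.
oidc_ready() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# pinned_npm_ok: ask the isolated npm that npx will run for its version and check the OIDC
# floor. Needs network the first time, while npx fills its cache; the system npm is untouched.
pinned_npm_ok() {
  v=$(npx --package=npm@latest -- npm --version) || return 1
  [ -n "$v" ] || return 1
  version_ge "$v" 11.5.1
}

# publish_nightly: the publish step, refusing to run when a precondition is missing so a
# misconfigured job fails fast instead of surfacing a confusing auth error from npm.
publish_nightly() {
  oidc_ready || { echo "OIDC env vars missing: is 'id-token: write' granted?" >&2; return 1; }
  pinned_npm_ok || { echo "npx-pinned npm is older than 11.5.1" >&2; return 1; }
  npx --package=npm@latest -- npm publish --provenance --tag nightly
}

# Only publish when explicitly asked; sourcing the file elsewhere just defines the helpers.
if [ "${1:-}" = "publish" ]; then publish_nightly; fi
```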