mirror of
https://github.com/railwayapp/cli
synced 2026-04-21 14:07:23 +00:00
fix(ci): use npm trusted publishing via OIDC on Node 24 (#842)
The Publish NPM job has been failing since v4.37.0. Root cause: npm 10 (bundled with Node 22) can sign provenance via OIDC but cannot authenticate the registry upload itself via trusted publishing — that requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the publish fell through to an anonymous PUT, which the registry rejected as a 404 (the standard response for scoped packages when auth is missing). Bump the runner to Node 24, which bundles npm 11.x. Drop --provenance since trusted publishing attaches it automatically. Also bump actions/setup-node to v6 — v4 runs on Node 20 internally, which GitHub is deprecating. This supersedes #838, which removed the npm self-upgrade step after npm@latest started cross-major upgrading and corrupting itself mid-install. Using Node 24's bundled npm avoids both the corruption and the self-upgrade entirely. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mahmoud Abdelwahab
GitHub
parent
f2dd41f055
commit
8da480744a
1 changed files with 3 additions and 3 deletions
6
.github/workflows/release.yml
vendored
6
.github/workflows/release.yml
vendored
|
|
@ -225,13 +225,13 @@ jobs:
|
|||
uses: actions/checkout@v4
|
||||
|
||||
- name: Use Node.js
|
||||
uses: actions/setup-node@v4
|
||||
uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 22
|
||||
node-version: 24
|
||||
registry-url: 'https://registry.npmjs.org'
|
||||
|
||||
- name: NPM publish
|
||||
run: npm publish --access public --provenance
|
||||
run: npm publish --access public
|
||||
|
||||
notify-release:
|
||||
name: Notify Release
|
||||
|
|
|
|||
Loading…
Reference in a new issue