ci(release): upgrade npm to 11+ for trusted-publisher OIDC auth (#121)

stackbilt-admin · Kurt Overmier · claude · web-flow · commit ef66cd2b20ad · 2026-04-18T06:45:30.000-05:00
The prior fix (#120) removed token plumbing expecting npm's `--provenance` flag to drive OIDC-based publish auth. It doesn't — `--provenance` only signs attestations via OIDC. Publish auth via OIDC for trusted publishers requires **npm 11.5.1+**, which is newer than what setup-node bundles with Node 20 (currently ~10.x). Result: v0.12.0 publish returned ENEEDAUTH — the CLI had no token (correct end state) but didn't know how to use OIDC for auth. Fix: install npm@latest globally before the publish step. 11.12.1 as of 2026-04-18 has first-class trusted-publisher OIDC auth. Co-authored-by: Kurt Overmier <kurt@stackbilt.dev> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -115,6 +115,11 @@ jobs:
           node-version: '20'
           cache: 'pnpm'
 
+      # npm 11.5.1+ required for trusted-publisher OIDC auth on publish.
+      # The version bundled with Node 20 on setup-node is ~10.x.
+      - name: Upgrade npm for trusted-publisher support
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
