Skip to content

Activate npm 11 via corepack to unblock release publish #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nabilfreeman merged 2 commits into from
May 1, 2026
Merged

Activate npm 11 via corepack to unblock release publish #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f3e2a49
ci: use corepack to activate npm 11 instead of npm self-upgrade
nabilfreeman May 1, 2026
ea3679d
docs: add PR write-up for Activate npm 11 via corepack to unblock rel…
nabilfreeman May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 11 additions & 7 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,15 +34,19 @@ jobs:
node-version: '22'
cache: npm

- name: Upgrade npm (required for OIDC trusted publishing)
- name: Activate npm 11 via corepack (required for OIDC trusted publishing)
# OIDC trusted publishing requires npm >= 11.5.1. Node 22 ships with
# npm 10.x, which falls back to traditional auth and fails with
# ENEEDAUTH. We pin to npm@11 (major range) rather than @latest to
# avoid a MODULE_NOT_FOUND bug in the bundled npm's self-upgrade
# path when targeting @latest. If this ever breaks, a corepack-based
# fallback (`corepack prepare npm@latest --activate`) is the next
# option to try.
run: npm install -g npm@11
# ENEEDAUTH. The bundled npm 10.x on the runner is corrupted — any
# `npm install -g npm@*` hits MODULE_NOT_FOUND for promise-retry.
# corepack is a Node built-in (since 16.9) that downloads package
# managers from scratch, bypassing the corrupt bundled npm entirely.
# Pinned to 11.5.1 (first version with OIDC trusted publishing
# support) for deterministic behavior.
run: |
corepack enable
corepack prepare npm@11.5.1 --activate
npm --version

# ── Test gate ─────────────────────────────────────────────────────
# Install, build, and test BEFORE any mutating action (version bump,
Expand Down
20 changes: 20 additions & 0 deletions documentation/PULL_REQUESTS/2026-05-01-fix-release-corepack.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
## Problem

Our release pipeline is currently unable to publish new versions to npm. The step that upgrades the installed `npm` to a version new enough to use our secure authentication method fails with an internal error — not because the target version is wrong, but because the copy of `npm` preinstalled on our build server has corrupted dependencies and cannot install anything, including itself.

This has left `v1.1.0` tagged and released on GitHub but not actually published to npm.

## Solution

Switch to a different mechanism for installing the newer `npm`. Instead of asking the broken `npm` to upgrade itself, use the package-manager manager that ships with Node (built in since 2021) to download the version we need directly from the registry.

This bypasses the corrupt installation entirely and is the approach recommended by the Node team for this exact situation.

## Impact

Once this merges, the release workflow can be re-run in "skip bump" mode to finish publishing the stalled `v1.1.0` to npm.

# Credits

- Nabs (Architect)
- JENA (Lead Developer)
Loading