diff --git a/.github/workflows/release.yml b/.github/workflows/publish.yml similarity index 78% rename from .github/workflows/release.yml rename to .github/workflows/publish.yml index a6d562e..bb9ccdf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/publish.yml @@ -1,4 +1,4 @@ -name: Release +name: Publish on: workflow_dispatch: @@ -31,21 +31,15 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '22' + node-version: '20' cache: npm - - name: Activate npm 11 via corepack (required for OIDC trusted publishing) - # OIDC trusted publishing requires npm >= 11.5.1. Node 22 ships with - # npm 10.x, which falls back to traditional auth and fails with - # ENEEDAUTH. The bundled npm 10.x on the runner is corrupted — any - # `npm install -g npm@*` hits MODULE_NOT_FOUND for promise-retry. - # corepack is a Node built-in (since 16.9) that downloads package - # managers from scratch, bypassing the corrupt bundled npm entirely. - # Pinned to 11.5.1 (first version with OIDC trusted publishing - # support) for deterministic behavior. + - name: Upgrade npm (required for OIDC trusted publishing) + # OIDC trusted publishing requires npm >= 11.5.1. Node 20 ships with + # an older bundled npm but can cleanly upgrade it via `npm install -g`. + # This approach worked reliably on v1.0.5 (March 12) and earlier releases. run: | - corepack enable - corepack prepare npm@11.5.1 --activate + npm install -g npm@latest npm --version # ── Test gate ───────────────────────────────────────────────────── diff --git a/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md new file mode 100644 index 0000000..ba570b2 --- /dev/null +++ b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md 
@@ -0,0 +1,23 @@ +## Problem + +Our release pipeline cannot publish new versions to npm. Two separate issues both contributed, and both need to be fixed together for publishing to work again. + +**Issue 1 — the real blocker.** When we split our original release workflow into two files and then later merged them back, we renamed the publishing file from `publish.yml` to `release.yml`. But the trust relationship between this package and our GitHub repository is registered on the npm side under the old filename. Every publish attempt since then has failed authentication because the identity npm sees during the publish step no longer matches the one it trusts. + +**Issue 2 — a newer runner bug.** The current Node 22 image on GitHub Actions ships with a broken copy of `npm` that cannot install anything, including a newer version of itself. This means we cannot get to a `npm` version new enough to use our secure publishing method at all on Node 22 until GitHub fixes the image. + +## Solution + +Two changes, one for each issue: + +1. Rename the publishing workflow back to `publish.yml` so it matches what npm trusts. +2. Switch the publishing workflow to Node 20, which has a working `npm` that can be upgraded to the current stable version. + +## Impact + +Once this merges, re-running the publishing workflow in "skip version bump" mode will finish publishing the already-tagged `v1.1.0` to npm. + +# Credits + +- Nabs (Architect) +- JENA (Lead Developer)
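Review bot: In `.github/workflows/publish.yml`, at the `name: Publish` line of the first hunk, nothing in the workflow records that the filename itself is part of the npm trust relationship. According to the PR document in this same patch, that is how the earlier rename to `release.yml` broke publishing. Add a comment at the top of the workflow stating that npm trusts this repository under the filename `publish.yml`, and that the file must not be renamed without first updating the trust registration on the npm side.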
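Review bot: In the `@@ -31,21 +31,15 @@` hunk of `publish.yml`, `npm install -g npm@latest` replaces a pin to `npm@11.5.1` that the removed comment justified as "for deterministic behavior". The tool that performs the publish is now whatever the registry serves as `latest` at run time. Pin an exact version that satisfies the stated `>= 11.5.1` requirement, for example `npm install -g npm@11.5.1`, and bump it deliberately in a reviewed change. The `npm --version` line that follows only prints the version. Make the step fail when the result is below 11.5.1, so that a failed upgrade is caught here rather than later as an authentication error in the publish step. The new comment's "worked reliably on v1.0.5 (March 12)" is release history, and it reads better in the PR document than in the workflow.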
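Review bot: In `documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md`, Issue 2 says Node 22 is unusable "until GitHub fixes the image", but the Solution and Impact sections record no follow-up: no link to an upstream report and no condition for moving the workflow back to Node 22. Add a line naming what to check and who owns the revert, so that the Node 20 downgrade does not become permanent by default. Solution item 2 says npm is upgraded "to the current stable version" but never mentions the `>= 11.5.1` floor that the workflow comment depends on, so state that floor here too. As a style point, `# Credits` is a level-one heading while every other section uses `##`.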