From 1f8c76ba0f307c4719c64f6138c6857a2cc752f2 Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 10:55:21 +0100 Subject: [PATCH 1/4] ci: use node 20 in release workflow to avoid node 22.22.2 npm bug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The node 22.22.2 runner images ship a broken bundled npm 10.9.7 that cannot install npm@* (MODULE_NOT_FOUND: promise-retry). This breaks our OIDC publish path which requires npm >= 11.5.1. Node 20 LTS has an older, working bundled npm that reliably upgrades via `npm install -g npm@latest`. This matches the setup that worked for v1.0.5 on March 12 (node 22.22.0 + npm 10.9.4 → upgraded to 11.11.1). Restore `npm install -g npm@latest` since it works on Node 20's bundled npm. Drop the corepack approach which failed to activate correctly. --- .github/workflows/release.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a6d562e..cc88628 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -31,21 +31,15 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '22' + node-version: '20' cache: npm - - name: Activate npm 11 via corepack (required for OIDC trusted publishing) - # OIDC trusted publishing requires npm >= 11.5.1. Node 22 ships with - # npm 10.x, which falls back to traditional auth and fails with - # ENEEDAUTH. The bundled npm 10.x on the runner is corrupted — any - # `npm install -g npm@*` hits MODULE_NOT_FOUND for promise-retry. - # corepack is a Node built-in (since 16.9) that downloads package - # managers from scratch, bypassing the corrupt bundled npm entirely. - # Pinned to 11.5.1 (first version with OIDC trusted publishing - # support) for deterministic behavior. + - name: Upgrade npm (required for OIDC trusted publishing) + # OIDC trusted publishing requires npm >= 11.5.1. Node 20 ships with + # an older bundled npm but can cleanly upgrade it via `npm install -g`. + # This approach worked reliably on v1.0.5 (March 12) and earlier releases. run: | - corepack enable - corepack prepare npm@11.5.1 --activate + npm install -g npm@latest npm --version # ── Test gate ───────────────────────────────────────────────────── From 34e517c344112d48f69398e298e3b7808e5c0980 Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 10:55:28 +0100 Subject: [PATCH 2/4] docs: add PR write-up for Use Node 20 in release workflow to unblock npm publish --- .../2026-05-01-fix-release-node20.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md diff --git a/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md new file mode 100644 index 0000000..954ec06 --- /dev/null +++ b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md 
@@ -0,0 +1,16 @@ +## Problem + +Two previous attempts to unblock the stalled `v1.1.0` npm publish both failed. The underlying issue, now confirmed from build logs, is a bug in the version of `npm` that comes pre-installed on the current Node 22 runner image. Our previous successful releases used an older Node 22 sub-version that had a working `npm`. + +## Solution + +Switch the release workflow to Node 20, which has a stable pre-installed `npm` that can be upgraded to the version we need for secure publishing. Node 20 is the current long-term-support version and works fine for publishing — the choice of Node only affects the build/publish environment, not what end users run our tool on (our test matrix still covers Node 18/20/22 for the user-facing code). + +## Impact + +Once this merges, re-running the release workflow in skip-bump mode should finally publish the already-tagged `v1.1.0` to npm. + +# Credits + +- Nabs (Architect) +- JENA (Lead Developer) From 3df37f1e993134d083b016eb967128f174987840 Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 11:01:32 +0100 Subject: [PATCH 3/4] ci: rename release.yml to publish.yml to match npm trusted publisher The npm Trusted Publisher for fullcontext is registered for the workflow filename publish.yml, but the file was renamed to release.yml in March when the two-step release + publish workflows were merged. The OIDC token presented to npm during publish contains the current filename, so the mismatch rejected auth with ENEEDAUTH on every attempt since. Rename back to publish.yml (matching the registered config) and update the workflow name to "Publish" for consistency. This is the real root cause of the failed publishes; the Node 20 + npm upgrade restoration in the previous commit is still needed for the runner's broken bundled npm. --- .github/workflows/{release.yml => publish.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .github/workflows/{release.yml => publish.yml} (99%) 
diff --git a/.github/workflows/release.yml b/.github/workflows/publish.yml similarity index 99% rename from .github/workflows/release.yml rename to .github/workflows/publish.yml index cc88628..bb9ccdf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/publish.yml @@ -1,4 +1,4 @@ -name: Release +name: Publish on: workflow_dispatch: From 8881851965c0eb14a562723aade87bc6aa00ca62 Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 11:02:21 +0100 Subject: [PATCH 4/4] docs: update PR write-up for Use Node 20 in release workflow to unblock npm publish --- .../PULL_REQUESTS/2026-05-01-fix-release-node20.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md index 954ec06..ba570b2 100644 --- a/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md +++ b/documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md 
@@ -1,14 +1,21 @@ ## Problem -Two previous attempts to unblock the stalled `v1.1.0` npm publish both failed. The underlying issue, now confirmed from build logs, is a bug in the version of `npm` that comes pre-installed on the current Node 22 runner image. Our previous successful releases used an older Node 22 sub-version that had a working `npm`. +Our release pipeline cannot publish new versions to npm. Two separate issues both contributed, and both need to be fixed together for publishing to work again. + +**Issue 1 — the real blocker.** When we split our original release workflow into two files and then later merged them back, we renamed the publishing file from `publish.yml` to `release.yml`. But the trust relationship between this package and our GitHub repository is registered on the npm side under the old filename. Every publish attempt since then has failed authentication because the identity npm sees during the publish step no longer matches the one it trusts. + +**Issue 2 — a newer runner bug.** The current Node 22 image on GitHub Actions ships with a broken copy of `npm` that cannot install anything, including a newer version of itself. This means we cannot get to a `npm` version new enough to use our secure publishing method at all on Node 22 until GitHub fixes the image. ## Solution -Switch the release workflow to Node 20, which has a stable pre-installed `npm` that can be upgraded to the version we need for secure publishing. Node 20 is the current long-term-support version and works fine for publishing — the choice of Node only affects the build/publish environment, not what end users run our tool on (our test matrix still covers Node 18/20/22 for the user-facing code). +Two changes, one for each issue: + +1. Rename the publishing workflow back to `publish.yml` so it matches what npm trusts. +2. Switch the publishing workflow to Node 20, which has a working `npm` that can be upgraded to the current stable version. 
## Impact -Once this merges, re-running the release workflow in skip-bump mode should finally publish the already-tagged `v1.1.0` to npm. +Once this merges, re-running the publishing workflow in "skip version bump" mode will finish publishing the already-tagged `v1.1.0` to npm. # Credits
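Review bot: In PATCH 1/4, the `run:` block of the new "Upgrade npm" step in `.github/workflows/release.yml` installs `npm@latest`, so the publish job runs whatever npm release is current at run time, whereas the step it replaces pinned `npm@11.5.1` "for deterministic behavior". Suggest pinning an exact version at or above 11.5.1 (for example `npm install -g npm@11.5.1`) and making the step fail when `npm --version` reports less than 11.5.1 instead of only printing it; the removed comment notes that an older npm falls back to traditional auth and only fails later with ENEEDAUTH. The new comment's "worked reliably on v1.0.5 (March 12)" also reads as if that release ran on Node 20, while the commit message says it used node 22.22.0; the comment should say so.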
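Review bot: In PATCH 2/4, the last heading of the new `documentation/PULL_REQUESTS/2026-05-01-fix-release-node20.md` is `# Credits` at level 1, while `## Problem`, `## Solution` and `## Impact` are level 2. Make it `## Credits` so the file keeps one consistent outline; the same line is carried unchanged as context in PATCH 4/4.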
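Review bot: In PATCH 3/4, the rename of `.github/workflows/release.yml` to `publish.yml` touches one file and changes only the `name:` line, so nothing in the workflow records that the filename is load-bearing, and any other mention of `release.yml` in the repository, if one exists, is left as it was. Suggest a comment at the top of `publish.yml` stating that the npm Trusted Publisher is registered for this exact filename and that a rename needs a matching change on the npm side, plus a search for remaining references to `release.yml`. The commit message attributes every ENEEDAUTH failure since March to exactly this kind of rename, and a header comment is the cheapest guard against repeating it.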
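Review bot: In PATCH 4/4, the new "Issue 2" paragraph says the Node 22 image's npm "cannot install anything", which is broader than the failure recorded in PATCH 1/4 (`npm install -g npm@*` hitting MODULE_NOT_FOUND for promise-retry); word it as the observed failure. The write-up would also be easier to match against build logs if it named the concrete values the workflow comment already has: that OIDC trusted publishing requires npm >= 11.5.1, instead of "a `npm` version new enough", and that ENEEDAUTH is the symptom of Issue 1.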