Skip to content

ci(release): npm@latest preflight for OIDC + consume vestigial changeset (first-publish-ready)#41

Merged
ignromanov merged 4 commits into
mainfrom
056-phase3-a4-release-yml
Jun 4, 2026
Merged

ci(release): npm@latest preflight for OIDC + consume vestigial changeset (first-publish-ready)#41
ignromanov merged 4 commits into
mainfrom
056-phase3-a4-release-yml

Conversation

@ignromanov
Copy link
Copy Markdown
Contributor

@ignromanov ignromanov commented Jun 3, 2026
edited
Loading

Part of #17. Reworked after Shade co-review (P0-1, P0-2, P1-1).

What this changes

P0-1 — pnpm 11.5.1 (OIDC trusted publishing)

Bumps packageManager in root package.json from pnpm@10.24.0 to pnpm@11.5.1. pnpm OIDC trusted publishing landed in 11.0.7; the .npmrc placeholder 404 fix in 11.1.3. pnpm/action-setup reads packageManager from package.json — no explicit version: needed in workflows; both release.yml and ci.yml pick it up automatically.

engines.pnpm bumped to >=11 to match.

pnpm 11 migration side-effects (required for --frozen-lockfile to pass in CI):

  • pnpm.overrides moved from package.json's "pnpm" field to pnpm-workspace.yaml (pnpm 11 no longer reads the old location)
  • allowBuilds added for @swc/core and esbuild in pnpm-workspace.yaml (pnpm 11 build-approval gate)
  • pnpm install ran clean; lockfile unchanged (resolution skipped, already up-to-date)
  • pnpm install --frozen-lockfile passes: Done in 384ms using pnpm v11.5.1

P0-2 — Remove npm install -g npm@latest

Deleted the step added in the first round. pnpm changeset publish uses pnpm to publish, not npm; upgrading the npm CLI has no effect on pnpm's OIDC trusted publishing. The step was a no-op and introduced a mutable dependency.

P1-1 — Re-pin actions/checkout to real v6.0.3 SHA

Prior pin df4cb1c069e1874edd31b4311f1884172cec0e10 resolved to the mutable v6 major tag while the comment said v6.0.3. Re-pinned to 9f698171ed81b15d1823a05fc7211befd50c8ae0 (real v6.0.3). Only release.yml updated (ci.yml same mis-pin is a separate P2 follow-up).

Vestigial changeset removal (carried from first round — passed review)

Deletes .changeset/initial-release-0-1-0.md. Content preserved in the three CHANGELOG.md files as proper ## 0.1.0 entries. changeset publish fires on the 0.0.0→0.1.0 version delta without a changeset version step (Design A manual versioning).

Dry-run results

Package Version Files
@void-layer/codec 0.1.0 29
@void-layer/types 0.1.0 22
@void-layer/networks 0.1.0 40

pnpm install --frozen-lockfile → exit 0 (pnpm v11.5.1, lockfile unchanged)
pnpm -r build → exit 0
pnpm -w lint → exit 0

Do NOT merge until

  • Ignat confirms first-publish timing
  • Release workflow triggered manually (workflow_dispatch) — not by this PR merge

ignromanov added 4 commits June 3, 2026 17:24
@ignromanov
ci(release): add npm@latest preflight for OIDC trusted publishing
71c436b 
npm OIDC trusted publishing requires npm CLI >= 11.5.1. Node 24's bundled
npm may be older. Install latest npm globally after setup-node and before
pnpm changeset publish.
@ignromanov
chore(release): consume vestigial changeset into CHANGELOG entries (D…
322d813 
…esign A)

The initial-release-0-1-0.md changeset was vestigial: its intent (minor
bump to 0.1.0) is already encoded in the package.json versions. Deleting
it prevents a `changeset version` double-bump to 0.2.0 (Design A manual
versioning).

Content preserved: codec CHANGELOG consolidated from two stub entries into
one clean ## 0.1.0 section; types and networks CHANGELOGs expanded with
changeset description text so the record is not lost.
@ignromanov
ci(release): pnpm 11.5.1 + correct checkout pin + rm npm preflight (S…
fab537a 
…hade review)

P0-1: bump packageManager to pnpm@11.5.1 (OIDC trusted publishing requires
pnpm >= 11.0.7; .npmrc placeholder fix >= 11.1.3). pnpm/action-setup reads
packageManager from root package.json — no explicit version: in workflows.
engines.pnpm bumped to >=11 to match.

pnpm 11 migration side-effects (required for frozen-lockfile to pass):
- pnpm.overrides moved from package.json "pnpm" field to pnpm-workspace.yaml
- allowBuilds added for @swc/core and esbuild (pnpm 11 build-approval gate)
- pnpm install ran clean; lockfile unchanged (resolution skipped, up-to-date)

P0-2: remove "npm install -g npm@latest" step — pnpm publishes, not npm;
upgrading npm CLI version has no effect on OIDC trusted publishing.

P1-1: re-pin actions/checkout to 9f698171 (real v6.0.3 SHA; prior pin
df4cb1c resolved to mutable v6 tag but comment falsely said v6.0.3).
@ignromanov
ci: remove explicit pnpm version: from all action-setup steps (single…
33bef4e 
… source)

ERR_PNPM_BAD_PM_VERSION fired in CI because pnpm/action-setup had
version: 10.24.0 hardcoded while packageManager is now pnpm@11.5.1.
Remove the version: input from all three pnpm/action-setup steps in
ci.yml (lint-and-build, vector-parity, ts-rust-parity jobs) so
action-setup reads the version from packageManager — one source, no
conflict. release.yml was already fixed in the prior commit.
@ignromanov ignromanov merged commit 073bd84 into main Jun 4, 2026
7 checks passed
@ignromanov ignromanov deleted the 056-phase3-a4-release-yml branch June 4, 2026 03:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ignromanov