From 10afb2147edb28a60aaaea93a2b7e5a131f96a00 Mon Sep 17 00:00:00 2001 From: Claude Perrin Date: Wed, 8 Jul 2026 14:16:12 +0700 Subject: [PATCH 1/2] ci(release): run publish on Node 24 (bundled npm 11.16, OIDC-ready) Node 24 ships npm >= 11.5.1 natively, so trusted publishing works without a global 'npm install -g npm@X' step. Drops that unpinned install (Scorecard Pinned-Dependencies) and the version to maintain; the build/test job stays on Node 22. Signed-off-by: Claude Perrin --- .github/workflows/release.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2b4ac05..1d4d873 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -52,10 +52,12 @@ jobs: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6.0.0 - - name: Setup Node 22 + - name: Setup Node 24 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: "22" + # Node 24 ships npm >= 11.5.1, which supports OIDC trusted + # publishing out of the box (no global npm install needed). + node-version: "24" cache: "npm" # No registry-url: setup-node would write an npm auth line # reading NODE_AUTH_TOKEN, which (left empty) makes npm take @@ -245,8 +247,5 @@ jobs: # Trusted publishing: npm mints short-lived credentials from the # workflow's OIDC identity (registered on npmjs.com for this repo + # workflow file). No NPM_TOKEN secret; provenance stays on. - - name: Pin npm 11.18.0 (trusted publishing needs >= 11.5.1) - run: npm install -g npm@11.18.0 - - name: Publish to npm run: npm publish --access public --provenance --ignore-scripts From 532d0ddd764640462560b97d05e43d682d2443c4 Mon Sep 17 00:00:00 2001 From: Claude Perrin Date: Wed, 8 Jul 2026 14:27:41 +0700 Subject: [PATCH 2/2] ci(release): drop npm cache from the publish job Address CodeRabbit: keep the trusted-publishing job's setup-node minimal (no package-manager cache). Signed-off-by: Claude Perrin --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1d4d873..ea5a05a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -58,7 +58,8 @@ jobs: # Node 24 ships npm >= 11.5.1, which supports OIDC trusted # publishing out of the box (no global npm install needed). node-version: "24" - cache: "npm" + # No npm cache here: keep the publish job's environment minimal + # for OIDC trusted publishing (per CodeRabbit review). # No registry-url: setup-node would write an npm auth line # reading NODE_AUTH_TOKEN, which (left empty) makes npm take # the classic-auth path instead of the OIDC exchange.