From e81512f0a7eb6b90e88ccc6fd158a827809a82db Mon Sep 17 00:00:00 2001 From: Stefano Mioli Date: Mon, 4 May 2026 23:46:01 +0200 Subject: [PATCH] ci: install npm@latest in publish jobs for OIDC Trusted Publishing Node 22 ships with npm 10.x; npm Trusted Publishing's OIDC auto-detection lives in npm 11.5.1+. Without it, `npm publish` falls back to the actions/setup-node placeholder auth in ~/.npmrc and gets 404'd by the registry on upload (npm's opaque way of saying "no auth"). Bump npm to latest right before publish in both release jobs. Cheap (one network install) and keeps the rest of the pipeline on the runner's stable Node 22 toolchain. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f10e2d1..5a6c152 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -59,6 +59,12 @@ jobs: - run: pnpm install --frozen-lockfile - run: pnpm run build + # Trusted Publishing OIDC auto-detection landed in npm 11.5.1; the + # bundled npm with Node 22 (10.x) is too old, falls back to the + # registry-url placeholder auth, and gets 404'd on upload. + - name: Ensure npm supports OIDC publishing + run: npm install -g npm@latest + - name: Derive npm dist-tag from git tag id: meta run: | @@ -162,5 +168,9 @@ jobs: - run: pnpm run build + # See note in release-tag: npm@10 (Node 22 default) can't use OIDC. + - name: Ensure npm supports OIDC publishing + run: npm install -g npm@latest + - name: Publish to npm run: npm publish --tag nightly --access public --provenance
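Review bot: `npm install -g npm@latest` in the first hunk (the tag-release publish job, going by the second hunk's comment) resolves a floating dist-tag at run time, so the npm CLI that performs the OIDC exchange and signs provenance is whatever the registry serves on the day of the release. The second hunk repeats the same line ahead of `npm publish --tag nightly --access public --provenance`. The added comment states the requirement as npm 11.5.1 or newer, so a pinned, reviewed version such as `run: npm install -g npm@11.5.1` satisfies it and makes CLI upgrades an explicit change to the workflow. A following `run: npm --version` step would record the CLI version in the job log for later audit. Both job definitions start outside the hunks, so the permissions these steps run under (presumably including `id-token: write`) are not visible here.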