From 92e48e3703e86a235068bb45a76e45471c94034a Mon Sep 17 00:00:00 2001
From: Stefano Mioli
Date: Tue, 5 May 2026 00:03:50 +0200
Subject: [PATCH] ci: run npm publish via npx-pinned npm@latest for OIDC

Replaces the failed-self-upgrade path. `npm install -g npm@latest` under npm 10 corrupts mid-overwrite (npm 11 dropped promise-retry, which the in-flight rebuild step still requires) and exits with MODULE_NOT_FOUND. Trusted Publishing needs npm 11.5.1+ for OIDC auto-detection.

`npx --package=npm@latest -- npm publish ...` runs an isolated npm 11 from the npx cache without mutating the system npm. OIDC token env vars (ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN) are inherited, so provenance + Trusted Publishing both work.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a6c152..4185eb9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,12 +59,6 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm run build
 
-      # Trusted Publishing OIDC auto-detection landed in npm 11.5.1; the
-      # bundled npm with Node 22 (10.x) is too old, falls back to the
-      # registry-url placeholder auth, and gets 404'd on upload.
-      - name: Ensure npm supports OIDC publishing
-        run: npm install -g npm@latest
-
       - name: Derive npm dist-tag from git tag
         id: meta
         run: |
@@ -86,8 +80,14 @@ jobs:
           } >> "$GITHUB_OUTPUT"
           echo "::notice::Publishing cli-bridge@$REF with dist-tag=$DIST_TAG (prerelease=$IS_PRERELEASE)"
 
-      - name: Publish to npm
-        run: npm publish --tag "${{ steps.meta.outputs.dist-tag }}" --access public --provenance
+      # Trusted Publishing OIDC auto-detection landed in npm 11.5.1; the
+      # bundled npm with Node 22 is 10.x and falls back to the registry-url
+      # placeholder auth, getting 404'd on upload. Self-upgrade via
+      # `npm install -g npm@latest` corrupts (npm 10 → 11 mid-overwrite),
+      # so we run a one-shot npm 11 from the npx cache instead. The OIDC
+      # env vars (ACTIONS_ID_TOKEN_REQUEST_*) are inherited automatically.
+      - name: Publish to npm (via npx-pinned npm@latest for OIDC)
+        run: npx --package=npm@latest -- npm publish --tag "${{ steps.meta.outputs.dist-tag }}" --access public --provenance
 
       - name: Generate CycloneDX SBOM
         # cyclonedx-npm uses `npm ls` under the hood, which reports spurious
@@ -168,9 +168,7 @@ jobs:
       - run: pnpm run build
 
-      # See note in release-tag: npm@10 (Node 22 default) can't use OIDC.
-      - name: Ensure npm supports OIDC publishing
-        run: npm install -g npm@latest
-
-      - name: Publish to npm
-        run: npm publish --tag nightly --access public --provenance
+      # See note in release-tag — bundled npm 10 can't use OIDC, self-upgrade
+      # is fragile, so a one-shot npm 11 via npx is the cleanest path.
+      - name: Publish to npm (via npx-pinned npm@latest for OIDC)
+        run: npx --package=npm@latest -- npm publish --tag nightly --access public --provenance
 
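Review bot: `npm@latest` in the new `run:` line is a floating dist-tag, not a pin, even though the step name says "npx-pinned": every release run resolves and executes whatever the registry currently tags `latest`, with the job's OIDC publishing credentials and `--provenance` in its environment, so a broken or malicious npm release would reach the publish path with no review step in between. Pin the exact version that has been verified against the 11.5.1 requirement, `npx --package=npm@<EXACT_VERSION_GE_11.5.1> -- npm publish ...`, and bump it deliberately; the nightly job's hunk (`@@ -168,9 +168,7 @@`) has the same line and should change the same way, and both hunks sit inside job definitions that begin before and continue past them. The step name and the comment's "one-shot npm 11" wording should then state the real version rather than `latest`. Separately, and pre-existing rather than introduced here, `${{ steps.meta.outputs.dist-tag }}` is expanded straight into the shell text; routing it through `env:` (`DIST_TAG: ${{ steps.meta.outputs.dist-tag }}`) and using `--tag "$DIST_TAG"` keeps the tag-derived value out of the script source.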