fix: remove npm upgrade step, rely on pre-installed npm #53
Closed
npm@latest started shipping a broken install (missing promise-retry) causing the release job to fail before any actual work happens. The runner already ships with a recent enough npm for OIDC publishing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Without NPM_CONFIG_PROVENANCE=true, npm doesn't attempt OIDC auth and immediately fails with ENEEDAUTH. The job already has id-token: write so the OIDC exchange will work once provenance is enabled. Note: the trusted publisher config on npmjs.com also needs to be updated from piotrski/agent-react-devtools to callstackincubator/agent-react-devtools to match the repo move.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds registry-url to setup-node so .npmrc is configured, passes NPM_TOKEN to changesets/action for actual releases, and sets NODE_AUTH_TOKEN for the canary snapshot step. The secret was lost when the repo transferred to callstackincubator. Add NPM_TOKEN as a repository secret to restore publishing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
npm@latest broke with a missing promise-retry dependency, so we removed the upgrade step. But that downgraded to the runner's npm 10.9.7 which doesn't support OIDC trusted publishing (requires >= 11.5.1). Pinning to npm@11 gets a stable 11.x release without the breakage. Reverts the NPM_TOKEN workaround — OIDC is the correct approach here.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Switches from the default changelog generator to @changesets/changelog-github, which adds contributor names and PR links to each changelog entry automatically.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
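A preflight for the failure mode the commit messages above describe (an npm older than 11.5.1, or a job that lacks the OIDC token variables), written as an added shell example that is not part of this pull request. The function names are hypothetical; `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` are the variables GitHub Actions sets when a job has `id-token: write`.

```shell
#!/bin/sh
# Added example (not from the PR): fail early, with a clear message, instead of
# hitting ENEEDAUTH in the middle of a release.
MIN_NPM="11.5.1"   # minimum for OIDC trusted publishing, as stated in the commit message

# version_ge A B: succeed when dotted version A >= B.
# Compares major.minor.patch numerically; a -prerelease/+build suffix is ignored.
version_ge() {
  a="${1%%[-+]*}.0.0"; b="${2%%[-+]*}.0.0"   # pad so fields 1-3 always exist
  i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    # Reject empty or non-numeric components rather than guessing.
    case "$x.$y" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# oidc_preflight NPM_VERSION: print every problem found, return non-zero if any.
oidc_preflight() {
  rc=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM: OIDC trusted publishing unavailable"
    rc=1
  fi
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC request variables missing: check 'permissions: id-token: write'"
    rc=1
  fi
  return "$rc"
}

# Constructed sample versions; 10.9.7 and 11.5.1 are the two named above.
for v in 10.9.7 11.5.0 11.5.1 11.6.2; do
  if version_ge "$v" "$MIN_NPM"; then echo "$v: ok"; else echo "$v: too old"; fi
done
```

In a workflow step this would run as `oidc_preflight "$(npm --version)" || exit 1` before the publish command.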
Summary
actions/setup-node should support OIDC provenance publishing
NPM_CONFIG_PROVENANCE: true on both the release and canary steps (added in the previous commit on main)
Test plan