
fix(ci): upgrade npm in release workflows (trusted publishing needs >= 11.5.1)#51

Merged: johnxie merged 1 commit into main from fix/npm-trusted-publishing-cli on Jun 9, 2026

Conversation

@johnxie johnxie (Member) commented Jun 9, 2026

Diagnosis (from release run 27230619415 + force-release 27230718079)

Both publish paths fail with npm error 404 Not Found - PUT after provenance signing succeeds — npm's symptom for an unauthenticated publish. Two stacked causes:

  1. npm too old: trusted publishing requires npm ≥ 11.5.1; Node 22 bundles npm 10.x, which signs provenance but can't do the token exchange. → fixed here (npm install -g npm@latest in both workflows).
  2. npmjs.com-side trusted publisher likely not configured for @taskade/mcp-server / @taskade/mcp-openapi-codegen → requires a package owner in the npm web UI (Settings → Publishing access → add GitHub Actions publisher: org taskade, repo mcp, workflow release.yml).

Evidence that CI publishing never worked: every force-release.yml run in history is a failure (incl. May 19) — 0.0.3 appears to have been published manually.

Zero-regression

  • Additive step; YAML validates; no change to the changesets flow.
  • Once npmjs.com config exists, the next push to main publishes 0.0.4 automatically; force-release stays as manual fallback.

Node 22 bundles npm 10.x, which signs provenance but cannot perform the
trusted-publishing token exchange — every CI publish has failed with npm's
E404-on-PUT (force-release.yml has never had a successful run; 0.0.3 was
evidently published manually). Add 'npm install -g npm@latest' to both
release workflows before publishing.

Note: npmjs.com-side trusted-publisher config (package Settings → Publishing
access → GitHub Actions: taskade/mcp + workflow file) must also exist for
both packages — that part is a web-UI action for a package owner.
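The diagnosis above turns on one number, npm >= 11.5.1, yet `npm --version` in a workflow step only prints the version and enforces nothing. As an added example (not code from the taskade/mcp repository), here is a POSIX sh guard that compares the installed npm version against that minimum and fails the job before the publish step runs; `version_ge`, `npm_trusted_publishing_ready` and the script name `check-npm.sh` are assumed names.

```shell
#!/bin/sh
# Added example, not code from the taskade/mcp repository: a pre-publish guard
# that fails the job when npm cannot do the OIDC trusted-publishing token
# exchange (npm >= 11.5.1), instead of surfacing a "404 Not Found - PUT" only
# after provenance signing has already succeeded.

MIN_NPM_FOR_TRUSTED_PUBLISHING="11.5.1"

# version_ge A B: return 0 when dotted version A >= B, comparing each numeric
# component in turn. Missing components count as 0 ("11.5" == "11.5.0") and a
# prerelease/build suffix ("11.6.0-pre.0") is ignored for the comparison.
version_ge() {
    a="${1%%[-+]*}."
    b="${2%%[-+]*}."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# npm_trusted_publishing_ready VERSION: return 0 when VERSION (the output of
# `npm --version`) meets the minimum, otherwise explain and return 1. Taking
# the version as an argument keeps the check testable without invoking npm.
npm_trusted_publishing_ready() {
    if version_ge "$1" "$MIN_NPM_FOR_TRUSTED_PUBLISHING"; then
        echo "npm $1 can perform the trusted-publishing token exchange"
        return 0
    fi
    echo "npm $1 is too old for trusted publishing (need >= $MIN_NPM_FOR_TRUSTED_PUBLISHING);" >&2
    echo "upgrade npm in an earlier step, pinned to a version that meets the minimum" >&2
    return 1
}

# In a workflow step, run as:  sh check-npm.sh "$(npm --version)"
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    npm_trusted_publishing_ready "$1" || exit 1
fi
```

Placed as a step before `npm publish` (or the Changesets publish step), this makes a Node 22 runner with its bundled npm 10.x fail with a readable message rather than a 404 after signing.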
@johnxie johnxie requested a review from Copilot June 9, 2026 19:35
changeset-bot (Bot) commented Jun 9, 2026

⚠️ No Changeset found

Latest commit: 4d21fbc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@johnxie johnxie merged commit 9b6a8b6 into main Jun 9, 2026
1 check passed
@johnxie johnxie deleted the fix/npm-trusted-publishing-cli branch June 9, 2026 19:35

Copilot AI left a comment

Pull request overview

Updates the GitHub Actions release workflows to ensure npm is new enough to support npm OIDC trusted publishing (token exchange), addressing publish failures that occur after provenance signing.

Changes:

  • Add a step in release.yml to upgrade npm before installing dependencies and publishing.
  • Add the same npm-upgrade step in force-release.yml to keep the manual release path consistent.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: .github/workflows/release.yml
Description: Adds an npm upgrade step to meet trusted publishing’s minimum npm version requirement before running the Changesets publish flow.

File: .github/workflows/force-release.yml
Description: Adds the same npm upgrade step for the workflow_dispatch “force release” publish path.


Comment on lines +33 to +35
- name: Upgrade npm for trusted publishing
run: npm install -g npm@latest && npm --version

Comment on lines +25 to +27
- name: Upgrade npm for trusted publishing
run: npm install -g npm@latest && npm --version
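Review bot: `npm@latest` is unpinned in both quoted "Upgrade npm for trusted publishing" steps, so every release run installs whatever npm happens to be newest at that moment, on the one job that holds publish credentials. The PR title states the real requirement (>= 11.5.1): pin an explicit npm version that satisfies it, for example `npm install -g npm@11.5.1`, and bump it deliberately so the publishing path stays reproducible and an unexpected upstream npm release cannot change behaviour silently. Also, `&& npm --version` only prints the version; a comparison that fails the step when the installed version is below 11.5.1 would turn a later `404 Not Found - PUT` into an immediate, readable error.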
