From 8ebd4732e57eb3c7921634a46b24d372e7f0ed86 Mon Sep 17 00:00:00 2001 From: Steven Sacks Date: Mon, 27 Apr 2026 22:57:29 +0900 Subject: [PATCH] ci: upgrade npm to >=11.5.1 for Trusted Publishing OIDC exchange Node 22 ships npm 10.x. npm 10 signs provenance attestations but does not exchange the GitHub OIDC token for a short-lived publish token, so PUTs to the registry go without auth and return 404 even when a trusted publisher is correctly configured. npm 11.5.1+ does the exchange. Installing npm@latest before the publish step unblocks it. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4a878da..6280d3e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,6 +31,9 @@ jobs: cache: pnpm registry-url: https://registry.npmjs.org + - name: Upgrade npm to a Trusted-Publishing-capable version (>=11.5.1) + run: npm install -g npm@latest + - run: pnpm install --frozen-lockfile - run: pnpm typecheck
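Review bot: The added step's `run: npm install -g npm@latest` floats to whatever npm is newest on the day of the release, so the tool that performs the OIDC exchange and the publish is unpinned, and the `>=11.5.1` floor named in the step title is never actually enforced. Pin it to an exact version or a bounded range, for example `run: npm install -g npm@11.5.1` or `npm@^11.5.1`, and consider adding an `npm --version` line after it so the release log records which npm did the publish. A one-line YAML comment carrying the reason from the commit message (Node 22 ships npm 10.x, which does not do the token exchange) would also keep the step from being removed later as redundant.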