From 535ea0fd6f1b487d84aaf5bce2a4f008cf6e1695 Mon Sep 17 00:00:00 2001
From: Steven Sacks <stevensacks@gmail.com>
Date: Mon, 27 Apr 2026 23:07:50 +0900
Subject: [PATCH] ci: bump release workflow to Node 24 (ships npm 11+)

Drops the npm self-upgrade step. Node 22.22.2's bundled npm 10 has a
self-upgrade regression (Cannot find module 'promise-retry' during
arborist rebuild) that prevents installing a Trusted-Publishing-capable
npm at runtime, even with --force. Node 24 ships npm 11+ natively
which already has the OIDC token exchange path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6280d3e..c768b1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,13 +27,14 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 22
+          # Node 24 ships npm 11+, which has the OIDC token exchange
+          # required for npm Trusted Publishing. Node 22 ships npm 10
+          # and that bundled npm has a self-upgrade regression that
+          # prevents installing a newer npm at runtime.
+          node-version: 24
           cache: pnpm
           registry-url: https://registry.npmjs.org
 
-      - name: Upgrade npm to a Trusted-Publishing-capable version (>=11.5.1)
-        run: npm install -g npm@latest
-
       - run: pnpm install --frozen-lockfile
 
       - run: pnpm typecheck