Fix Release workflow by installing npm via tarball#255
Fix Release workflow by installing npm via tarball#255mishushakov wants to merge 2 commits intomainfrom
Conversation
The pre-installed npm 10.9.x on the Node 22 runner image ships with a broken @npmcli/arborist (missing promise-retry), which makes `npm install -g npm@11` crash during reify. Replace npm via a tarball extract so the Update npm step can succeed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR SummaryLow Risk Overview Also removes the explicit Reviewed by Cursor Bugbot for commit 8565b0d. Bugbot is set up for automated code reviews on this repo. Configure here. |
Use npm 10.9.8 (first version with the @npmcli/arborist self-upgrade fix) as a tarball bootstrap so `npm install -g npm@^11.6` works via the normal path. Drop the now-redundant `NPM_TOKEN: ""` — changesets/ action v1.7.0+ only writes the auth token when NPM_TOKEN is defined. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 8565b0d. Configure here.
| createGithubReleases: true | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| NPM_TOKEN: "" # See https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868 |
There was a problem hiding this comment.
Removed required NPM_TOKEN for OIDC trusted publishing
High Severity
The NPM_TOKEN: "" environment variable was removed from the "Release new versions" step. This empty-string value is required by changesets/action to signal that OIDC trusted publishing is being used instead of a traditional token. Without it, the action writes "undefined" into .npmrc, causing npm publish to fail. The PR description even references NPM_TOKEN: "" as essential for OIDC trusted publishing, so this removal appears accidental.
Reviewed by Cursor Bugbot for commit 8565b0d. Configure here.
1 participant
Summary
npm install -g npm@^11.6because the pre-installed npm 10.9.x on the Node 22 runner image ships with a broken@npmcli/arborist(missingpromise-retry), which crashes during reify.node_modules/npm, pinned to npm 11.9.0. npm 11+ is still required for OIDC trusted publishing (NPM_TOKEN: "").Test plan