From 770aae9066b5d0e5aaae63617ef1ade2125c21c1 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 12 Jun 2026 17:00:54 +0000 Subject: [PATCH] ci: publish release with pnpm instead of npm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses review feedback on #140 to use pnpm (per AGENTS.md) for the release publish step, while keeping OIDC trusted publishing and provenance. - Replace `npm publish --provenance` with `pnpm publish --provenance --no-git-checks` (--no-git-checks because the release runs from a detached tag checkout) - Drop the `npm install -g npm@latest` step; pnpm 11.6.0 (already pinned via packageManager) performs the OIDC token exchange for trusted publishing - Remove `registry-url` from setup-node so it no longer writes `_authToken=${NODE_AUTH_TOKEN}` to .npmrc — the placeholder that broke pnpm-11 OIDC publishing (pnpm/pnpm#11513) https://claude.ai/code/session_016qHimevBQJsTHzBxV7B2od --- .github/workflows/release.yaml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3805237..80186ed 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -33,7 +33,6 @@ jobs: with: node-version: 22 cache: 'pnpm' - registry-url: 'https://registry.npmjs.org' - name: Install Dependencies run: pnpm install 
@@ -44,12 +43,9 @@ jobs: - name: Testing run: pnpm test - # Trusted publishing (OIDC) requires npm CLI >= 11.5.1, which is newer than - # the version bundled with Node.js 22. - - name: Update npm - run: npm install -g npm@latest - - name: Publish - # No NPM_TOKEN: authentication is handled via OIDC trusted publishing. - # Provenance attestations are generated from the OIDC identity. - run: npm publish --provenance --ignore-scripts + # No NPM_TOKEN: pnpm authenticates via OIDC trusted publishing and + # generates provenance attestations from the OIDC identity. + # --no-git-checks is required because the release runs from a detached + # tag checkout rather than a branch. + run: pnpm publish --provenance --no-git-checks --ignore-scripts
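Review bot: `--no-git-checks` on the new `pnpm publish` line disables all of pnpm's pre-publish git checks, not only the publish-branch check that fails on a detached tag checkout, so the clean-working-tree check is lost as well. Any file that `pnpm install` or `pnpm test` created or modified earlier in the job, and that the package's `files`/ignore rules do not exclude, would be packed into the tarball and published with a provenance attestation that points at the tag commit. I would add a step directly before Publish that fails on a dirty tree, for example `run: test -z "$(git status --porcelain)"`, and extend the comment to `# --no-git-checks also skips the clean-tree check; the preceding step enforces it instead.` The job's trigger and `permissions` block are outside this hunk, so whether `id-token: write` is limited to this job cannot be confirmed from here.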