Bootstrap npm via tarball, then upgrade to 11.x normally

mishushakov · claude · mishushakov · commit 8565b0d70c30 · 2026-04-20T16:34:42.000+02:00
Use npm 10.9.8 (first version with the @npmcli/arborist self-upgrade
fix) as a tarball bootstrap so `npm install -g npm@^11.6` works via
the normal path. Drop the now-redundant `NPM_TOKEN: ""` — changesets/
action v1.7.0+ only writes the auth token when NPM_TOKEN is defined.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -344,16 +344,19 @@ jobs:
           pnpm config set exclude-links-from-lockfile true
 
       - name: Update npm
-        # Workaround: the pre-installed npm on the Node 22 runner image ships
-        # with a broken @npmcli/arborist (missing promise-retry), so `npm
-        # install -g npm@11` fails during reify. Replace npm via tarball.
-        # npm 11+ is required for OIDC trusted publishing (NPM_TOKEN="").
+        # The Node 22 runner image ships npm 10.9.7, whose @npmcli/arborist
+        # lazy-loads promise-retry and crashes mid self-upgrade. npm 10.9.8
+        # (arborist 8.0.5) fixed that by eagerly loading it. We tarball-install
+        # 10.9.8 as a bootstrap, then use normal `npm install -g` to reach
+        # npm 11+ which is required for OIDC trusted publishing.
+        # TODO: drop the tarball step once the runner image ships npm >= 10.9.8.
         run: |
-          NPM_VERSION="11.9.0"
+          NPM_BOOTSTRAP_VERSION="10.9.8"
           NPM_DIR="$(dirname "$(dirname "$(which node)")")/lib/node_modules/npm"
           sudo rm -rf "${NPM_DIR}"
           sudo mkdir -p "${NPM_DIR}"
-          curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_VERSION}.tgz" | sudo tar -xz -C "${NPM_DIR}" --strip-components=1
+          curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_BOOTSTRAP_VERSION}.tgz" | sudo tar -xz -C "${NPM_DIR}" --strip-components=1
+          npm install -g npm@^11.6
           npm --version
 
       - name: Install dependencies
@@ -371,7 +374,6 @@ jobs:
           createGithubReleases: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: "" # See https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
       - name: Update lock file
