From a4e2f1ec534d1d419ff3c0cbf124618a89d9b0e7 Mon Sep 17 00:00:00 2001 From: Mish Ushakov <10400064+mishushakov@users.noreply.github.com> Date: Mon, 20 Apr 2026 16:15:17 +0200 Subject: [PATCH 1/2] Fix Release workflow by installing npm via tarball The pre-installed npm 10.9.x on the Node 22 runner image ships with a broken @npmcli/arborist (missing promise-retry), which makes `npm install -g npm@11` crash during reify. Replace npm via a tarball extract so the Update npm step can succeed. Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/release.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4991041f..90522451 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -344,8 +344,16 @@ jobs:
 pnpm config set exclude-links-from-lockfile true
 - name: Update npm
+ # Workaround: the pre-installed npm on the Node 22 runner image ships
+ # with a broken @npmcli/arborist (missing promise-retry), so `npm
+ # install -g npm@11` fails during reify. Replace npm via tarball.
+ # npm 11+ is required for OIDC trusted publishing (NPM_TOKEN="").
 run: |
- npm install -g npm@^11.6
+ NPM_VERSION="11.9.0"
+ NPM_DIR="$(dirname "$(dirname "$(which node)")")/lib/node_modules/npm"
+ sudo rm -rf "${NPM_DIR}"
+ sudo mkdir -p "${NPM_DIR}"
+ curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_VERSION}.tgz" | sudo tar -xz -C "${NPM_DIR}" --strip-components=1
 npm --version
 - name: Install dependencies
From 8565b0d70c305ed8dd79386cef1a2afbd6f3a421 Mon Sep 17 00:00:00 2001
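Review bot: The `curl … | sudo tar -xz` line in the `Update npm` step unpacks the downloaded tarball as root without comparing it to a known digest, in the job that later publishes packages. Pin a SHA-512 next to `NPM_VERSION`, download to a temporary file, verify it, and only then remove the existing npm directory and extract. The registry metadata for the package carries an integrity value the pinned digest can be derived from. PATCH 2/2 keeps the same line with `NPM_BOOTSTRAP_VERSION`, so the point applies to that hunk as well.

```yaml
        run: |
          NPM_VERSION="11.9.0"
          # Placeholder: hex SHA-512 of the tarball, pinned together with the version.
          NPM_SHA512="<PLACEHOLDER_SHA512_HEX>"
          NPM_TGZ="$(mktemp)"
          curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_VERSION}.tgz" -o "${NPM_TGZ}"
          echo "${NPM_SHA512}  ${NPM_TGZ}" | sha512sum --check -
          # … unchanged: NPM_DIR, sudo rm -rf, sudo mkdir -p …
          sudo tar -xzf "${NPM_TGZ}" -C "${NPM_DIR}" --strip-components=1
          # … unchanged: npm --version …
```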
From: Mish Ushakov <10400064+mishushakov@users.noreply.github.com> Date: Mon, 20 Apr 2026 16:34:42 +0200 Subject: [PATCH 2/2] Bootstrap npm via tarball, then upgrade to 11.x normally MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use npm 10.9.8 (first version with the @npmcli/arborist self-upgrade fix) as a tarball bootstrap so `npm install -g npm@^11.6` works via the normal path. Drop the now-redundant `NPM_TOKEN: ""` — changesets/ action v1.7.0+ only writes the auth token when NPM_TOKEN is defined. Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/release.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 90522451..f1c8393a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -344,16 +344,19 @@ jobs:
 pnpm config set exclude-links-from-lockfile true
 - name: Update npm
- # Workaround: the pre-installed npm on the Node 22 runner image ships
- # with a broken @npmcli/arborist (missing promise-retry), so `npm
- # install -g npm@11` fails during reify. Replace npm via tarball.
- # npm 11+ is required for OIDC trusted publishing (NPM_TOKEN="").
+ # The Node 22 runner image ships npm 10.9.7, whose @npmcli/arborist
+ # lazy-loads promise-retry and crashes mid self-upgrade. npm 10.9.8
+ # (arborist 8.0.5) fixed that by eagerly loading it. We tarball-install
+ # 10.9.8 as a bootstrap, then use normal `npm install -g` to reach
+ # npm 11+ which is required for OIDC trusted publishing.
+ # TODO: drop the tarball step once the runner image ships npm >= 10.9.8.
 run: |
- NPM_VERSION="11.9.0"
+ NPM_BOOTSTRAP_VERSION="10.9.8"
 NPM_DIR="$(dirname "$(dirname "$(which node)")")/lib/node_modules/npm"
 sudo rm -rf "${NPM_DIR}"
 sudo mkdir -p "${NPM_DIR}"
- curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_VERSION}.tgz" | sudo tar -xz -C "${NPM_DIR}" --strip-components=1
+ curl -fsSL "https://registry.npmjs.org/npm/-/npm-${NPM_BOOTSTRAP_VERSION}.tgz" | sudo tar -xz -C "${NPM_DIR}" --strip-components=1
+ npm install -g npm@^11.6
 npm --version
 - name: Install dependencies
@@ -371,7 +374,6 @@ jobs:
 createGithubReleases: true
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: "" # See https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 - name: Update lock file
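Review bot: The added `npm install -g npm@^11.6` line in the `Update npm` step resolves the npm version at run time, so the publishing job can run a different 11.x release on each run than the one that was tested. PATCH 1/2 pinned `11.9.0` exactly. Keeping an exact pin here, for example `npm install -g npm@11.9.0`, makes the release toolchain reproducible and turns every npm upgrade into a reviewed change. The bootstrap version above it is already pinned, so only this one line needs to change.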