From 18ec13b2db441f7fe9cdf631899b4ec20179b5b6 Mon Sep 17 00:00:00 2001
From: I4cDeath <publiclasstewart@gmail.com>
Date: Sat, 25 Apr 2026 11:48:34 +0900
Subject: [PATCH] fix(ci): bump publish workflow to Node 24 for npm 11.5+ OIDC
 support

Trusted publishing on npmjs.com requires npm >= 11.5.1
(https://docs.npmjs.com/trusted-publishers). Node 22 in setup-node@v4
ships npm 10.x, which is rejected by the registry with a misleading
E404 instead of the documented ENEEDAUTH. This silently blocked the
v0.10.1 publish even after the trusted publisher was correctly
configured on npmjs.com.

Switching the runner to Node 24 bundles a recent enough npm out of
the box, so we can keep the npm self-upgrade step removed (it was
crashing with `Cannot find module 'promise-retry'`).

CI-only change. No source / no version bump; v0.10.1 will be
re-published from the existing tag via workflow_dispatch.

Made-with: Cursor
---
 .github/workflows/publish.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index be816db..1a24961 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,16 +26,21 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          # Node 24 bundles npm 11.5+, which is the minimum required for
+          # OIDC trusted publishing on npmjs.com. Node 22 ships npm 10.x,
+          # which silently fails with a misleading `E404 Not Found` when
+          # the registry rejects the OIDC token (this blocked the
+          # v0.10.1 publish even after the trusted publisher was
+          # configured). See:
+          # https://docs.npmjs.com/trusted-publishers
+          node-version: "24"
           registry-url: "https://registry.npmjs.org"
 
       # Intentionally NOT running `npm install -g npm@latest` here:
-      # on the Node 22 runner image it currently fails with
+      # on the runner image it has been observed to fail with
       # "Cannot find module 'promise-retry'" during npm's own
-      # self-upgrade (broke v0.9.9 and v0.10.0 publish runs). The
-      # bundled npm in setup-node@v4 is recent enough for `npm publish
-      # --provenance --access public`; pin a specific version here only
-      # if a future npm feature requires it.
+      # self-upgrade. Node 24's bundled npm is already >= 11.5.1, so
+      # no upgrade is needed for trusted publishing or provenance.
 
       - uses: pnpm/action-setup@v4
         with: