From 5b907df4e1e18f38a62c808f1b6d633e03f137a1 Mon Sep 17 00:00:00 2001
From: Kurt Overmier
Date: Sat, 18 Apr 2026 06:44:51 -0500
Subject: [PATCH] ci(release): upgrade npm to 11+ for trusted-publisher OIDC auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The prior fix (#120) removed token plumbing expecting npm's `--provenance` flag to drive OIDC-based publish auth. It doesn't — `--provenance` only signs attestations via OIDC. Publish auth via OIDC for trusted publishers requires **npm 11.5.1+**, which is newer than what setup-node bundles with Node 20 (currently ~10.x). Result: v0.12.0 publish returned ENEEDAUTH — the CLI had no token (correct end state) but didn't know how to use OIDC for auth. Fix: install npm@latest globally before the publish step. 11.12.1 as of 2026-04-18 has first-class trusted-publisher OIDC auth.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/release.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 33f0d39..94df503 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -115,6 +115,11 @@ jobs:
 node-version: '20'
 cache: 'pnpm'
+ # npm 11.5.1+ required for trusted-publisher OIDC auth on publish.
+ # The version bundled with Node 20 on setup-node is ~10.x.
+ - name: Upgrade npm for trusted-publisher support
+ run: npm install -g npm@latest
+
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
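Review bot: The added step `run: npm install -g npm@latest` leaves the npm CLI unpinned in the release job, so each release runs whatever npm version the registry serves at that moment. A broken or compromised npm release would then execute in the job that holds trusted-publisher authority. Pin it to a version that meets the stated 11.5.1 minimum, for example the one the commit message names, `run: npm install -g npm@11.12.1`, and bump it deliberately. The comment above the step could record that intent, e.g. `# Pinned on purpose: this job publishes via OIDC; bump deliberately.` The job's permissions block and the publish step lie outside the hunk, so whether `id-token: write` is scoped to this job alone could not be checked here.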