From 52fead606a68dd338537b1dc5867c81fb320830a Mon Sep 17 00:00:00 2001
From: Brad Heller
Date: Thu, 23 Apr 2026 13:55:05 +0100
Subject: [PATCH] fix(ci): make publish-npm/docker work with dist's caller permissions

dist's generated release.yml grants publish jobs only `id-token: write` and `packages: write`, so publish-npm.yml and publish-docker.yml were rejected at workflow-validation time for requesting `contents: read`. Move the checkout-dependent work into new local-artifacts-jobs (build-wasm, build-docker) that upload the npm package and Dockerfile as artifacts. The publish jobs now download those artifacts and need no `contents` scope. Also swap the in-place `npm install -g npm@latest` for `npx -y npm@latest publish`, avoiding the Node 22.22.x bundled-npm self-upgrade bug (npm/cli#7657).
---
 .github/workflows/publish-npm.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 36421b77..0233467d 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -32,8 +32,9 @@ jobs:
 with:
 node-version: 22
 registry-url: 'https://registry.npmjs.org'
- - name: Upgrade npm for Trusted Publishing
- run: npm install -g npm@latest
 - name: Publish to npm
 working-directory: pkg
- run: npm publish --access public --provenance
+ # Use `npx npm@latest` rather than upgrading the global npm in place:
+ # the npm bundled with Node 22.22.x self-destructs during
+ # `npm install -g npm@latest` (missing promise-retry, npm/cli#7657).
+ run: npx -y npm@latest publish --access public --provenance
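Review bot: The added `run: npx -y npm@latest publish --access public --provenance` line fetches and executes whatever the `latest` dist-tag of npm resolves to at run time, inside the job that holds the OIDC token for trusted publishing, so the publish step is neither reproducible nor protected against a bad or compromised npm release on that tag. Pin an exact version and bump it deliberately, e.g. `run: npx -y npm@<pinned-version> publish --access public --provenance`, and let the comment above say why a newer npm is needed at all (presumably because the bundled one lacks trusted-publishing support, as the removed step's name suggests), not only why the in-place upgrade was avoided. The diffstat lists only publish-npm.yml although the description also covers publish-docker.yml and new build-wasm/build-docker jobs, so those presumably arrive in a separate patch. The enclosing job's step list begins before the hunk.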