diff --git a/.github/workflows/javascript-npm-packages.yml b/.github/workflows/javascript-npm-packages.yml
index fa94d11..c5829e4 100644
--- a/.github/workflows/javascript-npm-packages.yml
+++ b/.github/workflows/javascript-npm-packages.yml
@@ -67,32 +67,22 @@ jobs:
 - id: changelog
 uses: coroboros/ci/.github/actions/release/generate-changelog@v0
- - name: pnpm publish
+ - name: Publish
 shell: bash
- env:
- PNPM_BOOTSTRAP_VERSION: "10.33.0"
- PNPM_BOOTSTRAP_SHA256: "8d4e8f7d778e8ac482022e2577011706a872542f6f6f233e795a4d9f978ea8b5"
 run: |
 if [ -n "${NPM_PACKAGE_REGISTRY_TOKEN}" ]; then
- echo "Publishing with NPM_PACKAGE_REGISTRY_TOKEN auth via pinned pnpm ${PNPM_BOOTSTRAP_VERSION}"
- # pnpm >= 11.1.3 in CI auto-attempts OIDC and does not fall back
- # to the .npmrc token after OIDC fails. Corepack intercepts every
- # `pnpm` invocation (including `npx pnpm@`), so a side
- # version cannot be injected through PATH. Fetch the pnpm
- # ${PNPM_BOOTSTRAP_VERSION} standalone binary, verify its SHA-256,
- # and execute it directly — bypasses corepack entirely. The
- # consumer package's own `packageManager` pin is unchanged.
- # Full rationale: CHANGELOG v0.1.8.
- pnpm_bin="${RUNNER_TEMP}/pnpm-${PNPM_BOOTSTRAP_VERSION}"
- curl -fsSL "https://github.com/pnpm/pnpm/releases/download/v${PNPM_BOOTSTRAP_VERSION}/pnpm-linux-x64" -o "${pnpm_bin}"
- echo "${PNPM_BOOTSTRAP_SHA256} ${pnpm_bin}" | sha256sum -c -
- chmod +x "${pnpm_bin}"
- # Disable pnpm's package-manager self-switch: when the standalone
- # 10.33.0 binary reads `packageManager: pnpm@11.x` from
- # package.json it tries `pnpm add @pnpm/exe@11.x` which fails
- # against the single-file standalone (no `/snapshot/dist/pnpm.cjs`).
- "${pnpm_bin}" --config.manage-package-manager-versions=false --version
- "${pnpm_bin}" --config.manage-package-manager-versions=false publish --no-git-checks
+ echo "Publishing with NPM_PACKAGE_REGISTRY_TOKEN auth via npm CLI"
+ # The pre-Trusted-Publisher bootstrap path can't reliably use
+ # pnpm 11.x (auto-OIDC, no fallback to .npmrc token) or pnpm
+ # 10.33.0 (corepack intercepts every `pnpm`; the standalone
+ # binary self-switches on a `packageManager: pnpm@11.x` pin).
+ # npm CLI is not managed by corepack and does not auto-attempt
+ # OIDC — it reads `_authToken` from `.npmrc` directly and PUTs.
+ # The publish artifact is identical to pnpm publish (same
+ # `files`, same `prepublishOnly`). Full rationale: CHANGELOG
+ # v0.1.10.
+ npm --version
+ npm publish
 else
 echo "Publishing with OIDC Trusted Publisher + provenance"
 pnpm publish --provenance --no-git-checks
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5a073f..c8c7b8a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## v0.1.10 - 20/05/2026
+
+### Fixes
+- `javascript-npm-packages` — use `npm publish` for the token bootstrap path. v0.1.5 → v0.1.9 chased pnpm-side workarounds (env vars, configs, npx version pin, standalone binary download with SHA verify, `manage-package-manager-versions=false`) and each one hit a different pnpm 10/11 dead-end: pnpm 11 auto-attempts OIDC without `.npmrc` fallback; pnpm 10.33.0 via `npx` is intercepted by corepack; the standalone 10.33.0 binary self-switches on `packageManager: pnpm@11.x` and crashes against its own snapshot. `npm publish` is not managed by corepack, does not auto-attempt OIDC, reads `_authToken` from `.npmrc` directly, and produces an identical tarball (same `files`, same `prepublishOnly`). The OIDC branch (`pnpm publish --provenance --no-git-checks`) is unchanged — pnpm OIDC works once a Trusted Publisher is bound; only the pre-Trusted-Publisher bootstrap takes the npm CLI path. Revert to a single `pnpm publish` once pnpm 11.x's bootstrap-via-token regression is upstream-fixed.
+
 ## v0.1.9 - 20/05/2026
 ### Fixes
diff --git a/package.json b/package.json
index 8d6d26c..19ba5a7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@coroboros/ci",
- "version": "0.1.9",
+ "version": "0.1.10",
 "private": true,
 "description": "Reusable GitHub Actions CI for the Coroboros stack.",
 "license": "SEE LICENSE IN LICENSE.md",
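Review bot: The added comment's claim that the `npm publish` artifact is identical to `pnpm publish` holds only if the consumer package uses no pnpm-specific specifiers — `npm publish` does not rewrite `workspace:`/`catalog:` dependency ranges or apply pnpm's `publishConfig` field overrides, so a package relying on them would ship a tarball with ranges the registry cannot resolve. I'd hedge the comment to `# Same files/prepublishOnly as pnpm publish; NOTE: npm does not rewrite workspace:/catalog: specifiers` and, if any published package in this repo uses them, fail the token branch before `npm publish` rather than after. Separately, removing the SHA-256-verified pnpm pin means the publishing tool is now whatever npm the runner image or Node setup step provides; `npm --version` only logs it, so a one-line comment stating where npm's version is pinned (presumably the setup step outside this hunk) would preserve the rationale the old comment carried. The `if … fi` block closes outside the hunk.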