fix(javascript-npm-packages): use npm CLI for the token bootstrap publish

.github/workflows/javascript-npm-packages.yml

@@ -67,32 +67,22 @@ jobs:
       - id: changelog
         uses: coroboros/ci/.github/actions/release/generate-changelog@v0
 
-      - name: pnpm publish
+      - name: Publish
         shell: bash
-        env:
-          PNPM_BOOTSTRAP_VERSION: "10.33.0"
-          PNPM_BOOTSTRAP_SHA256: "8d4e8f7d778e8ac482022e2577011706a872542f6f6f233e795a4d9f978ea8b5"
         run: |
           if [ -n "${NPM_PACKAGE_REGISTRY_TOKEN}" ]; then
-            echo "Publishing with NPM_PACKAGE_REGISTRY_TOKEN auth via pinned pnpm ${PNPM_BOOTSTRAP_VERSION}"
-            # pnpm >= 11.1.3 in CI auto-attempts OIDC and does not fall back
-            # to the .npmrc token after OIDC fails. Corepack intercepts every
-            # `pnpm` invocation (including `npx pnpm@<other>`), so a side
-            # version cannot be injected through PATH. Fetch the pnpm
-            # ${PNPM_BOOTSTRAP_VERSION} standalone binary, verify its SHA-256,
-            # and execute it directly — bypasses corepack entirely. The
-            # consumer package's own `packageManager` pin is unchanged.
-            # Full rationale: CHANGELOG v0.1.8.
-            pnpm_bin="${RUNNER_TEMP}/pnpm-${PNPM_BOOTSTRAP_VERSION}"
-            curl -fsSL "https://github.com/pnpm/pnpm/releases/download/v${PNPM_BOOTSTRAP_VERSION}/pnpm-linux-x64" -o "${pnpm_bin}"
-            echo "${PNPM_BOOTSTRAP_SHA256}  ${pnpm_bin}" | sha256sum -c -
-            chmod +x "${pnpm_bin}"
-            # Disable pnpm's package-manager self-switch: when the standalone
-            # 10.33.0 binary reads `packageManager: pnpm@11.x` from
-            # package.json it tries `pnpm add @pnpm/exe@11.x` which fails
-            # against the single-file standalone (no `/snapshot/dist/pnpm.cjs`).
-            "${pnpm_bin}" --config.manage-package-manager-versions=false --version
-            "${pnpm_bin}" --config.manage-package-manager-versions=false publish --no-git-checks
+            echo "Publishing with NPM_PACKAGE_REGISTRY_TOKEN auth via npm CLI"
+            # The pre-Trusted-Publisher bootstrap path can't reliably use
+            # pnpm 11.x (auto-OIDC, no fallback to .npmrc token) or pnpm
+            # 10.33.0 (corepack intercepts every `pnpm`; the standalone
+            # binary self-switches on a `packageManager: pnpm@11.x` pin).
+            # npm CLI is not managed by corepack and does not auto-attempt
+            # OIDC — it reads `_authToken` from `.npmrc` directly and PUTs.
+            # The publish artifact is identical to pnpm publish (same
+            # `files`, same `prepublishOnly`). Full rationale: CHANGELOG
+            # v0.1.10.
+            npm --version
+            npm publish
           else
             echo "Publishing with OIDC Trusted Publisher + provenance"
             pnpm publish --provenance --no-git-checks

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.1.10 - 20/05/2026
+
+### Fixes
+- `javascript-npm-packages` — use `npm publish` for the token bootstrap path. v0.1.5 → v0.1.9 chased pnpm-side workarounds (env vars, configs, npx version pin, standalone binary download with SHA verify, `manage-package-manager-versions=false`) and each one hit a different pnpm 10/11 dead-end: pnpm 11 auto-attempts OIDC without `.npmrc` fallback; pnpm 10.33.0 via `npx` is intercepted by corepack; the standalone 10.33.0 binary self-switches on `packageManager: pnpm@11.x` and crashes against its own snapshot. `npm publish` is not managed by corepack, does not auto-attempt OIDC, reads `_authToken` from `.npmrc` directly, and produces an identical tarball (same `files`, same `prepublishOnly`). The OIDC branch (`pnpm publish --provenance --no-git-checks`) is unchanged — pnpm OIDC works once a Trusted Publisher is bound; only the pre-Trusted-Publisher bootstrap takes the npm CLI path. Revert to a single `pnpm publish` once pnpm 11.x's bootstrap-via-token regression is upstream-fixed.
+
 ## v0.1.9 - 20/05/2026
 
 ### Fixes

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coroboros/ci",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "private": true,
   "description": "Reusable GitHub Actions CI for the Coroboros stack.",
   "license": "SEE LICENSE IN LICENSE.md",