From 832dd4ada141a131b544be81caa38fec1e5ae9f5 Mon Sep 17 00:00:00 2001
From: AgentSeal
Date: Sat, 18 Apr 2026 09:33:52 -0700
Subject: [PATCH] fix(ci): upgrade npm to 11.5.1+ for OIDC trusted publishing

Node 22 ships with npm 10.x, which does not know how to exchange the GitHub OIDC id-token for a short-lived npm token. Without this upgrade, the publish step silently falls back to the empty NODE_AUTH_TOKEN that setup-node writes to .npmrc, and the registry returns 404. First test publish (v0.7.4-rc.0) failed at exactly this point, even though provenance signing via sigstore succeeded, confirming the OIDC handshake with GitHub was fine and only the npm-side auth was broken. Fix: `npm install -g npm@latest` before the publish step. Adds ~5s to runtime.
---
 .github/workflows/publish-npm.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 3f6bcbf..30db2dd 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -28,6 +28,13 @@ jobs:
 node-version: '22'
 registry-url: 'https://registry.npmjs.org'
+ - name: Upgrade npm for trusted publishing
+ # Node 22 ships with npm 10.x; npm OIDC trusted publishing requires
+ # npm 11.5.1+. Without this, the publish step silently falls back
+ # to the empty NODE_AUTH_TOKEN written by setup-node and the
+ # registry returns 404.
+ run: npm install -g npm@latest
+
 - name: Verify tag matches package.json
 run: |
 TAG_VERSION="${GITHUB_REF#refs/tags/v}"
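Review bot: The new `run: npm install -g npm@latest` step pulls an unpinned, moving version of the tool that will go on to hold the OIDC-derived publish credential, so whatever the registry labels `latest` on a given day runs inside the job that has `id-token: write` and publishes the package; the comment above it states the real requirement is "npm 11.5.1+", and the code should say the same. Pin to the version range the step actually needs and make the resolved version visible in the log, e.g. `run: |` / `  npm install -g npm@^11.5.1` / `  npm --version`, so a future npm release cannot silently change publish behaviour and a failed upgrade is diagnosable from the run output. The comment's claim that the fallback is silent also argues for a fail-fast check after the install (a one-line major-version test on `npm --version` exiting non-zero below 11) rather than relying on a later 404; that is a reasonable follow-up even if left out here. The `jobs:` mapping and the `steps:` list this step belongs to begin before the hunk.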