Skip to content

ci(cli-auth): publish via npx npm@11 instead of global self-upgrade#26

Merged
xiaoyijun merged 1 commit into
masterfrom
xiaoyijun-cli-auth-fix-publish-npm
Apr 22, 2026
Merged

ci(cli-auth): publish via npx npm@11 instead of global self-upgrade#26
xiaoyijun merged 1 commit into
masterfrom
xiaoyijun-cli-auth-fix-publish-npm

Conversation

@xiaoyijun
Copy link
Copy Markdown
Collaborator

@xiaoyijun xiaoyijun commented Apr 22, 2026
edited
Loading

Summary

First run of the Publish workflow (triggered by pushing tag v0.1.0-beta.0) failed at the npm install -g npm@latest step with:

npm error code MODULE_NOT_FOUND
npm error Cannot find module 'promise-retry'

This is a known self-upgrade breakage: when npm install -g npm@latest runs with the runner-bundled npm, the new version partially replaces files from the old install and leaves the global npm in a broken intermediate state before the next command runs.

Instead of fighting the self-upgrade, run publish against a clean pinned npm via npx:

- name: Publish to npm
  working-directory: packages/cli-auth
  run: |
    VERSION=$(node -p "require('./package.json').version")
    if [[ "$VERSION" == *-* ]]; then
      npx --yes npm@11 publish --tag beta --provenance
    else
      npx --yes npm@11 publish --provenance
    fi

npm@11 satisfies the >= 11.5.1 floor we need for Trusted Publisher + --provenance. The --yes flag skips the npx install prompt. The old Ensure npm >= 11.5.1 step is removed.

Re-triggering the release after merge

Tag v0.1.0-beta.0 has already been pushed, but it points at the broken workflow commit. After this PR merges:

# Delete the old tag locally and on remote
git tag -d v0.1.0-beta.0
git push origin :refs/tags/v0.1.0-beta.0

# Sync master with the fix, then re-tag at the new HEAD
git checkout master && git pull
git tag v0.1.0-beta.0
git push origin v0.1.0-beta.0

(Alternatively, leave the tag where it is and use workflow_dispatch from the Actions tab — it will check out current master, which has the fix. Re-tagging is cleaner for keeping provenance history tied to the right commit.)

Testing

Ran npx --yes npm@11 publish --dry-run --tag beta locally inside packages/cli-auth:

  • Tarball: cli-auth-0.1.0-beta.0.tgz, 33 files, 42.0 kB packed / 158.5 kB unpacked.
  • Includes dist/, README.md, LICENSE, package.json.
  • Output confirms: Publishing to https://registry.npmjs.org/ with tag beta and default access.

Non-blocking warning worth noting (not fixed here to keep this PR tight): npm normalized repository.url from https://… to git+https://…. Worth a follow-up npm pkg fix commit, but it does not affect publishing.

@xiaoyijun
ci(cli-auth): publish via npx npm@11 instead of global self-upgrade
e6c6fb9 
The 'npm install -g npm@latest' step on ubuntu-latest started failing with
'Cannot find module promise-retry' because npm's self-upgrade leaves the
install in a broken intermediate state. Switch to 'npx --yes npm@11 publish'
so the publish runs against a clean pinned npm without touching the runner's
global install. npm 11.x still satisfies the Trusted Publisher / --provenance
requirements.
@xiaoyijun xiaoyijun requested a review from a team April 22, 2026 02:18
@xiaoyijun xiaoyijun merged commit 95a666f into master Apr 22, 2026
3 checks passed
@xiaoyijun xiaoyijun deleted the xiaoyijun-cli-auth-fix-publish-npm branch April 22, 2026 02:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xiaoyijun