From 0a81287f4925ecff5d9e7fce4275857df53c5b54 Mon Sep 17 00:00:00 2001
From: Subin Lee <chandar.sblee@gmail.com>
Date: Thu, 16 Apr 2026 16:54:00 +0900
Subject: [PATCH] fix(ci): use Node 24 for npm Trusted Publishers OIDC support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npm Trusted Publishers OIDC token exchange requires npm CLI 11.5.1+.
Node 18 ships npm 10.8.2 which lacks OIDC support, causing E404 on
publish despite provenance signing succeeding (Sigstore is separate).

Node 24 ships npm 11.x+ with native OIDC support. Only the publish
job is changed — test/lint jobs remain on Node 18 for SDK compatibility.

Also restore --provenance --access public flags per OIDC project
conventions (astral-sh/ruff, Effect-TS/effect).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 10104e1c..3ff9f68f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -249,7 +249,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: 18
+          node-version: 24
           registry-url: https://registry.npmjs.org
 
       - name: Install dependencies
@@ -261,7 +261,7 @@ jobs:
       - name: Publish
         env:
           NPM_TAG: ${{ github.ref_name == 'beta' && 'beta' || 'latest' }}
-        run: npm publish --tag "$NPM_TAG"
+        run: npm publish --provenance --access public --tag "$NPM_TAG"
 
       - name: Report publish failure
         if: failure()