Skip to content

fix(ci): pin npm and make provenance explicit in npm publish#53

Merged
johnpmitsch merged 1 commit into
mainfrom
fix/npm-publish-sigstore
Jul 10, 2026
Merged

fix(ci): pin npm and make provenance explicit in npm publish#53
johnpmitsch merged 1 commit into
mainfrom
fix/npm-publish-sigstore

Conversation

@johnpmitsch

Copy link
Copy Markdown
Collaborator

Fixes the npm publish job crashing with Cannot find module 'sigstore' (MODULE_NOT_FOUND).

What was happening

The publish job tracked npm@latest, which pulled a release whose bundled sigstore module fails to load. With id-token: write set, npm auto-triggers provenance generation, hits the broken module, and crashes mid-publish.

Fix

  • Pin npm to 11.6.2 (working sigstore, supports trusted publishing) instead of chasing @latest.
  • Pass --provenance explicitly on both publish steps so behavior no longer depends on npm silently auto-detecting the OIDC token.

Provenance attestations are kept on.

The npm publish job crashed with 'Cannot find module sigstore'
(MODULE_NOT_FOUND) inside npm's provenance code path. It tracked
npm@latest, which grabbed a release whose bundled sigstore fails to
load. With id-token: write set, npm auto-triggers provenance and hits
the broken module.

Pin npm to 11.6.2 (working sigstore) and pass --provenance explicitly
so behavior no longer depends on npm auto-detecting the OIDC token.
@johnpmitsch johnpmitsch merged commit 49eb289 into main Jul 10, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants