From e7e0008986a498fa85fb2ce964914cf5a0e8b507 Mon Sep 17 00:00:00 2001
From: ProxyMesh AI <ai@proxymesh.com>
Date: Mon, 6 Apr 2026 17:46:47 +0000
Subject: [PATCH] ci(publish): activate npm via Corepack for OIDC provenance

Global npm install -g failed on Node 22.22.x (MODULE_NOT_FOUND: promise-retry in
@npmcli/arborist). Use corepack prepare instead of upgrading through the broken
bundled npm. Drop check-latest on setup-node to match integration tests and
avoid bleeding-edge toolchains.

Made-with: Cursor
---
 .github/workflows/publish.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 94bd743..a1757c3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -51,12 +51,17 @@ jobs:
         uses: actions/setup-node@v6
         with:
           node-version: 22
-          check-latest: true
           cache: npm
 
+      # Corepack avoids `npm install -g npm` when the bundled global npm is broken (e.g. missing promise-retry).
       - name: Upgrade npm for trusted publishing (OIDC)
         if: steps.gate.outputs.publish == 'true'
-        run: npm install -g npm@">=11.5.1"
+        env:
+          COREPACK_ENABLE_DOWNLOAD_PROMPT: 0
+        run: |
+          corepack enable
+          corepack prepare npm@11.5.1 --activate
+          npm --version
 
       - name: Ensure versions match
         if: steps.gate.outputs.publish == 'true'