fix(CI): upgrade @semantic-release/npm to 13.x for OIDC trusted publishing #148

Merged

emmclaughlin merged 2 commits into main on Apr 30, 2026
…shing

@semantic-release/npm only learned how to perform the OIDC token exchange with the npm registry in v13.1.0. semantic-release@24 still pins it to ^12.0.2, which falls back to looking for an NPM_TOKEN even when a Trusted Publisher is configured on npm and the workflow grants id-token: write. That is why the publish step keeps failing with ENONPMTOKEN despite the trusted publisher being set up correctly.

- Add @semantic-release/npm@^13.1.5 and @semantic-release/github@^12.0.6 as direct devDependencies.
- Pin both via yarn 'resolutions' so the copies nested inside semantic-release@24 are also overridden (otherwise the v12 copy is the one actually loaded at release time).
- The @semantic-release/github bump also picks up the fix for the 'Variable $owner of type String!' GraphQL error from the failure reporter that was masking publish errors in run logs.
@semantic-release/npm@13.x and @semantic-release/github@12.x both declare engines.node ^22.14.0 || >= 24.10.0, so 'yarn install' fails on Node 20 with 'incompatible with this module'. Drop Node 20 from the PR matrix and bump the release workflow to Node 22. The runtime package itself has no engines field and its peer deps still allow React 16+, so consumers are unaffected; only the dev/CI tooling now requires Node 22+.
awaterston01 approved these changes on Apr 30, 2026
Summary

Upgrade `@semantic-release/npm` from the v12 line (transitively pinned by `semantic-release@24`) to `^13.1.5`, and `@semantic-release/github` to `^12.0.6`. Both are added as direct devDependencies and pinned via yarn `resolutions` so the copies nested inside `semantic-release` get overridden too. Bump CI/CD workflows to Node 22 to match the new engine requirement.

Why This Change Is Needed
The NPM Trusted Publisher for `@faire/mjml-react` is configured correctly (Faire/mjml-react, workflow filename `CD_release_npm.yml`, no environment), and the workflow already has `id-token: write` and an npm CLI new enough to do the OIDC handshake. Despite all of that, every release run still fails with: (see run 22227142052)
The reason is that OIDC trusted-publishing support — the bit that performs the GitHub OIDC → npm token exchange and skips the `NPM_TOKEN` requirement — was only added to `@semantic-release/npm` in v13.1.0. `semantic-release@24` declares `@semantic-release/npm: ^12.0.2`, so yarn was installing v12.0.2 nested under `node_modules/semantic-release/`, and that's the copy actually loaded at release time. v12 doesn't know about OIDC, so it falls straight through to the legacy `set-npmrc-auth.js` path that requires `NPM_TOKEN`.

Just adding v13 as a top-level devDependency isn't enough because the nested v12 inside `semantic-release@24` still wins. Yarn `resolutions` are required to dedupe to a single v13.1.5 copy, which is what semantic-release will then load. After this change, `find node_modules -path '*@semantic-release/npm/package.json'` returns only `13.1.5` (no nested v12 left).

`@semantic-release/github` is bumped to `^12.0.6` while we're here. The previous (v11.x) version was also throwing `Variable $owner of type String! was provided invalid value` from its GraphQL "fail" reporter when a publish failed, which obscured the underlying error in the action logs. v12.x fixes that.

Node 22 bump
`@semantic-release/npm@13.x` and `@semantic-release/github@12.x` both declare `engines.node: ^22.14.0 || >= 24.10.0`. The first PR push failed CI with `error @semantic-release/npm@13.1.5: The engine "node" is incompatible with this module. Got "20.20.2"`. Two corresponding workflow updates:

- `.github/workflows/CD_release_npm.yml`: bump from Node `20.17.0` to Node `22` so semantic-release can install and run.
- `.github/workflows/CI_PR_merge_checks.yml`: drop `20.x` from the matrix and keep `22.x` only.

The runtime package itself has no `engines` field and its peer deps still allow React 16+, so consumers' Node version requirements are unchanged. Only the dev/CI tooling now requires Node 22+.

Verification
- `yarn install` produces a single resolved version of each plugin (`@semantic-release/npm@13.1.5`, `@semantic-release/github@12.0.6`); no nested duplicates remain.
- `yarn build-dist`, `yarn test`, `yarn lint`, and `yarn prettier --check .` all pass on Node 22 locally.
- main and a conventional-commit `fix:`/`feat:` push triggers semantic-release. Expected log line on success: `[@semantic-release/npm] › ℹ Publishing with provenance.`

Related
- `@semantic-release/npm` v13.1.0 release notes (introduces OIDC token exchange).
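An added check, not part of this PR or the project, that automates the single-resolution verification described above: it lists every copy of a package under `node_modules`, fails while a nested duplicate (the v12 copy under `semantic-release/`) is still present, and gates on a minimum version (13.1.0, where OIDC support landed). Function names are hypothetical; it assumes plain `X.Y.Z` versions and paths without spaces.

```shell
#!/bin/sh
# Added example, not part of the PR or the project: automate the resolution
# check from the PR description. It finds every copy of a package under
# node_modules, fails when a nested duplicate remains (the v12 copy under
# semantic-release/ that yarn resolutions are meant to remove) and gates on a
# minimum version (13.1.0 is when @semantic-release/npm gained OIDC support).
# Function names are hypothetical; POSIX sh only, no node or jq needed.

# Print the "version" field of a package.json.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# version_ge A B: succeed when A >= B, comparing major.minor.patch numerically.
# Assumes both arguments are plain X.Y.Z versions.
version_ge() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# check_single_resolution ROOT PKG MINVER
# Succeeds only when exactly one PKG/package.json exists anywhere under ROOT
# and its version is >= MINVER. Every copy found is listed so a nested
# duplicate shows up in CI output. (Paths are assumed to contain no spaces.)
check_single_resolution() {
  root=$1; pkg=$2; minver=$3; count=0; found=
  for f in $(find "$root" -path "*node_modules/$pkg/package.json" 2>/dev/null); do
    v=$(pkg_version "$f")
    echo "$f -> $v"
    count=$((count + 1)); found=${v%%-*}   # strip any pre-release suffix
  done
  [ "$count" -eq 1 ] || { echo "expected exactly 1 copy of $pkg, found $count"; return 1; }
  version_ge "$found" "$minver" || { echo "$pkg@$found is older than $minver"; return 1; }
  echo "$pkg resolved to a single copy ($found) >= $minver"
}

# Usage in a project checkout after 'yarn install':
#   check_single_resolution . @semantic-release/npm 13.1.0
#   check_single_resolution . @semantic-release/github 12.0.6
```

Running it as a CI step after `yarn install` makes the nested-copy failure mode visible before the release workflow reaches the publish step.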