From 7361e4db30e3d80a5e665554f1ba54ba91ec32f6 Mon Sep 17 00:00:00 2001
From: Zach Hawtof
Date: Wed, 20 May 2026 03:14:16 -0400
Subject: [PATCH] fix(ci): publish via npx and tag prereleases explicitly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two issues showed up running the trusted-publisher publish step: - `npm install -g npm@latest` races against the running bundled npm ("Cannot find module 'promise-retry'") because npm tries to overwrite its own files mid-install. Run the modern CLI via `npx` from its separate cache instead — no self-overwrite, same OIDC behavior. - npm 11+ refuses to publish a prerelease without `--tag`: "You must specify a tag using --tag when publishing a prerelease version." Derive the tag from the version's prerelease identifier so future prereleases (e.g. `-alpha.N`) land on the matching tag rather than getting bounced. Stable versions still publish to `latest` (default).
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release-please.yml | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 2867cf5..65d71e8 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -41,11 +41,19 @@ jobs:
 - run: pnpm run build:clean
 if: ${{ steps.release.outputs.releases_created }}
- # Trusted Publisher (OIDC) needs npm CLI >= 11.5.1; Node 22 ships with
- # npm 10.x, and pnpm <11.0.7 does not perform the OIDC exchange. So we
- # publish with npm from the upgraded CLI instead of `pnpm publish`.
- - run: npm install -g npm@latest
- if: ${{ steps.release.outputs.releases_created }}
-
- - run: npm publish --provenance --access public
+ # Trusted Publisher (OIDC) needs npm CLI >= 11.5.1; Node 22 ships
+ # with npm 10.x. Run the modern CLI via `npx` from its separate
+ # cache instead of `npm install -g npm@latest`, which races against
+ # the running npm mid-install ("Cannot find module 'promise-retry'").
+ # npm 11+ also requires an explicit --tag for prereleases.
+ - name: Publish to npm
 if: ${{ steps.release.outputs.releases_created }}
+ run: |
+ version=$(node -p "require('./package.json').version")
+ if [[ "$version" == *-* ]]; then
+ tag="${version#*-}"
+ tag="${tag%%.*}"
+ npx -y npm@latest publish --provenance --access public --tag "$tag"
+ else
+ npx -y npm@latest publish --provenance --access public
+ fi
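Review bot: Both `npx -y npm@latest publish` lines in the new `Publish to npm` step download and run whatever npm release is current at job time, in the same step that performs the OIDC trusted-publisher exchange and signs provenance, so an unreviewed CLI release runs with publish rights. Pin an exact version at or above the 11.5.1 floor the comment cites, e.g. `npx -y npm@11.5.1 publish --provenance --access public --tag "$tag"`, and bump it deliberately. The derived tag is also passed to `--tag` unchecked: a constructed version such as `1.0.0-0` yields the tag `0`, and a prerelease identifier of `latest` would move the `latest` dist-tag to a prerelease, so a guard such as `[[ "$tag" =~ ^[a-z][a-z0-9-]*$ && "$tag" != latest ]] || exit 1` before publishing would fail closed. The job's `permissions:` block and the earlier steps lie outside this hunk, so the scope of the id-token grant could not be checked here.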