fix(ci): bump pnpm to 10.34.5 for npm OIDC trusted publishing#42
Merged
Conversation
The Release job failed at `changeset publish` with:
EUNKNOWNCONFIG Unknown cli flag: --git-checks
Root cause: the workflow uses npm OIDC trusted publishing (no NPM_TOKEN),
which requires npm >=11.5.1 (CI installs it via `npm install -g npm@latest`).
changesets runs `pnpm publish --no-git-checks`, but pnpm 8.15.4 is not
OIDC-aware and leaks the pnpm-only `--no-git-checks` flag through to npm 11,
which rejects it — so every package fails to publish.
Move to pnpm 10.34.5, which supports npm OIDC trusted publishing natively
and handles `--no-git-checks` correctly (pnpm 11.x has an OIDC regression,
pnpm/pnpm#11513, so we stay on 10.x).
Follow-on changes required by the pnpm major bump:
- Regenerate pnpm-lock.yaml (lockfileVersion 6.0 -> 9.0).
- Add onlyBuiltDependencies (@parcel/watcher, esbuild) to pnpm-workspace.yaml:
pnpm >=10 blocks dependency build scripts by default; these native deps
need their postinstall for the build and file watcher.
- Pin vite ^7.1.12: the lockfile regen floated root vitest to 4.1.10, whose
vite peer wrongly resolved to 5.x and broke the test runner. Pinning vite 7
restores the vitest 4 + vite 7 pairing the old lockfile had.
Verified: pnpm build (8/8), typecheck (6/6), test (1819 passed), and
`pnpm install --frozen-lockfile` all pass under pnpm 10.34.5.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The Release job failed at
changeset publish:Both
@prosdevlab/dev-agent@0.13.0and@prosdevlab/kero@1.0.0failed to publish. The version bump was already committed — only the npm push failed.Root cause
The workflow uses npm OIDC trusted publishing (no
NPM_TOKEN), which requires npm >=11.5.1 — CI installs it vianpm install -g npm@latest.changeset publishrunspnpm publish --no-git-checks, but pnpm 8.15.4 is not OIDC-aware: its publish path delegates to thenpmbinary and leaks the pnpm-only--no-git-checksflag through to npm 11, which rejects it. Every package fails.Fix
packageManager->pnpm@10.34.5--no-git-checkscorrectly. Stays on 10.x — pnpm 11 has an OIDC regression (pnpm#11513).pnpm-lock.yaml(v6.0 -> 9.0)onlyBuiltDependencies: [@parcel/watcher, esbuild]inpnpm-workspace.yamlvite ^7.1.12(root devDep)vitestto 4.1.10, whosevitepeer wrongly resolved to 5.x and broke the test runner. The pin restores the vitest 4 + vite 7 pairing the old lockfile had. Load-bearing — removing it re-breakspnpm test.release.ymlneeds no change —pnpm/action-setup@v5reads thepackageManagerfield.Verification (all under pnpm 10.34.5)
pnpm build— 8/8pnpm typecheck— 6/6pnpm test— 1819 passed, 39 skippedpnpm install --frozen-lockfile— CI parityMerge gate
OIDC has no
NPM_TOKENfallback. Before merging, confirm a trusted publisher is configured on npmjs.com for BOTH published packages (@prosdevlab/dev-agentand@prosdevlab/kero), each pointing at this repo +release.yml. If either is missing, that package's publish fails at release time with no fallback.Optional follow-ups (not in this PR)
release.yml:npm install -g npm@^11.5.1instead of@latest, so a future npm major can't change OIDC/CLI behavior non-deterministically.🤖 Generated with Claude Code