fix(ci): bump CI Node.js to 24 to restore npm 11 trusted publishing#2414
Node 22.22.x ships npm 10.9.7, which lacks the OIDC trusted-publishing support added in npm 11.5+. Without npm 11 the publish step silently falls back to bearer-token auth, and the registry returns HTTP 404 (its masked-403 response) - which is what blocked @finos/calm-cli@1.39.0 from publishing on 2026-05-02. The previous remediation in finos#2397 removed the broken `npm install -g npm@11` self-upgrade step on the assumption it was unnecessary. It is necessary - just unstable on Node 22 where the self-upgrade crashes with `Cannot find module 'promise-retry'`. Node 24 ships npm 11 in-the-box, fixing trusted publishing without resurrecting the brittle self-upgrade step. While here, normalize the mix of `v22`, `22`, `'22'`, and `['22.x']` forms across the 21 workflow files to a single `node-version: 24` (matrix entry kept as `['24.x']`). Root package.json already declares `^22.14.0 || >=24.10.0`, so no engines change is required.
Pull request overview
Updates the repository’s GitHub Actions workflows to run on Node.js 24 instead of Node.js 22, primarily to restore npm Trusted Publishing (OIDC) behavior by ensuring a sufficiently new bundled npm is available during release/publish jobs.
Changes:
- Bumped `actions/setup-node` inputs across CI workflows from Node 22 → Node 24.
- Normalized the various Node version formats used in workflows (e.g., `v22`, `'22'`, `22.x`) to a consistent Node 24 style (keeping matrices as `24.x` where used).
- Updated the automated release workflows (CLI + CALM Server + CALM Studio) to use Node 24 for their build/publish paths.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/validate-spectral.yml | Runs Spectral validation under Node 24. |
| .github/workflows/validate-renovate.yml | Runs Renovate config validation under Node 24. |
| .github/workflows/validate-lockfile.yml | Runs lockfile platform validation under Node 24. |
| .github/workflows/s3-docs-sync.yml | Uses Node 24 for docs build/sync job environment. |
| .github/workflows/license-scanning-node.yml | Updates the Node matrix from 22.x to 24.x for license scanning. |
| .github/workflows/cve-scanning-node.yml | Uses Node 24 for node-based CVE scanning/build step. |
| .github/workflows/build-vscode-extension.yml | Builds/packages/publishes the VS Code extension under Node 24. |
| .github/workflows/build-shared.yml | Builds/tests shared workspace under Node 24. |
| .github/workflows/build-docs.yml | Builds docs workspace under Node 24. |
| .github/workflows/build-cli.yml | Builds/tests CLI workspace under Node 24. |
| .github/workflows/build-calm-widgets.yml | Builds/tests calm-widgets workspace under Node 24. |
| .github/workflows/build-calm-studio.yml | Builds/lints/tests + E2E for CALM Studio under Node 24. |
| .github/workflows/build-calm-studio-desktop.yml | Desktop build jobs for CALM Studio under Node 24. |
| .github/workflows/build-calm-server.yml | Builds/tests CALM Server under Node 24. |
| .github/workflows/build-calm-models.yml | Builds/tests calm-models under Node 24. |
| .github/workflows/build-calm-hub-ui.yml | Builds/tests calm-hub-ui under Node 24. |
| .github/workflows/build-calm-guard.yml | Builds/tests calm-guard under Node 24. |
| .github/workflows/build-and-sync-advent.yml | Uses Node 24 for Advent-of-CALM build/sync workflow. |
| .github/workflows/automated-release.yml | CLI automated release/publish workflow now runs Node 24 throughout. |
| .github/workflows/automated-release-calm-studio.yml | CALM Studio automated release workflow now runs Node 24. |
| .github/workflows/automated-release-calm-server.yml | CALM Server automated release/publish workflow now runs Node 24 throughout. |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | ||
| with: | ||
| node-version: 22 | ||
| node-version: 24 |
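Review bot: the changed line `node-version: 24` carries no minor floor, while the PR body puts the OIDC requirement at npm 11.5+ and the root package.json engines field at `>=24.10.0`; a runner whose toolcache resolves `24` to an earlier 24.x would quietly reintroduce the bearer-token fallback this PR exists to remove, with the same masked-403 as 1.39.0. Consider `node-version-file: package.json` (setup-node reads `engines.node` from it) or an explicit `node-version: 24.10` so CI and the engines declaration cannot drift, or at minimum a step in the publish jobs that fails when `npm --version` is below 11.5.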
Thanks - acknowledged but not making the change.
actions/setup-node@v6 with node-version: 24 resolves to the latest 24.x in the GitHub-hosted runner toolcache, which on ubuntu-latest is well above 24.10 today. There is no realistic resolution path to an earlier 24.x minor on hosted runners. Node 24.0.0 already shipped with npm 11.3 and 24.10 ships npm 11.5+, so Trusted Publishing is satisfied at the floor regardless.
Pinning only the publish jobs to 24.10.x would also create a drift between the publish toolchain and the build/test toolchain that produces the artifact we publish, which feels worse than the theoretical reproducibility win.
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | ||
| with: | ||
| node-version: 22 | ||
| node-version: 24 |
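Review bot: same change as the other automated-release hunk, and beyond what `24` resolves to, the publish path still has no fail-fast guard: the 1.39.0 failure surfaced only as a registry 404 after a silent auth downgrade. Suggest a step before `npm publish` that asserts the bundled npm meets the 11.5 floor named in the PR body and that the job has `permissions: id-token: write` (without it npm cannot obtain the OIDC token at all), so any future regression stops the job with a clear message rather than at the registry.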
Thanks - acknowledged but not making the change.
actions/setup-node@v6 with node-version: 24 resolves to the latest 24.x in the GitHub-hosted runner toolcache, which on ubuntu-latest is well above 24.10 today. There is no realistic resolution path to an earlier 24.x minor on hosted runners. Node 24.0.0 already shipped with npm 11.3 and 24.10 ships npm 11.5+, so Trusted Publishing is satisfied at the floor regardless.
Pinning only the publish jobs to 24.10.x would also create a drift between the publish toolchain and the build/test toolchain that produces the artifact we publish, which feels worse than the theoretical reproducibility win.
@markscott-ms can you please take a look if you get a min
Renovate's hosted runner uses npm 10 by default, which raises EOVERRIDE when re-resolving the workspace tree against the dompurify override (`^3.4.0`) and other caret-range overrides. The lockfile regen step then aborts and Renovate ships package.json updates with a stale package-lock.json, breaking every npm-based CI job on the resulting PR. npm 11.5+ handles the same overrides scenario without erroring. Adding `packageManager: npm@11.12.1` is the standard Corepack-honored signal to pick a specific npm; Renovate respects it, and it also pins local dev and any non-explicit CI step onto the same npm so all three stay aligned. Closes #2415. Sequenced after #2414 (CI Node 24 / npm 11).
Description
Bumps the Node.js version pinned in every CI workflow from 22 to 24 to restore npm Trusted Publishing (OIDC), which has been silently broken since #2397 was merged.
Root cause
`@finos/calm-cli@1.39.0` did not publish to npm on 2026-05-02 (run 25255770432). The `Publish to NPM` step failed with:
This is npm's masked-403 response when the auth identity is not authorized to publish a scoped package. Querying the registry confirms the last successful publish (1.37.0, 2026-04-01) used Trusted Publishing rather than the bearer token:
OIDC trusted publishing requires npm 11.5+. Node 22.22.x ships npm 10.9.7, so since #2397 removed the `npm install -g npm@11` step the publish job has been quietly falling back to bearer-token auth.
Why Node 24 (not re-add the global upgrade)
The `npm install -g npm@11` step was removed in #2397 because it crashed mid-install on Node 22 with `Cannot find module 'promise-retry'` - a known regression in npm 10.9.7's self-upgrade path. Reintroducing it would flip back to the previously-broken state. Node 24 ships npm 11 in-the-box, ending the cycle.
Other notes:
- `package.json` already declares `node: "^22.14.0 || >=24.10.0"`, so no engines change is required.
- Other workspaces (`docs`, `calm-suite/calm-studio`, `calm-suite/calm-studio/docs-site`, `calm-suite/calm-guard/docs`) all accept `>=20`.
Normalization
While here, the mix of `node-version: v22`, `22`, `'22'`, and `['22.x']` across 21 workflow files has been normalized to a single `node-version: 24` (matrix entry kept as `['24.x']`).
Type of Change
Affected Components
Testing
CI on this PR will exercise every affected workflow. To fully verify the publish path, after merge the next `cli-v1.x.x` release run should show `_npmUser: GitHub Actions <npm-oidc-no-reply@github.com>` again on the published version. Recommend cutting `cli-v1.39.1` to re-exercise the path - the `cli-v1.39.0` git tag and GitHub Release already exist (publish silently dropped at the npm step), and a patch release is cleaner than retrofit-publishing the same version.
Checklist
Related
Re-fixes #2397 (the previous fix's premise that the global npm 11 upgrade was unnecessary turned out to be incorrect).
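The root-cause section above describes a failure that only became visible at the registry: npm below 11.5 silently fell back to bearer-token auth and the publish died with a masked 403. The companion change in #2415 adds a `packageManager: npm@…` field as the Corepack signal for the expected npm. The following POSIX shell script is an added example, not code from the calm repository or from either PR: it turns both facts into a fail-fast check a publish job can run before `npm publish`, comparing the running npm against the 11.5 floor the PR body states (the constant `NPM_OIDC_FLOOR` is taken from that text) and optionally against the `packageManager` field. The `check-npm.sh` file name, the package.json path and the sample package.json content are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example, not part of the calm repository: fail a CI publish job loudly
# when the bundled npm cannot do OIDC trusted publishing, instead of letting
# `npm publish` fall back to bearer-token auth and die at the registry.

# Trusted-publishing floor as stated in the PR body (assumption: 11.5.0).
NPM_OIDC_FLOOR=11.5.0

# field VERSION N -> the Nth dot-separated numeric component of VERSION.
# Pre-release/build suffixes are dropped; missing components read as 0.
field() {
    v=${1%%[-+]*}.0.0                      # "11.5-pre.1" -> "11.5.0.0"
    printf '%s' "$v" | cut -d. -f"$2" | tr -cd '0-9'
}

# version_ge A B -> exit 0 when dotted version A >= B (major.minor.patch).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(field "$1" "$i")
        b=$(field "$2" "$i")
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# npm_supports_oidc VERSION -> exit 0 when VERSION meets the floor.
npm_supports_oidc() {
    version_ge "$1" "$NPM_OIDC_FLOOR"
}

# package_manager_npm_version FILE -> the X in "packageManager": "npm@X",
# or nothing when the field is absent (no jq dependency on the runner).
package_manager_npm_version() {
    sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"npm@\([^"]*\)".*/\1/p' "$1"
}

# check_publish_toolchain NPM_VERSION [PACKAGE_JSON] -> 0 when the toolchain
# is safe to publish with; 1 with a reason on stderr otherwise.
check_publish_toolchain() {
    if ! npm_supports_oidc "$1"; then
        echo "npm $1 is below $NPM_OIDC_FLOOR: publish would fall back to bearer-token auth" >&2
        return 1
    fi
    if [ -n "$2" ]; then
        want=$(package_manager_npm_version "$2")
        if [ -n "$want" ] && [ "$want" != "$1" ]; then
            echo "npm $1 does not match packageManager npm@$want in $2" >&2
            return 1
        fi
    fi
    echo "npm $1 meets the trusted-publishing floor ($NPM_OIDC_FLOOR)"
    return 0
}

# Assumed wiring in a workflow step before `npm publish` (not the repo's own):
#   run: . ./check-npm.sh && check_publish_toolchain "$(npm --version)" package.json
```

Because the step exits non-zero before `npm publish` runs, a future regression in the resolved Node/npm pair stops the release job with a readable reason rather than a registry 404, and the optional `packageManager` comparison catches the case where CI and Corepack disagree about which npm is expected.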