
fix: update npm before npm ci in CI workflows#427

Merged
a-oren merged 1 commit into guacsec:main from a-oren:fix/ci-npm-version
Mar 24, 2026

Conversation

Contributor

@a-oren a-oren commented Mar 24, 2026

Description

The npm bundled with Node 24 (and now Node 22) has a bug where it passes conflicting --prefer-offline and --prefer-online flags internally when installing git dependencies, causing npm ci to fail.

This pins npm to 11.11.1 (last known working version) across all CI workflows before running npm ci.

Related issues (if any):

  • fixes: #issue_number_goes_here

Checklist

  • I have followed this repository's contributing guidelines.
  • I will adhere to the project's code of conduct.

Additional information

Anything else?

@a-oren a-oren requested a review from ruromero March 24, 2026 08:33

Review Summary by Qodo

Update npm before npm ci in CI workflows

🐞 Bug fix


Walkthroughs

Description
• Add npm version update step before npm ci in three CI workflows
• Resolves npm bug with conflicting --prefer-offline and --prefer-online flags
• Ensures consistent npm version across all CI pipeline stages
• Extends existing workaround from publish.yml to test, release, and push-to-registry workflows
Diagram
flowchart LR
  A["CI Workflows"] --> B["Setup Node 24"]
  B --> C["Install latest npm"]
  C --> D["npm ci"]
  D --> E["Build/Test/Deploy"]


File Changes

1. .github/workflows/push-to-registry.yml 🐞 Bug fix +3/-0

Add npm update step to push-to-registry workflow

• Added step to install latest npm before npm ci
• Placed after node setup and before project module installation
• Prevents npm dependency resolution failures with git dependencies


2. .github/workflows/release.yml 🐞 Bug fix +3/-0

Add npm update step to release workflow

• Added step to install latest npm before npm ci
• Placed after version bumping and before project module installation
• Ensures release workflow uses compatible npm version


3. .github/workflows/test.yml 🐞 Bug fix +3/-0

Add npm update step to test workflow

• Added step to install latest npm before npm ci
• Placed after skopeo setup and before project module installation
• Prevents test workflow failures due to npm version bug




qodo-code-review bot commented Mar 24, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0) 📐 Spec deviations (0)


Action required

1. Unpinned npm in CI 🐞 Bug ⛯ Reliability
Description
The workflows install npm@latest, making the npm version non-deterministic between runs so the
same commit can pass/fail depending on when CI executes. This also adds a runtime supply-chain
download of the build toolchain from the public registry without a fixed version.
Code

.github/workflows/test.yml[R82-83]

+      - name: Install latest npm
+        run: npm install -g npm@latest
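Review bot: `npm install -g npm@latest` in this step makes the npm that runs `npm ci` depend on whatever the registry serves at job time, and it contradicts the PR description, which says the change pins npm to 11.11.1. Replace the run line with `run: npm install -g npm@11.11.1` and add `npm --version` on the following line so the job log records which npm actually executed `npm ci`; the `engines.npm` field in package.json is only a lower bound and does not pin the toolchain.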
Evidence
test.yml, release.yml, and push-to-registry.yml now run npm install -g npm@latest before
npm ci, so npm will float as new versions are published. The repo itself does not pin npm to a
specific version (it only sets a lower bound via engines.npm), so CI toolchain reproducibility is
lost.

.github/workflows/test.yml[30-87]
.github/workflows/release.yml[32-57]
.github/workflows/push-to-registry.yml[28-42]
package.json[19-22]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
CI installs `npm@latest`, which changes over time and can break/re-break workflows for the same commit.

### Issue Context
These workflows run `npm ci` and rely on npm behavior for lockfile + git dependencies. The repo only has a minimum npm version requirement.

### Fix Focus Areas
- Pin the npm version instead of `latest` (e.g., `npm@11.5.1` or a known-good patch) in:
 - .github/workflows/test.yml[82-86]
 - .github/workflows/release.yml[52-56]
 - .github/workflows/push-to-registry.yml[34-38]
- Optionally print the npm version for traceability right after installation in the same spots (e.g., `npm --version`).




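A pinned form of the step the PR description introduces and the review asks for, written here as an added example rather than the project's actual workflow: it installs the npm version the description names (11.11.1), fails the job if `npm --version` reports anything else, and only then runs `npm ci`. The step names, the `actions/setup-node@v4` usage, the Node version and the job layout are assumptions for illustration.

```yaml
# Added example, not the guacsec workflow itself. The job skeleton, step
# names and Node version are assumptions; 11.11.1 is the npm version the
# PR description names as the last known working one.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 24
          cache: npm

      # Pin npm to an exact version instead of floating on npm@latest, and
      # verify the pin took effect before anything depends on it.
      - name: Pin npm
        env:
          NPM_VERSION: "11.11.1"
        run: |
          npm install -g "npm@${NPM_VERSION}"
          installed="$(npm --version)"
          echo "npm ${installed}"
          if [ "${installed}" != "${NPM_VERSION}" ]; then
            echo "expected npm ${NPM_VERSION}, got ${installed}" >&2
            exit 1
          fi

      # npm ci now runs under a known npm, so a pass or fail on this commit
      # is reproducible regardless of when the job executes.
      - name: Install project modules
        run: npm ci
```

The version check matters because `npm install -g` can silently leave a different npm on `PATH` (for example when the global prefix differs from the one `actions/setup-node` put first); printing and asserting on `npm --version` turns that into a visible, early failure. In the same spirit, the `actions/*` references above are tags for readability; for a release or registry-push workflow, pinning each action to a full commit SHA is the stricter choice.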

@a-oren a-oren force-pushed the fix/ci-npm-version branch from 344e00f to 89b8421 on March 24, 2026 08:37
@a-oren a-oren merged commit 9988076 into guacsec:main Mar 24, 2026
6 checks passed


2 participants