Skip to content

fix(ci): remove npm@latest install step that broke audit job#2950

Merged
rinatkhaziev merged 2 commits into
trunkfrom
copilot/fix-verify-signatures-job
Jul 10, 2026
Merged

fix(ci): remove npm@latest install step that broke audit job#2950
rinatkhaziev merged 2 commits into
trunkfrom
copilot/fix-verify-signatures-job

Conversation

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

npm@latest (v12+) dropped npm-shrinkwrap.json support in npm ci, requiring package-lock.json exclusively. Since this repo uses npm-shrinkwrap.json (intentional — publishes lockfile with the package), the "Verify signatures and provenance statements" job was failing.

Changes

  • .github/workflows/ci.yml: Remove npm install -g npm@latest from the audit job — the Node LTS runner ships npm 11.16.0, which supports both npm-shrinkwrap.json and npm audit signatures (available since npm 8.13.0). This aligns the audit job with checks and test, neither of which ever needed this step.

Copilot AI changed the title [WIP] Fix the failing GitHub Actions job 'Verify signatures and provenance statements' fix(ci): remove npm@latest install step that broke audit job Jul 10, 2026
Copilot AI requested a review from rinatkhaziev July 10, 2026 16:04
@rinatkhaziev rinatkhaziev marked this pull request as ready for review July 10, 2026 16:04
@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@rinatkhaziev rinatkhaziev merged commit 82b8c05 into trunk Jul 10, 2026
19 checks passed
@rinatkhaziev rinatkhaziev deleted the copilot/fix-verify-signatures-job branch July 10, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants