
Trusted Publishing path: npm install -g npm@latest fails on GitHub Actions (MODULE_NOT_FOUND: promise-retry) #19

@SmarterPapa


Summary

When ioBroker/testing-action-deploy@v1 runs the Trusted Publishing / OIDC path (npm-token not set), it executes npm install -g npm@latest before npm publish. On GitHub-hosted runners (ubuntu-latest) with Node 22, that global upgrade fails with:

npm error code MODULE_NOT_FOUND
npm error Cannot find module 'promise-retry'

Adapters that need a reliable CI publish are then forced to pass npm-token, which works (that path skips the global npm upgrade) but triggers ioBroker.repochecker [W3019] (“Trusted publishing will not work while npm-token is set”).

Steps to reproduce

  1. Use a workflow whose deploy job calls ioBroker/testing-action-deploy@v1 without the npm-token input (only github-token, build, node-version, etc.).
  2. Push a version tag so the deploy job runs on ubuntu-latest.
  3. Observe failure in the “Publish package to npm” step when the action runs npm install -g npm@latest.

Evidence

Environment

  • Runner: ubuntu-latest (GitHub-hosted)
  • Node: 22.x via actions/setup-node@v4
  • Bundled npm before upgrade: 10.9.7 (typical for Node 22.22.x on Actions)
  • Action: ioBroker/testing-action-deploy@v1 (composite; publish step from action.yml on master)

Likely upstream relation

This matches broader reports of npm install -g npm@latest failing on Node 22 (missing / broken dependency resolution during self-upgrade), e.g. npm/cli#9151.

Suggested directions (for this action)

Any approach that avoids a broken self-upgrade on GHA would unblock OIDC-only publishes and let adapters drop npm-token (clearing W3019):

  1. Optional input e.g. skip-global-npm-upgrade / npm-cli-version — when Trusted Publishing already works with the runner’s bundled npm, skip npm install -g npm@latest or pin a known-good npm version instead of @latest.
  2. Document the Node/npm matrix where the current bootstrap is known to fail, and recommend npm-token only as a temporary workaround until npm fixes the regression.
  3. Coordinate with npm if the fix belongs in the npm CLI rather than the action.

Impact

  • ioBroker adapter maintainers must choose between a failing OIDC publish or a working token publish + permanent W3019 warning in the repository checker.
  • Security / hygiene: OIDC + Trusted Publishers is preferable to long-lived tokens when it works.

Thank you for maintaining this shared action — happy to help test a fix or provide more logs if needed.


Context: ioBroker.ultrahuman maintainer; repochecker W3019 / PR discussion in ioBroker.repositories#5600.
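The following is an added example, not code from ioBroker/testing-action-deploy or from the issue author. It sketches what suggestion 1 above could look like inside the action's publish step: a small POSIX-sh bootstrap that, on the Trusted Publishing path, leaves the runner's bundled npm alone when it is already new enough and otherwise installs a pinned version instead of resolving @latest. The input names (SKIP_NPM_UPGRADE, NPM_CLI_VERSION, MIN_NPM_FOR_OIDC) are assumed, modelled on the issue's proposal, and the 11.5.1 default minimum is my assumption taken from npm's trusted-publishing documentation, not a value from this issue.

```shell
#!/bin/sh
# Added example, not the action's own code: decide how the publish step should
# bootstrap npm before `npm publish` instead of always running
# `npm install -g npm@latest` on the OIDC path.
#
# Assumed inputs (names modelled on the issue's suggestion, not real action inputs):
#   NPM_TOKEN          the existing npm-token input; non-empty means token publish
#   SKIP_NPM_UPGRADE   "true" to leave the runner's bundled npm untouched
#   NPM_CLI_VERSION    an explicit known-good npm version to pin, e.g. "11.6.0"
#   BUNDLED_NPM        output of `npm --version` on the runner, e.g. "10.9.7"
#   MIN_NPM_FOR_OIDC   lowest npm version acceptable for trusted publishing; the
#                      11.5.1 default is an assumption from npm's docs, not this issue

# version_ge HAVE WANT: succeed when dotted numeric version HAVE >= WANT.
# Missing components count as 0 ("11" == "11.0.0"); pre-release suffixes are
# not handled, so pass plain release versions only.
version_ge() {
    have=$1; want=$2
    old_ifs=$IFS; IFS=.
    set -- $have 0 0 0; h1=$1; h2=$2; h3=$3
    set -- $want 0 0 0; w1=$1; w2=$2; w3=$3
    IFS=$old_ifs
    if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]; return; fi
    if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]; return; fi
    [ "$h3" -ge "$w3" ]
}

# npm_bootstrap_cmd: print the command the publish step should run before
# `npm publish`, or print nothing when the global npm should be left alone.
npm_bootstrap_cmd() {
    min=${MIN_NPM_FOR_OIDC:-11.5.1}
    # Token publish: the action already skips the self-upgrade on this path.
    if [ -n "$NPM_TOKEN" ]; then
        return 0
    fi
    # Explicit opt-out for adapters that know the bundled npm is sufficient.
    if [ "$SKIP_NPM_UPGRADE" = "true" ]; then
        return 0
    fi
    # Bundled npm already meets the minimum: no upgrade, so the self-upgrade
    # failure (MODULE_NOT_FOUND: promise-retry) cannot be hit at all.
    if version_ge "$BUNDLED_NPM" "$min"; then
        return 0
    fi
    # Otherwise install a pinned version; never resolve @latest inside CI.
    echo "npm install -g npm@${NPM_CLI_VERSION:-$min}"
}

# The issue's scenario: OIDC path (no token) on ubuntu-latest with Node 22's
# bundled npm 10.9.7 and no explicit pin configured.
NPM_TOKEN=""; SKIP_NPM_UPGRADE=""; NPM_CLI_VERSION=""; BUNDLED_NPM="10.9.7"
echo "bootstrap: $(npm_bootstrap_cmd)"   # → bootstrap: npm install -g npm@11.5.1
```

In a composite action step this would be driven from an `env:` block and used as `cmd=$(npm_bootstrap_cmd); if [ -n "$cmd" ]; then $cmd; fi` before the publish command. A pinned `npm install -g npm@X` is still a global self-upgrade, so X should be a version that has been verified to install cleanly on the runner image; the point of the example is that the common case (bundled npm already sufficient, or the maintainer opting out) performs no upgrade at all, which is what removes the need for npm-token and the W3019 warning.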
