From eaf32fd4c84b7603c3064bb3afbab8082dc8cc31 Mon Sep 17 00:00:00 2001 From: Sutu Sebastian Date: Mon, 6 Jul 2026 14:18:18 +0300 Subject: [PATCH] =?UTF-8?q?ci(release):=20use=20setup-node@v6=20tag=20?= =?UTF-8?q?=E2=80=94=20the=20pinned=20SHA=20was=20an=20orphaned=20tag-obje?= =?UTF-8?q?ct=20SHA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pinning to the v6 major tag's commit SHA is fragile: v6 is a moving lightweight tag, and a new v6.x release orphaned/GC'd the commit the SHA pointed to → GitHub Actions couldn't resolve it ("unable to find version 48b55a0…", 422 on direct commit lookup). Use the moving @v6 tag directly (matches oven-sh/setup-bun@v2 precedent in .github/actions/setup); dependabot keeps it current. Trusted-publishing behavior unchanged. --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 54317dd..c86c42d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: # npm 10.x in PATH → `npm publish` can't detect OIDC → ENEEDAUTH. # Node 24 ships npm 11.x; npm then auto-authenticates via OIDC (no token). - name: Setup Node + npm for trusted publishing - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9f7362e8dae4041e # v6 + uses: actions/setup-node@v6 with: node-version: "24" registry-url: "https://registry.npmjs.org"