@ryanbas21 ryanbas21 commented Sep 24, 2025

JIRA Ticket

N/A

Description

Ok, have to force npm cli because it was defaulting to v10 and it needs to be 11.5.1 or >

https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow

Summary by CodeRabbit

  • Chores
    • CI workflows now update npm to the latest version before installing dependencies in both publish and snapshot pipelines. This pre-install step improves build consistency and release reliability across environments.
    • No changes to application behavior or public APIs. End users see no functional differences.
    • No action required for users; this is an internal build process enhancement.


changeset-bot bot commented Sep 24, 2025

⚠️ No Changeset found

Latest commit: d4d62eb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Sep 24, 2025

Walkthrough

Adds a pre-install “Update npm” step (npm install -g npm@latest) to two jobs in .github/workflows/publish.yml, placing it before pnpm install in both the publish-or-pr and snapshot flows.

Changes

Cohort / File(s) | Summary
CI workflow: publish pipeline adjustments (.github/workflows/publish.yml) | Inserted a new step “Update npm” (npm install -g npm@latest) in two jobs, executed prior to pnpm install, affecting both publish-or-pr and snapshot job sequences.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Commit/PR
    participant GH as GitHub Actions
    participant Runner as Job Runner
    participant NPM as npm
    participant PNPM as pnpm

    Dev->>GH: Trigger publish-or-pr / snapshot
    GH->>Runner: Start job
    rect rgba(230,240,255,0.5)
      note right of Runner: Pre-install phase (changed)
      Runner->>NPM: npm install -g npm@latest
    end
    Runner->>PNPM: pnpm install
    Runner->>Runner: Build / Test / Publish
    Runner-->>GH: Job result

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • ci: use-trusted-publishers #418 — Also modifies CI publish workflows, restructuring publish jobs into a reusable trusted-publish workflow; related to changes in the same workflow area.

Suggested reviewers

  • cerebrl
  • ancheetah

Poem

I hop through YAML fields at night,
Nudging npm to latest height.
Before pnpm begins its run,
I flip a switch—pre-install done.
CI burrows smooth and tight,
Ship the bits—carrots in sight! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Title Check | ✅ Passed | The title "ci: update-npm-cli" is concise and accurately summarizes the primary change — updating the npm CLI in the CI workflow files — and is specific enough for teammates scanning history to understand the main intent.
Description Check | ✅ Passed | The PR description follows the repository template by providing a JIRA Ticket field and a Description that explains why the npm CLI version is being forced and includes a relevant docs link, making the intent clear; it does not, however, explicitly state whether a changeset was added or include testing/impact notes.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.


nx-cloud bot commented Sep 24, 2025

View your CI Pipeline Execution ↗ for commit d4d62eb

Command | Status | Duration | Result
nx run-many -t build | ✅ Succeeded | <1s | View ↗
nx affected -t build typecheck lint test e2e-ci | ✅ Succeeded | 6m 36s | View ↗
nx-cloud record -- nx format:check | ✅ Succeeded | 1s | View ↗

☁️ Nx Cloud last updated this comment at 2025-09-24 16:28:44 UTC


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

185-187: Repeat the version pin and guard here for consistency and stability.

Mirror the same change in the snapshot job to avoid drift and surprises from latest.

Apply this diff:

-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm
+        run: npm install -g npm@^11.5.1

Optionally add the same “Verify npm version” step here as well.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b34a61a and d4d62eb.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: pr
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

60-62: Pin npm to a safe range and enable provenance for the publish path.

  • Replace floating npm@latest in .github/workflows/publish.yml (lines 60–62) with a pinned, compatible range and add a guard. Apply:
-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm
+        run: npm install -g npm@^11.5.1
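
Review bot: the `Update npm` step name does not record why 11.5.1 is the floor. Add a YAML comment above the step saying that trusted publishing needs npm 11.5.1 or newer, with the docs link from the PR description, so the step is not dropped or downgraded in a later cleanup of the publish job.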
  • Optional CI check to enforce minimum npm:
- name: Verify npm version
  run: |
    required=11.5.1
    current=$(npm -v)
    if [ "$(printf '%s\n' "$required" "$current" | sort -V | head -n1)" != "$required" ]; then
      echo "npm $current is less than required $required"
      exit 1
    fi
  • Found: package.json:18 contains ci:release: pnpm publish -r --no-git-checks && changeset tag. No occurrences of provenance were found in the repo output — ensure provenance is enabled for your publish flow (pnpm/changesets or npm via flags or publishConfig.provenance in package.json).
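
The pinning advice in this review can be checked mechanically. The script below is an added example, not code from this PR or the project: it scans workflow text for `npm install -g npm@<spec>` steps and labels each spec as a dist-tag, a range, or an exact version measured against the 11.5.1 floor from the PR description. The sample workflow is constructed, the function names are hypothetical, and specs are assumed to be dist-tags, semver ranges or plain x.y.z versions.

```shell
MIN_NPM=11.5.1   # floor stated in the PR description

# version_ge A B: true when A >= B (GNU sort -V, as in the guard step above)
version_ge() {
  [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# classify_spec SPEC: prints floating-tag, range, pinned-ok or pinned-too-old
classify_spec() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    if version_ge "$1" "$MIN_NPM"; then echo pinned-ok; else echo pinned-too-old; fi
  elif printf '%s\n' "$1" | grep -Eq '^[0-9^~<>=*]'; then
    echo range          # e.g. ^11.5.1 resolves to the newest 11.x at run time
  else
    echo floating-tag   # dist-tags such as latest move with every release
  fi
}

# audit_workflow: workflow text on stdin; returns 1 unless every npm self-update is pinned-ok
audit_workflow() {
  matches=$(grep -nE 'npm install -g npm@' || true)
  rc=0; [ -n "$matches" ] || return 0
  while IFS=: read -r lineno text; do
    spec=$(printf '%s\n' "$text" | sed -E 's/.*npm@([^[:space:]]+).*/\1/')
    verdict=$(classify_spec "$spec")
    echo "line $lineno: npm@$spec -> $verdict"
    [ "$verdict" = pinned-ok ] || rc=1
  done <<EOF
$matches
EOF
  return "$rc"
}

# Constructed sample: the two jobs named on the page, one spec each.
sample_workflow() {
  cat <<'EOF'
jobs:
  publish-or-pr:
    steps:
      - name: Update npm
        run: npm install -g npm@latest
  snapshot:
    steps:
      - name: Update npm
        run: npm install -g npm@^11.5.1
EOF
}

sample_workflow | audit_workflow || echo "unpinned npm CLI install found"
```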

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.19%. Comparing base (cec2065) to head (d4d62eb).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #421   +/-   ##
=======================================
  Coverage   56.19%   56.19%           
=======================================
  Files          32       32           
  Lines        2091     2091           
  Branches      353      353           
=======================================
  Hits         1175     1175           
  Misses        916      916           

Contributor

Deployed a5d7d76 to https://ForgeRock.github.io/ping-javascript-sdk/pr-421/a5d7d76dc7ee86c709c6966870a63ed0ca54da8d branch gh-pages in ForgeRock/ping-javascript-sdk

Contributor

📦 Bundle Size Analysis

➖ No Changes

@forgerock/davinci-client - 34.5 KB
@forgerock/sdk-utilities - 4.0 KB
@forgerock/device-client - 9.2 KB
@forgerock/sdk-types - 5.9 KB
@forgerock/protect - 150.1 KB
@forgerock/sdk-oidc - 2.5 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/storage - 1.4 KB
@forgerock/sdk-request-middleware - 4.4 KB
@forgerock/iframe-manager - 2.4 KB
@forgerock/oidc-client - 23.1 KB


11 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

@ryanbas21 ryanbas21 merged commit 96c7d4a into main Sep 24, 2025
4 checks passed
@ryanbas21 ryanbas21 deleted the use-trusted-publishers branch September 24, 2025 16:31