From 2866f7a8574f5b33a29f31c732f85d32a4761c6a Mon Sep 17 00:00:00 2001
From: Simon Davies <simongdavies@users.noreply.github.com>
Date: Thu, 23 Apr 2026 18:02:31 +0100
Subject: [PATCH] fix npm install

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>
---
 .github/workflows/publish.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1598462..b681b52 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -188,8 +188,16 @@ jobs:
 
       # Trusted publishing requires npm >=11.5.1 for OIDC token exchange.
       # Pin to ^11.5.1 so we don't silently get an older 11.x that lacks OIDC.
+      #
+      # Bootstrap via `npx` rather than `npm install -g npm@...` — the latter
+      # hits a long-standing npm self-upgrade bug (reproduces on github-hosted
+      # runners too) where mid-reify npm unlinks its own `promise-retry` dep
+      # and dies with MODULE_NOT_FOUND. Using a fresh npx-fetched npm to
+      # install itself globally sidesteps the half-upgraded state entirely.
       - name: Upgrade npm for trusted publishing
-        run: npm install -g npm@^11.5.1 && npm --version
+        run: |
+          npx --yes npm@^11.5.1 install -g --force npm@^11.5.1
+          npm --version
 
       - name: Download npm tarball
         uses: actions/download-artifact@v8