CI: Fix #831 - Pinned npm version with corepack (#832)

* chore: add `corepack`'s `packageManager` pin for `npm@11.14.1`

* chore: adapt gh actions to `corepack` package manager install

* fix: sync `package-lock.json` versions

* chore: unify `actions/setup-node` version to `v4.4.0`

* chore: update `packageManager` pin to `npm@11.16.0`

* chore: install `corepack@0.35.0` before enabling to fix signature verification errors

* chore: allow `fsevents` install scripts in package configuration

* chore: execute `audit fix` script

* chore: exclude `.claude` from git

* chore: simplify corepack setup and update Node versions in CI workflows

Both workflows now pin Node 22.22.3 — which bundles corepack 0.34.6 carrying both the legacy jl3b… and rotated DhQ8… npm registry keys — and the npm install --global corepack@... workaround steps are no longer needed

Author: oleksandr-danylchenko

.github/workflows/ci-build-test.yml

@@ -20,8 +20,16 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with: 
-          node-version:  ${{ matrix.node-version }}
+        with:
+          node-version: ${{ matrix.node-version }}
+      # setup-node must be called twice to correctly cache corepack-managed npm.
+      # See: https://github.com/actions/setup-node/issues/531#issuecomment-3335630863
+      - name: Enable Corepack
+        shell: bash
+        run: corepack enable npm
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          cache: npm
       - name: Install dependencies
         timeout-minutes: 10
         run: |

.github/workflows/publish-npm.yml

@@ -13,11 +13,18 @@ jobs:
      id-token: write
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-     - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
+     - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
-         node-version: '18.x'
+         node-version: '22'
          registry-url: 'https://registry.npmjs.org'
-     - run: npm install -g npm
+     # setup-node must be called twice to correctly cache corepack-managed npm.
+     # See: https://github.com/actions/setup-node/issues/531#issuecomment-3335630863
+     - name: Enable Corepack
+       shell: bash
+       run: corepack enable npm
+     - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+       with:
+         cache: npm
      - run: npm ci
      - run: npm publish --provenance --access public
        env:

.gitignore

@@ -30,3 +30,6 @@ Icon
 # Files that might appear on external disk
 .Spotlight-V100
 .Trashes
+
+# Agents
+.claude

package-lock.json

@@ -304,5 +304,10 @@
       "type": "github",
       "url": "https://github.com/sponsors/faisalman"
     }
-  ]
+  ],
+  "packageManager": "npm@11.16.0+sha512.03be172fc3b199c7a06433163e459be5b110a6983c1dd6305b7ac10f6b0fa12e1440755a8df6b1064ab2ccb789df0474919fb9c684e322dc57685ede21752ccb",
+  "allowScripts": {
+    "fsevents@2.1.3": true,
+    "fsevents@2.3.2": true
+  }
 }