From df802019269ffc9be1d65c074c13292052c0208a Mon Sep 17 00:00:00 2001
From: Sambhav Aggarwal <4591834+sambhav-aggarwal@users.noreply.github.com>
Date: Sun, 3 May 2026 16:52:48 +0530
Subject: [PATCH] Pin CI Node to 24.14.x for deterministic publishes

Floating 24.x means a future Node 24 minor (which can change the bundled npm) could silently break tag publishes without any repo change. Pin to 24.14 (last known-good for OIDC); allow patch updates within that minor for security fixes. Bump deliberately when needed.
---
 .github/workflows/publish.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index edfd02e..7c78179 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,9 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
 with:
- node-version: 24.x
+ # Pinned to a minor that ships npm >=11.5.1 (required for OIDC
+ # trusted publishing). Bump deliberately, not implicitly via 24.x.
+ node-version: 24.14.x
 cache: npm
 - run: npm ci
 - run: npm run build
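Review bot: The npm floor that the new comment relies on (`npm >=11.5.1`) is documented but never checked, and `node-version: 24.14.x` still lets setup-node resolve a newer patch on each run, so a mismatch would only surface when the publish itself misbehaves. A step right after setup-node that asserts the version would make the requirement enforceable, for example `- run: '[ "$(printf "%s\n" 11.5.1 "$(npm --version)" | sort -V | head -n1)" = 11.5.1 ]'` (this assumes a runner with GNU `sort -V`; the `runs-on` line is outside the hunk). Separately, the context lines `actions/checkout@v4` and `actions/setup-node@v4` are mutable major tags, which leaves the same kind of implicit drift in a job that publishes via OIDC; pinning them to full commit SHAs would match the commit's stated goal. The job's steps continue past the end of the hunk, so the publish step itself is not visible here.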