Update to use latest corepack version with updated npm registry keys

[koodiohto]

Description:

Currently all our GitHub Actions workflows which use actions/setup-node@v4 fail for error:

/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21535
  if (key == null || signature == null) throw new Error(`Cannot find matching keyid: ${JSON.stringify({ signatures, keys })}`);
                                              ^

Error: Cannot find matching keyid: {"signatures":[{"sig":"MEQCIHGqHbvc2zImUPEPFpT4grh6rMYslel+lAjFArx8+RUdAiBfnJA+bgmUvO5Lctfkq+46KKDQdx/8RhLPge3pA+EdHA==","keyid":"SHA256:DhQ8wR5APBvFHLF/+Tc+AYvPOdTpcIDqOhxsBHRwC7U"}],"keys":[{"expires":null,"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","key":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="}]}
    at verifySignature (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:215[35](https://github.com/fortum/global-web/actions/runs/13108856831/job/36568265864?pr=2446#step:4:37):47)
    at fetchLatestStableVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21553:5)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async fetchLatestStableVersion2 (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:21672:14)
    at async Engine.getDefaultVersion (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22292:23)
    at async Engine.executePackageManagerRequest (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:22390:47)
    at async Object.runMain (/usr/local/lib/node_modules/corepack/dist/lib/corepack.cjs:23096:5)

I think the actions/setup-node@v4 should use the latest release version of corepack where the npm registry keys have been updated.

Action version:
v4

Platform:

• Ubuntu

Runner type:

• Hosted

Tools version:

Node.js: 20.18.2
Package Manager: pnpm 9.x

Repro steps:
Use the actions/setup-node@v4 in a GitHub Actions workflow.

Expected behavior:
The setup-node action should install Node.js and configure the package manager without encountering Corepack signature verification errors.

Actual behavior:
The setup-node fails immediately due to Corepack being unable to verify the signature of the npm registry key.

[pi0]

A quick workaround is using below instead of corepack: enable

run: npm i -g --force corepack && corepack enable

[gowridurgad]

Hi @koodiohto,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

[Jason3S]

@gowridurgad,

The workaround: npm i -g --force corepack does not work on Windows runners.

Log: 3_Install.txt

Workaround for windows is to only run on Node 23.x since it has the latest version of corepack.

[HarithaVattikuti]

Hello everyone,

The setup-node action does not handle Corepack directly. Corepack is included with the official Node.js binary.

As Koodiohto correctly mentioned,, Corepack updated npm registry keys in the latest version. The issue appears to be due to Corepack 0.29.4 bundled with Node.js 20.18.2, which doesn't include the updated npm registry keys. The relevant issue in nodejs/corepack might be worth following for any updates from the node.js team.

To fix this issue we recommend using the latest Node.js versions if possible. Alternatively, as a potential workaround, you can use the pnpm/action-setup action before the actions/setup-node step to manage your package manager setup as shown below:

- uses: pnpm/action-setup@v4
  with:
    version: 9
- name: Setup Node.js
  uses: actions/[email protected]
  with:
    node-version: '20.18.2'

Hope this helps!

Please feel free to reach out in case of further concerns.

Thankyou!