ci: install node deps before release

[austince]

Aaaaand anotha one. Could do caching, but would just like this to work first. Guess this is what happens when we update the CI and release system and don't use it for two years, hah.

Ran the build locally after a clean npm ci install and it succeeded.

https://github.com/chaijs/chai-http/runs/1972788417

[austince]

@keithamus looks like the github token doesn't have enough credentials to push the release. The minimum it needs is repo scope. Getting further though!

https://github.com/chaijs/chai-http/runs/1973616982

[keithamus]

That's weird. It should have the GITHUB_TOKEN generated from actions which has repo scope I believe.

[austince]

Maybe it can't push to the master branch, since it's protected?

[austince]

semantic-release's own CI workflow uses that token, so I'd guess it should work as well: https://github.com/semantic-release/semantic-release/blob/67dfb676bc95e42a59b0fdd85a5e1180118ed1b7/.github/workflows/release.yml#L20-L21

I've got no way currently to check out the branch protections, but that's the only thing I can think to check.

[austince]

Yeah, seems to be that, since we persist build artifacts: https://github.com/semantic-release/semantic-release/blob/master/docs/recipes/github-actions.md#pushing-packagejson-changes-to-a-master-branch

Not sure if you'd like to add a personal access token, as it seems to be a limitation of GH Actions that you can't scope secrets to branches, but we might be able to avoid overriding github_token entirely and just specify a secrets.github_release_token that's only used in the release step. Or you could just run npm run release locally?