Problem deploying to Oxygen using the Shopify Github action

I have reproduced the issue on the latest CLI version.

Yes, I am on the latest version

I have searched existing posts and this report is not a duplicate.

Yes, this isn’t a duplicate

In which of these areas are you experiencing a problem?

Hydrogen custom storefront

Expected behavior

Shopify github action should complete successfully and deploy the branch to Oxygen

Actual behavior

The action fails when npx shopify hydrogen deploy runs in the Ubuntu container with: Uncommitted changes detected: M package-lock.json w

Reproduction steps

Our site is built using Hydrogen. When we push a branch to github, an action runs that deploys to an oxygen server hosted by shopify using a github action. The yml file for this action was introduced by a PR opened by Shopify.

The issue we are running into happens during the github action. To clarify, we see this issue on our hosted github web page, in the action, when the action runs, triggered by a git push from my local machine.

This issue happens during the npx shopify hydrogen deploy kicked off by the action/yml - so the deployments are not happening when this occurs. As a result, we do not see any issues on the deployments page

We first noticed this issue on Oct 29 at 2:23 PM PDT. The deployment before that was Oct 28, 12:08 PM PDT which executed successfully.

The solution provided by Shopify support so far is to add the force flag to our yml file on line 38:
run: npx shopify hydrogen deploy --force

However, we’re not comfortable using this in production as it bypasses safety checks.

We also tried adding a --no-lockfile-check flag instead of –force; but, this did not resolve the issue.

I’m not aware of any code changes that triggered this issue. I tested that by going back to a branch from a few days before this that deployed successfully at that time. Upon rerunning the job, the issue occurred again despite having no code changes in the branch. I have included the debug log from that below.

The package-lock file is not included in these PRs and there are no changes to it that I am aware of. I do not see any uncommitted changes in github and I don’t think our current ecosystem allows uncommitted changes to be pushed. However, to help rule out issues with our lockfile, I have tried adding a space to it, committing and deploying. But forcing a commit in this way does not resolve the issue.

Verbose output

##[debug]Evaluating: secrets.OXYGEN_DEPLOYMENT_TOKEN_1000003613

##[debug]Evaluating Index:

##[debug]..Evaluating secrets:

##[debug]..=> Object

##[debug]..Evaluating String:

##[debug]..=> ‘OXYGEN_DEPLOYMENT_TOKEN_1000003613’

##[debug]=> ‘***’

##[debug]Result: ‘***’

##[debug]Evaluating condition for step: ‘Build and Publish to Oxygen’

##[debug]Evaluating: success()

##[debug]Evaluating success:

##[debug]=> true

##[debug]Result: true

##[debug]Starting: Build and Publish to Oxygen

##[debug]Loading inputs

##[debug]Loading env

Run npx shopify hydrogen deploy

##[debug]/usr/bin/bash -e /home/runner/work/_temp/da303b35-b05d-4041-89a3-ec43e6a01614.sh

╭─ error ──────────────────────────────────────────────────────────────────────╮

│ │

│ Uncommitted changes detected: │

│ │

│ M package-lock.json │

│ │

│ Next steps │

│ • Commit your changes before deploying or use the --force flag to │

│ deploy with uncommitted changes. │

│ • If you are using npm, try running npm ci to avoid changes to │

│ package-lock.json. │

│ │

╰──────────────────────────────────────────────────────────────────────────────╯

Error: Process completed with exit code 1.

##[debug]Finishing: Build and Publish to Oxygen

Operating system

OSX Tahoe 26.0.1

CLI version

3.86.1

Shell

zsh

Nodejs version

v22.12.0

What language and version are you using in your application?

Typescript 5.8.3 | React 18.2.0 | Hydrogen 2025.5.0

I’m encountering this issue too (discovered on the same day this post was added).
Same error exactly.

I’m on a much older version of everything - so I guess we can rule that out (not sure about node/npm will have to check). 2024.7.x for the hydrogen part (I know, I know).

Last publish was 27 days ago and has worked flawless almost every time until now - so I can’t tell you exactly how recently the issue came about.

All that’s changed locally was that I added a carousel to my package.json but that’s the only difference from the last publish.

I’ve tried changing package-lock.json (version number) and then back again to check in. But it’s clearly checked into the code as I can read the updated package-lock file in GitHub code - so it IS checked in.

Therefore the error message doesn’t make sense as the file is checked in i.e. not modified.

It must be on the Shopify side because it’s during the deployment via GitHub / their servers.

I’ve been relying on package-lock to maintain specific versions for deployments which means I don’t have the option to force. Upgrading site in January but not just before Christmas (for obvious reasons).

I’ve been working on a great new feature with 3D previews and everything and I’m super keen to get it published asap - but as of this moment, I can’t publish.

Please let me know if you find a fix

Dan.

You might also wish to log an issue on the Hydrogen GitHub page - Shopify devs are there and they are far more responsive than on this community site…

Dan.

1. Thank you Dan, I took the following steps:
2. On the github page, I clicked on “new issue”
3. On the modal window, I clicked on “bug report”
4. That took me to community.shopify.dev
5. I created the current issue here

Please LMK if you have had a different experience

Hi Dan

Sorry to hear you’re running into the issue as well.

One thing we noticed is that the –force flag documentation indicates that it only bypasses uncommitted files. That said, the risk of uncommitted files created by deployment or future effects under a generic flag name like “force” remain a concern.

I’ll keep you updated on any additional learnings we get.

Hey @Mark_Laramee , sorry for the late reply. I want to get a little more information on this since it’s a little weird that you aren’t running into it locally. Can you confirm the results of the following scenarios so we can debug this further?

Scenario 1: What happens on local environment

• In your local machine, delete your package-lock.json and do npm i
• If you don’t generate the same package-lock as before, there may be some uncommitted changes that you should merge in

Scenario 2: Do you have the workflow do npm i?

• Check to make sure the workflow file for GitHub in your repo isn’t doing npm i and is doing npm ci

Scenario 3: Do you have a private npm registry?

• There has been issues previously with some users where they were using a private registry (usually one provided by the company) to fetch npm libraries.
• One way to test this out is to see what package-json.lock actually looks like by adding an extra step into the workflow file:

  •       - name: Run git diff
            run: git diff package-lock.json
    

• See what got changed and let me know

Hi Alok,

Thanks for taking some time to look into this issue. Adding the git diff into the yml file was extremely helpful advice. (Just a note: we don’t have our own npm registry.)

One thing I surfaced was that the npm versions were mismatched. I changed locally to 11.6.1 which is the version the container is running. After that, it did generate a different lock file. However, the issue still exists. Possibly due to other configuration mismatches.

I did a sanity check by deleting the lock file again and even doing a fresh repo install. No subsequent lock file changes and the deployment issue still exists. I’m continuing to look into resolutions for these differences including checking our 3rd party modules. If you have any further insights they’d be greatly appreciated.

Here is the latest output of the git diff:
diff --git a/package-lock.json b/package-lock.json
index 791c4d1..eb13c92 100644
— a/package-lock.json
+++ b/package-lock.json
@@ -2214,24 +2214,6 @@
“node”: “^14.17.0 || ^16.13.0 || >=18.0.0”
}
},

• “node_modules/@parcel/watcher-darwin-x64”: {
• “version”: “2.5.1”,
• “cpu”: [
• “x64”
• ],
• “license”: “MIT”,
• “optional”: true,
• “os”: [
• “darwin”
• ],
• “engines”: {
• “node”: “>= 10.0.0”
• },
• “funding”: {
• “type”: “opencollective”,
• “url”: “https://opencollective.com/parcel”
• }
• },
  “node_modules/@peculiar/asn1-schema”: {
  “version”: “2.5.0”,
  “dev”: true,
  @@ -3665,7 +3647,7 @@
  },
  “node_modules/braces”: {
  “version”: “3.0.3”,
• “devOptional”: true,

• “dev”: true,
  “license”: “MIT”,
  “dependencies”: {
  “fill-range”: “^7.1.1”
  @@ -4395,17 +4377,6 @@
  “node”: “>=8”
  }
  },

• “node_modules/detect-libc”: {
• “version”: “1.0.3”,
  “node_modules/micromatch”: {
  “version”: “4.0.8”,
• “devOptional”: true,

• “dev”: true,
  “license”: “MIT”,
  “dependencies”: {
  “braces”: “^3.0.3”,
  @@ -7495,11 +7466,6 @@
  “tslib”: “^2.0.3”
  }
  },

• “node_modules/node-addon-api”: {
• “version”: “7.1.1”,
• “license”: “MIT”,
• “optional”: true
• },
  “node_modules/node-domexception”: {
  “version”: “1.0.0”,
  “dev”: true,
  @@ -8109,7 +8075,7 @@
  },
  “node_modules/picomatch”: {
  “version”: “2.3.1”,
• “devOptional”: true,

• “dev”: true,
  “license”: “MIT”,
  “engines”: {
  “node”: “>=8.6”
  @@ -9519,7 +9485,7 @@
  },
  “node_modules/to-regex-range”: {
  “version”: “5.0.1”,

• “devOptional”: true,

• “dev”: true,
  “license”: “MIT”,
  “dependencies”: {
  “is-number”: “^7.0.0”

Hey @Mark_Laramee to verify one more time, can you check Scenario 2. I have a strong suspicion that you are running npm i or npm install under “Install dependencies” section instead of npm ci.

npm install: installs all packages but also updates the package-lock

npm ci: installs packages as per package-lock when provided, but never changes it

This workflow file is probably out of date, if you want to see what a new workflow file looks like, create a new hydrogen repo using npx shopify hydrogen init and check it out.

If you made modifications to the workflow file, it may be the reason why it was not updated automatically.

Thanks Alok,

I updated the yml file to change npm install to npm ci. This is the output I got during deploy:

Run npm ci

added 894 packages, and audited 895 packages in 26s

205 packages are looking for funding
run npm fund for details

5 moderate severity vulnerabilities

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

Run npx shopify hydrogen deploy
Building project…
Build failed with: Build function failed with error: Error: Cannot find module @rollup/rollup-linux-x64-gnu. npm has a bug related to optional dependencies (https://github.com/npm/cli/issues/4828). Please try npm i again after removing both package-lock.json and node_modules directory., cancelling build.
╭─ error ──────────────────────────────────────────────────────────────────────╮
│ │
│ Build function failed with error: Error: Cannot find module │
│ @rollup/rollup-linux-x64-gnu. npm has a bug related to optional │
│ dependencies (https://github.com/npm/cli/issues/4828). Please try npm i │
│ again after removing both package-lock.json and node_modules directory. │
│ │
│ To investigate the issue, examine this stack trace: │
│ at Error: Build function failed with error: Error: Cannot find module │
│ at (home/runner/work/hydrogen-summersalt/hydrogen-summersalt/node_module │
│ s/@shopify/cli/dist/index.js:202056) │
│ at async createDeploy (home/runner/work/hydrogen-summersalt/hydrogen-sum │
│ mersalt/node_modules/@shopify/cli/dist/index.js:202221) │
│ at async runDeploy (home/runner/work/hydrogen-summersalt/hydrogen-summer │
│ salt/node_modules/@shopify/cli/dist/index.js:202803) │
│ at run (home/runner/work/hydrogen-summersalt/hydrogen-summersalt/node_mo │
│ dules/@shopify/cli/dist/index.js:202523) │
│ at _run (home/runner/work/hydrogen-summersalt/hydrogen-summersalt/node_m │
│ odules/@shopify/cli/dist/chunk-X2YIODUW.js:170583) │
│ at runCommand (home/runner/work/hydrogen-summersalt/hydrogen-summersalt/ │
│ node_modules/@shopify/cli/dist/chunk-X2YIODUW.js:169499) │
│ at run (home/runner/work/hydrogen-summersalt/hydrogen-summersalt/node_mo │
│ dules/@shopify/cli/dist/chunk-X2YIODUW.js:170794) │
│ at async launchCLI (home/runner/work/hydrogen-summersalt/hydrogen-summer │
│ salt/node_modules/@shopify/cli/dist/chunk-HUR6MF6D.js:33) │
│ at async runShopifyCLI (home/runner/work/hydrogen-summersalt/hydrogen-su │
│ mmersalt/node_modules/@shopify/cli/dist/index.js:230289) │
│ │
╰──────────────────────────────────────────────────────────────────────────────╯

Error: Process completed with exit code 1.

@DanAbdn

I think I have a working version. Here are the steps that led to this:

1. Add the following to the Github Action yml file
   • name: npm version
     run: npm --version
   • name: node version
     run: node -v
   • name: Run git diff
     run: git diff package-lock.json
2. Make sure your local versions for node and npm match the Action environment
3. In terminal, run rm -rf node_modules package-lock.json
4. In terminal, run npm install
5. Change npm install in the yml file to the following
   • name: Install dependencies via lockfile
     run: npm ci
6. Once I updated to Node v24.11.0 and npm v11.6.1 I needed to install the following package:

   • npm install --save-dev patch-package

     Once I took those steps, I was able to push the branch to the repo and it deploys to Oxygen successfully.

     I also tried with a fresh repo install using this branch and it worked successfully.

     Thanks again @AlokSwamy for your help with this!