From dcc171a948aa0eb00a84d1007782d3e8d48ebf13 Mon Sep 17 00:00:00 2001 From: Zoltan Kochan Date: Tue, 12 May 2026 19:31:54 +0200 Subject: [PATCH] chore(ci): migrate workflows to pnpm/setup (#11589) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Migrates CI workflows from `pnpm/action-setup` + manual `pn runtime set node …` + `pn install` to the new combined `pnpm/setup` action (see https://github.com/pnpm/setup/pull/1). `pnpm/setup` installs pnpm and the JS runtime in one step. It also runs `pnpm install` automatically when a `package.json` is present, so per-workflow install steps are dropped. When the `runtime` input is set, the action passes `--no-runtime` to `pnpm install` so the matrix-selected Node version isn't shadowed by a different `devEngines.runtime` pin. ## What changed | Workflow | Migration | |---|---| | `test.yml` | `pnpm/setup` with `runtime: node@${{ inputs.node }}`. Verify-Node step asserts the matrix version stayed active. Verify-npm step retained as canary (npm comes from the runner image, not the pnpm-installed runtime). | | `ci.yml` | `pnpm/setup` (no `runtime` input — `devEngines.runtime` in package.json handles the Node pin). | | `release.yml` | `pnpm/setup` with `runtime: node@26.0.0`. | | `benchmark.yml` | `pnpm/setup` with `runtime: node@26.0.0`. | | `audit.yml` | `pnpm/setup` with `install: false` — audit only needs pnpm itself, not `node_modules`. | | `update-lockfile.yml` | `pnpm/setup` with `install: false` — the job deletes `pnpm-lock.yaml` and regenerates it via `--lockfile-only`, so the action's auto-install would be wasted. | | `update-latest.yml` | Untouched — it only uses npm, no pnpm setup needed. | ## Caveats / things to watch - **npm availability.** `pnpm runtime set node` does not extract npm. The runner image's pre-installed Node toolchain provides `npm` on PATH; if a future runner image change removes that, dlx-style git-hosted dependency tests in `test.yml` will fail. The `Verify npm` step in `test.yml` is the canary. ## Related upstream change - [pnpm/setup#3](https://github.com/pnpm/setup/pull/3) — added the `install` input so callers like `audit.yml` and `update-lockfile.yml` can opt out of the action's auto-install. --- .github/workflows/audit.yml | 4 ++-- .github/workflows/benchmark.yml | 14 +++----------- .github/workflows/ci.yml | 7 +------ .github/workflows/release.yml | 11 +++-------- .github/workflows/test.yml | 20 ++++++++------------ .github/workflows/update-lockfile.yml | 10 ++++------ 6 files changed, 21 insertions(+), 45 deletions(-) diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 43424823d7..5e7a91919c 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -14,8 +14,8 @@ jobs: - name: Checkout Commit uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b with: - standalone: true + install: false - name: Audit run: pn audit diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 47a4fc7512..19d32a560d 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml @@ -46,24 +46,16 @@ jobs: git checkout "origin/pr-${PR_NUMBER}" echo "Checked out PR #$PR_NUMBER at $(git rev-parse --short HEAD)" - - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + - name: Install pnpm and Node + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b with: - standalone: true - - - name: Setup Node - run: pnpm runtime -g set node 26.0.0 - timeout-minutes: 2 + runtime: node@26.0.0 - name: Install hyperfine run: | wget -q https://github.com/sharkdp/hyperfine/releases/download/v1.18.0/hyperfine_1.18.0_amd64.deb sudo dpkg -i hyperfine_1.18.0_amd64.deb - - name: Install dependencies - run: pnpm install - timeout-minutes: 5 - - name: Compile run: pnpm run compile diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b622739376..3c16ef5170 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,12 +19,7 @@ jobs: - name: Checkout Commit uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 - with: - standalone: true - - name: pnpm install - run: pn install - timeout-minutes: 3 + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b - name: Compile TypeScript run: pn compile-only - name: Lint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 65dd07a02d..5a0b1d595d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,15 +22,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + - name: Install pnpm and Node + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b with: - standalone: true - - name: Setup Node - run: pn runtime -g set node 26.0.0 - timeout-minutes: 2 - - name: pnpm install - run: pn install + runtime: node@26.0.0 # The publish phase is split into three sequential steps to control which packages # use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails # out of OIDC as soon as a static `_authToken` is configured, so the only way to diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6c0c4e6195..de7ca00d42 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,19 +30,10 @@ jobs: git config --global user.email "x@y.z" - name: Checkout Commit uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + - name: Install pnpm and Node + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b with: - standalone: true - - name: Setup Node - run: pn runtime -g set node ${{ inputs.node }} - timeout-minutes: 2 - # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests) - - name: Verify npm - run: npm --version - - name: pnpm install - run: pn install --no-runtime - timeout-minutes: 3 + runtime: node@${{ inputs.node }} - name: Verify Node version shell: bash run: | @@ -52,6 +43,11 @@ jobs: echo "Expected Node version $expected but got $actual" exit 1 fi + # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests). + # `pnpm runtime set node` does not extract npm; the runner image's + # pre-installed Node toolchain provides it on PATH. + - name: Verify npm + run: npm --version - name: Download compiled artifacts uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 with: diff --git a/.github/workflows/update-lockfile.yml b/.github/workflows/update-lockfile.yml index 955cc04abe..ff63ebd655 100644 --- a/.github/workflows/update-lockfile.yml +++ b/.github/workflows/update-lockfile.yml @@ -19,14 +19,12 @@ jobs: with: token: ${{ secrets.UPDATE_LOCKFILE_TOKEN }} + # The job deletes the lockfile and regenerates it with `--lockfile-only`, + # so skip the action's auto-install — it would just be wasted work. - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b with: - standalone: true - - - name: Setup Node - run: pnpm runtime -g set node 24.6.0 - timeout-minutes: 2 + install: false - name: Update lockfile run: |