chore(ci): migrate workflows to pnpm/setup (#11589)

## Summary Migrates CI workflows from `pnpm/action-setup` + manual `pn runtime set node …` + `pn install` to the new combined `pnpm/setup` action (see https://github.com/pnpm/setup/pull/1). `pnpm/setup` installs pnpm and the JS runtime in one step. It also runs `pnpm install` automatically when a `package.json` is present, so per-workflow install steps are dropped. When the `runtime` input is set, the action passes `--no-runtime` to `pnpm install` so the matrix-selected Node version isn't shadowed by a different `devEngines.runtime` pin. ## What changed | Workflow | Migration | |---|---| | `test.yml` | `pnpm/setup` with `runtime: node@${{ inputs.node }}`. Verify-Node step asserts the matrix version stayed active. Verify-npm step retained as canary (npm comes from the runner image, not the pnpm-installed runtime). | | `ci.yml` | `pnpm/setup` (no `runtime` input — `devEngines.runtime` in package.json handles the Node pin). | | `release.yml` | `pnpm/setup` with `runtime: node@26.0.0`. | | `benchmark.yml` | `pnpm/setup` with `runtime: node@26.0.0`. | | `audit.yml` | `pnpm/setup` with `install: false` — audit only needs pnpm itself, not `node_modules`. | | `update-lockfile.yml` | `pnpm/setup` with `install: false` — the job deletes `pnpm-lock.yaml` and regenerates it via `--lockfile-only`, so the action's auto-install would be wasted. | | `update-latest.yml` | Untouched — it only uses npm, no pnpm setup needed. | ## Caveats / things to watch - **npm availability.** `pnpm runtime set node` does not extract npm. The runner image's pre-installed Node toolchain provides `npm` on PATH; if a future runner image change removes that, dlx-style git-hosted dependency tests in `test.yml` will fail. The `Verify npm` step in `test.yml` is the canary. ## Related upstream change - [pnpm/setup#3](https://github.com/pnpm/setup/pull/3) — added the `install` input so callers like `audit.yml` and `update-lockfile.yml` can opt out of the action's auto-install.
2026-05-13 11:05:52 -04:00 · 2026-05-12 19:31:54 +02:00
parent 7e3145f9fc
commit dcc171a948
6 changed files with 21 additions and 45 deletions
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -14,8 +14,8 @@ jobs:
    - name: Checkout Commit
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
      with:
-        standalone: true
+        install: false
    - name: Audit
      run: pn audit
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -46,24 +46,16 @@ jobs:
        git checkout "origin/pr-${PR_NUMBER}"
        echo "Checked out PR #$PR_NUMBER at $(git rev-parse --short HEAD)"

-    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+    - name: Install pnpm and Node
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
      with:
-        standalone: true
-
-    - name: Setup Node
-      run: pnpm runtime -g set node 26.0.0
-      timeout-minutes: 2
+        runtime: node@26.0.0

    - name: Install hyperfine
      run: |
        wget -q https://github.com/sharkdp/hyperfine/releases/download/v1.18.0/hyperfine_1.18.0_amd64.deb
        sudo dpkg -i hyperfine_1.18.0_amd64.deb

-    - name: Install dependencies
-      run: pnpm install
-      timeout-minutes: 5
-
    - name: Compile
      run: pnpm run compile

--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,12 +19,7 @@ jobs:
    - name: Checkout Commit
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
-      with:
-        standalone: true
-    - name: pnpm install
-      run: pn install
-      timeout-minutes: 3
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
    - name: Compile TypeScript
      run: pn compile-only
    - name: Lint
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,15 +22,10 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      - name: Install pnpm and Node
+        uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
        with:
-          standalone: true
-      - name: Setup Node
-        run: pn runtime -g set node 26.0.0
-        timeout-minutes: 2
-      - name: pnpm install
-        run: pn install
+          runtime: node@26.0.0
      # The publish phase is split into three sequential steps to control which packages
      # use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails
      # out of OIDC as soon as a static `_authToken` is configured, so the only way to
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -30,19 +30,10 @@ jobs:
        git config --global user.email "x@y.z"
    - name: Checkout Commit
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+    - name: Install pnpm and Node
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
      with:
-        standalone: true
-    - name: Setup Node
-      run: pn runtime -g set node ${{ inputs.node }}
-      timeout-minutes: 2
-    # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests)
-    - name: Verify npm
-      run: npm --version
-    - name: pnpm install
-      run: pn install --no-runtime
-      timeout-minutes: 3
+        runtime: node@${{ inputs.node }}
    - name: Verify Node version
      shell: bash
      run: |
@@ -52,6 +43,11 @@ jobs:
          echo "Expected Node version $expected but got $actual"
          exit 1
        fi
+    # npm is needed for preparing git-hosted dependencies (e.g. in dlx tests).
+    # `pnpm runtime set node` does not extract npm; the runner image's
+    # pre-installed Node toolchain provides it on PATH.
+    - name: Verify npm
+      run: npm --version
    - name: Download compiled artifacts
      uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
      with:
--- a/.github/workflows/update-lockfile.yml
+++ b/.github/workflows/update-lockfile.yml
@@ -19,14 +19,12 @@ jobs:
      with:
        token: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}

+    # The job deletes the lockfile and regenerates it with `--lockfile-only`,
+    # so skip the action's auto-install — it would just be wasted work.
    - name: Install pnpm
-      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
+      uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
      with:
-        standalone: true
-
-    - name: Setup Node
-      run: pnpm runtime -g set node 24.6.0
-      timeout-minutes: 2
+        install: false

    - name: Update lockfile
      run: |