mirror/pnpm - pnpm - Gitea: Git with a cup of tea

mirror/pnpm

Fork 0

mirror of https://github.com/pnpm/pnpm.git synced 2026-06-02 13:13:17 -04:00

Commit Graph

Author	SHA1	Message	Date
Zoltan Kochan	d8a79a9c30	feat(registry): add auth/dist-tag/publish endpoints + wire TS tests onto pnpm-registry (#11914 ) Lands the pieces of the npm registry protocol that pnpm-registry was missing, and switches the TypeScript test harness off verdaccio onto pnpm-registry. `@pnpm/registry-mock` (the npm package) is untouched. ### Server-side additions (`registry/crates/pnpm-registry`) - `PUT /-/user/org.couchdb.user:<name>` — adduser / login, returns a Bearer token. In-memory user + token stores. - `PUT /:pkg` — publish (scoped + unscoped). Base64-decodes `_attachments`, merges into the existing packument, writes manifest + tarball atomically. 100 MiB body limit. - `GET /-/package/:pkg/dist-tags` + `PUT/DELETE /-/package/:pkg/dist-tags/:tag` — rewrites the on-disk packument so tag changes survive a restart. - `Authorization: Bearer` and `Authorization: Basic` both identify the caller. - Per-package access policy (wax glob patterns). Defaults mirror `@pnpm/registry-mock`'s `config.yaml`: `@private/` and `@pnpm.e2e/needs-auth` require auth; everything else is anonymous read, authenticated write. Enforced on every packument / version-manifest / tarball GET and every write endpoint. ### TypeScript-test migration - `__utils__/jest-config/with-registry/globalSetup.js` keeps `prepare()` from `@pnpm/registry-mock` (still needed for the tempy storage path written into the runtime-config yaml — `getIntegrity` reads it from there) but spawns `pnpm-registry` instead of verdaccio. `addUser`, `addDistTag`, `getIntegrity`, `REGISTRY_MOCK_` from registry-mock work as-is — they're plain npm-wire-protocol HTTP calls. - Binary lookup follows pacquet's pattern: `PNPM_REGISTRY_BIN` env override, then `target/release/pnpm-registry`, then `target/debug/pnpm-registry`. - CI test job (`.github/workflows/test.yml`) installs the Rust toolchain via the existing `./.github/actions/rustup` composite action and builds `pnpm-registry --release` before tests run. Per-platform — Linux and Windows in the matrix each build their own.	2026-05-25 09:40:09 +02:00
Zoltan Kochan	d2b64b6689	ci(pacquet): fix all zizmor code-scanning findings (#11641 ) * ci(pacquet): fix all zizmor code-scanning findings Resolves the 90 alerts opened by zizmor against the imported pacquet-* workflows and shared composite actions: - unpinned-uses: pin every third-party action to a SHA + version comment (matching SHAs already used elsewhere in the repo where applicable; taiki-e/install-action collapsed onto v2.78.0 with explicit `tool:` input). - artipacked: add `persist-credentials: false` to every actions/checkout. - template-injection: pass `inputs.` and `steps..outputs.` through `env:` in binstall/rustup composite actions and pacquet-release-to-npm.yml. - excessive-permissions: add top-level `permissions: contents: read` to pacquet-release-to-npm.yml; move issues/pull-requests writes from the workflow level to the benchmark-compare job in pacquet-micro-benchmark.yml. - dangerous-triggers: keep workflow_run in pacquet-integrated-benchmark- comment.yml but suppress with a documented zizmor: ignore — the trigger is the recommended pattern for posting comments back to fork PRs. - superfluous-actions: keep softprops/action-gh-release with a zizmor: ignore (matches release.yml). Verified by running `zizmor .github` locally with no remaining findings. ci(pacquet): point SHA pins at the patch-version tag Swatinem/rust-cache and montudor/action-zip were pinned to the SHA the major-version alias (`v2`, `v1`) resolves to, but the version comments claimed `v2.9.1` / `v1.0.0`. zizmor's online `ref-version-mismatch` audit flagged the inconsistency. Repoint at the SHAs the patch-version tags actually annotate so the pin and the comment agree.	2026-05-14 19:33:30 +02:00
Zoltan Kochan	763ddf1c99	chore(pacquet): wire pacquet workflows into monorepo (#11635 ) * chore(pacquet): wire pacquet workflows into monorepo Move Cargo workspace, Rust toolchain configs, justfile, composite actions, and 7 workflow files out of `pacquet/` and up to the repo root so: - cargo / just / taplo run from repo root, the way the rest of the monorepo's tooling does - GitHub Actions actually discovers the workflows (it only reads `.github/workflows/` at the repo root) Workflows are prefixed with `pacquet-` and renamed to "Pacquet ..." so they don't collide with the existing pnpm CI. Path filters are scoped to `pacquet/*` so they don't trigger on every commit. The cargo entry from pacquet's standalone `dependabot.yml` is folded into the root one; pacquet's `CODEOWNERS` and `pull_request_template.md` are dropped because the root copies supersede them. Path rewrites: - `Cargo.toml` workspace members → `pacquet/crates/`, `pacquet/tasks/` - all path-deps in `[workspace.dependencies]` → `pacquet/...` - `justfile` recipes (`install`, `install-hooks`) point at `pacquet/...` - `.taplo.toml` include globs → `pacquet/crates//.toml`, `pacquet/tasks//.toml` - `pacquet/npm/pacquet/scripts/generate-packages.mjs` REPO_ROOT walks one more level up - workflow `paths:` filters, `hashFiles(...)`, and shell paths all updated Verified: `cargo metadata` resolves the workspace, `cargo fmt --check` clean, `taplo format --check` picks up all 26 Cargo.tomls, `actionlint` reports no new issues (the `type:`-on-input warnings on the rustup action predate this move). chore(pacquet): drop pnpm version pin from pacquet CI workflows The monorepo's root `package.json` declares `pnpm@11.1.1` under `packageManager`, which conflicts with the workflows' explicit `version: 11.0.0-rc.5` and trips `pnpm/action-setup` ERR_PNPM_BAD_PM_VERSION. The pin was a pacquet-era workaround for the v9 lockfile while pnpm 11 was still pre-release. Stable 11.x writes v9 too, so let action-setup read the version from `packageManager` like every other workflow in this repo does. * chore(pacquet): use pnpm/setup matching the rest of the monorepo Replaces `pnpm/action-setup@v6` with the same `pnpm/setup@b1cac3...` SHA the rest of pnpm/pnpm uses (release.yml, test.yml, ci.yml, benchmark.yml, audit.yml). Reads pnpm version from `packageManager` in root package.json, and skips the implicit `pnpm install` since pacquet does its own scoped install via `just install` (which only touches `pacquet/tasks/registry-mock/`). The release workflow now also installs Node via the same action (`runtime: node@22`) instead of via `pnpm runtime -g set node 22`, since pnpm/setup handles runtimes in one step. * chore(pacquet): tighten permissions and Dependabot cooldown Address zizmor warnings on the pacquet CI changes: - `dependabot.yml`: the cargo entry I added in the previous commit inherited from pacquet's standalone repo and is missing the `cooldown: default-days: 7` the github-actions entry uses. Add it so cargo and github-actions debounce updates consistently. - `pacquet-ci.yml`, `pacquet-codecov.yml`, `pacquet-cargo-unused.yml` lacked a top-level `permissions:` block, so GITHUB_TOKEN inherited the repo default. Declare `contents: read` — every job in these workflows only reads the repo and runs local checks. The other four pacquet workflows already declare permissions explicitly (integrated-benchmark/comment, micro-benchmark, release). * chore(pacquet): add "reimagining" to cspell dictionary cspell at the repo root scans all `*/README.md` and was rejecting `pacquet/README.md` and `pacquet/npm/pacquet/README.md`, which describe pacquet as "not a reimagining of pnpm." Add the word to the existing allow-list rather than rewording two READMEs imported from a separate repo. fix(pacquet): prefix workspace-relative paths with pacquet/ Two Rust source files looked up paths off the cargo workspace root (\`cargo locate-project --workspace\`), which now resolves to the monorepo root rather than the pacquet directory. Add the \`pacquet/\` prefix: - \`tasks/registry-mock/src/dirs.rs\` — \`registry_mock()\` was pointing the node launcher at \`<repo>/tasks/registry-mock/launch.mjs\` instead of \`<repo>/pacquet/tasks/registry-mock/launch.mjs\`, which failed every Pacquet CI test job ("Cannot find module ...launch.mjs"). - \`tasks/micro-benchmark/src/main.rs\` — same idea for the fixtures folder.	2026-05-14 18:17:45 +02:00

Author

SHA1

Message

Date

Zoltan Kochan

d8a79a9c30

feat(registry): add auth/dist-tag/publish endpoints + wire TS tests onto pnpm-registry (#11914 )

Lands the pieces of the npm registry protocol that pnpm-registry was missing, and switches the TypeScript test harness off verdaccio onto pnpm-registry. `@pnpm/registry-mock` (the npm package) is untouched.

### Server-side additions (`registry/crates/pnpm-registry`)

- `PUT /-/user/org.couchdb.user:<name>` — adduser / login, returns a Bearer token. In-memory user + token stores.
- `PUT /:pkg` — publish (scoped + unscoped). Base64-decodes `_attachments`, merges into the existing packument, writes manifest + tarball atomically. 100 MiB body limit.
- `GET /-/package/:pkg/dist-tags` + `PUT/DELETE /-/package/:pkg/dist-tags/:tag` — rewrites the on-disk packument so tag changes survive a restart.
- `Authorization: Bearer` and `Authorization: Basic` both identify the caller.
- Per-package access policy (wax glob patterns). Defaults mirror `@pnpm/registry-mock`'s `config.yaml`: `@private/*` and `@pnpm.e2e/needs-auth` require auth; everything else is anonymous read, authenticated write. Enforced on every packument / version-manifest / tarball GET and every write endpoint.

### TypeScript-test migration

- `__utils__/jest-config/with-registry/globalSetup.js` keeps `prepare()` from `@pnpm/registry-mock` (still needed for the tempy storage path written into the runtime-config yaml — `getIntegrity` reads it from there) but spawns `pnpm-registry` instead of verdaccio. `addUser`, `addDistTag`, `getIntegrity`, `REGISTRY_MOCK_*` from registry-mock work as-is — they're plain npm-wire-protocol HTTP calls.
- Binary lookup follows pacquet's pattern: `PNPM_REGISTRY_BIN` env override, then `target/release/pnpm-registry`, then `target/debug/pnpm-registry`.
- CI test job (`.github/workflows/test.yml`) installs the Rust toolchain via the existing `./.github/actions/rustup` composite action and builds `pnpm-registry --release` before tests run. Per-platform — Linux and Windows in the matrix each build their own.

2026-05-25 09:40:09 +02:00

Zoltan Kochan

d2b64b6689

ci(pacquet): fix all zizmor code-scanning findings (#11641 )

* ci(pacquet): fix all zizmor code-scanning findings

Resolves the 90 alerts opened by zizmor against the imported pacquet-*
workflows and shared composite actions:

- unpinned-uses: pin every third-party action to a SHA + version comment
  (matching SHAs already used elsewhere in the repo where applicable;
  taiki-e/install-action collapsed onto v2.78.0 with explicit `tool:` input).
- artipacked: add `persist-credentials: false` to every actions/checkout.
- template-injection: pass `inputs.*` and `steps.*.outputs.*` through `env:`
  in binstall/rustup composite actions and pacquet-release-to-npm.yml.
- excessive-permissions: add top-level `permissions: contents: read` to
  pacquet-release-to-npm.yml; move issues/pull-requests writes from the
  workflow level to the benchmark-compare job in pacquet-micro-benchmark.yml.
- dangerous-triggers: keep workflow_run in pacquet-integrated-benchmark-
  comment.yml but suppress with a documented zizmor: ignore — the trigger
  is the recommended pattern for posting comments back to fork PRs.
- superfluous-actions: keep softprops/action-gh-release with a zizmor:
  ignore (matches release.yml).

Verified by running `zizmor .github` locally with no remaining findings.

* ci(pacquet): point SHA pins at the patch-version tag

Swatinem/rust-cache and montudor/action-zip were pinned to the SHA the
major-version alias (`v2`, `v1`) resolves to, but the version comments
claimed `v2.9.1` / `v1.0.0`. zizmor's online `ref-version-mismatch`
audit flagged the inconsistency. Repoint at the SHAs the patch-version
tags actually annotate so the pin and the comment agree.

2026-05-14 19:33:30 +02:00

Zoltan Kochan

763ddf1c99

chore(pacquet): wire pacquet workflows into monorepo (#11635 )

* chore(pacquet): wire pacquet workflows into monorepo

Move Cargo workspace, Rust toolchain configs, justfile, composite actions,
and 7 workflow files out of `pacquet/` and up to the repo root so:

  - cargo / just / taplo run from repo root, the way the rest of the
    monorepo's tooling does
  - GitHub Actions actually discovers the workflows (it only reads
    `.github/workflows/` at the repo root)

Workflows are prefixed with `pacquet-` and renamed to "Pacquet ..." so
they don't collide with the existing pnpm CI. Path filters are scoped
to `pacquet/**` so they don't trigger on every commit. The cargo entry
from pacquet's standalone `dependabot.yml` is folded into the root one;
pacquet's `CODEOWNERS` and `pull_request_template.md` are dropped because
the root copies supersede them.

Path rewrites:
  - `Cargo.toml` workspace members → `pacquet/crates/*`, `pacquet/tasks/*`
  - all path-deps in `[workspace.dependencies]` → `pacquet/...`
  - `justfile` recipes (`install`, `install-hooks`) point at `pacquet/...`
  - `.taplo.toml` include globs → `pacquet/crates/*/*.toml`, `pacquet/tasks/*/*.toml`
  - `pacquet/npm/pacquet/scripts/generate-packages.mjs` REPO_ROOT walks one
    more level up
  - workflow `paths:` filters, `hashFiles(...)`, and shell paths all updated

Verified: `cargo metadata` resolves the workspace, `cargo fmt --check`
clean, `taplo format --check` picks up all 26 Cargo.tomls, `actionlint`
reports no new issues (the `type:`-on-input warnings on the rustup action
predate this move).

* chore(pacquet): drop pnpm version pin from pacquet CI workflows

The monorepo's root `package.json` declares `pnpm@11.1.1` under
`packageManager`, which conflicts with the workflows' explicit
`version: 11.0.0-rc.5` and trips `pnpm/action-setup` ERR_PNPM_BAD_PM_VERSION.

The pin was a pacquet-era workaround for the v9 lockfile while pnpm 11
was still pre-release. Stable 11.x writes v9 too, so let action-setup
read the version from `packageManager` like every other workflow in
this repo does.

* chore(pacquet): use pnpm/setup matching the rest of the monorepo

Replaces `pnpm/action-setup@v6` with the same `pnpm/setup@b1cac3...`
SHA the rest of pnpm/pnpm uses (release.yml, test.yml, ci.yml,
benchmark.yml, audit.yml). Reads pnpm version from `packageManager`
in root package.json, and skips the implicit `pnpm install` since
pacquet does its own scoped install via `just install` (which only
touches `pacquet/tasks/registry-mock/`).

The release workflow now also installs Node via the same action
(`runtime: node@22`) instead of via `pnpm runtime -g set node 22`,
since pnpm/setup handles runtimes in one step.

* chore(pacquet): tighten permissions and Dependabot cooldown

Address zizmor warnings on the pacquet CI changes:

  - `dependabot.yml`: the cargo entry I added in the previous commit
    inherited from pacquet's standalone repo and is missing the
    `cooldown: default-days: 7` the github-actions entry uses. Add it
    so cargo and github-actions debounce updates consistently.

  - `pacquet-ci.yml`, `pacquet-codecov.yml`, `pacquet-cargo-unused.yml`
    lacked a top-level `permissions:` block, so GITHUB_TOKEN inherited
    the repo default. Declare `contents: read` — every job in these
    workflows only reads the repo and runs local checks.

The other four pacquet workflows already declare permissions
explicitly (integrated-benchmark/comment, micro-benchmark, release).

* chore(pacquet): add "reimagining" to cspell dictionary

cspell at the repo root scans all `**/README.md` and was rejecting
`pacquet/README.md` and `pacquet/npm/pacquet/README.md`, which describe
pacquet as "not a reimagining of pnpm." Add the word to the existing
allow-list rather than rewording two READMEs imported from a separate
repo.

* fix(pacquet): prefix workspace-relative paths with pacquet/

Two Rust source files looked up paths off the cargo workspace root
(\`cargo locate-project --workspace\`), which now resolves to the
monorepo root rather than the pacquet directory. Add the \`pacquet/\`
prefix:

  - \`tasks/registry-mock/src/dirs.rs\` — \`registry_mock()\` was
    pointing the node launcher at \`<repo>/tasks/registry-mock/launch.mjs\`
    instead of \`<repo>/pacquet/tasks/registry-mock/launch.mjs\`, which
    failed every Pacquet CI test job ("Cannot find module ...launch.mjs").
  - \`tasks/micro-benchmark/src/main.rs\` — same idea for the
    fixtures folder.

2026-05-14 18:17:45 +02:00

3 Commits