Mirror of https://github.com/pnpm/pnpm.git, synced 2026-06-29 10:25:05 -04:00 (e72b482b6f975172c8eef813261c61ba061fc3fe)

4 Commits
8cec791e38 chore(deps): bump the github-actions group across 1 directory with 4 updates (#12356)

Bumps the github-actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [github/codeql-action](https://github.com/github/codeql-action), [taiki-e/install-action](https://github.com/taiki-e/install-action) and [crate-ci/typos](https://github.com/crate-ci/typos).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](

04473e027c chore(deps): bump the github-actions group across 1 directory with 10 updates (#12220)

Bumps the github-actions group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.5` | `4.36.0` |
| [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) | `4.0.0` | `4.1.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.0.0` | `4.1.0` |
| [docker/login-action](https://github.com/docker/login-action) | `4.1.0` | `4.2.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `7.1.0` | `7.2.0` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.78.1` | `2.79.14` |
| [crate-ci/typos](https://github.com/crate-ci/typos) | `1.46.1` | `1.47.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `6.0.0` | `6.0.1` |
| [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action) | `2.2.0` | `2.2.1` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.5` | `0.5.6` |

Updates `github/codeql-action` from 4.35.5 to 4.36.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](

6b2a955a15 ci: address zizmor findings across workflows (#11608)

Resolves all 30 zizmor alerts reported on main after #11607:

- template-injection (19): move `${{ ... }}` interpolations in `run:` blocks to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name, github.actor) can't break out of shell quoting.
- artipacked (8): add `persist-credentials: false` to `actions/checkout` in audit, benchmark, ci, codeql-analysis, docker, release, test workflows. `update-lockfile.yml` keeps the persisted token (later step pushes to a branch) with a `zizmor: ignore[artipacked]` comment and justification.
- dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially malicious) Actions releases don't get auto-PR'd day-of-release.
- ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at the `v2` tag, not a non-existent `v2.0.0`. Fix the comment.
- superfluous-actions (1): mark `softprops/action-gh-release` with a `zizmor: ignore` and justification — the release pipeline is sensitive and the action is battle-tested; we're not swapping it for `gh release` here.

Verified locally with `zizmor --persona regular .github` (online audits on):

    No findings to report. Good job! (2 ignored, 32 suppressed)

---

Written by an agent (Claude Code, claude-opus-4-7).

9ae1ca7253 feat: publish base docker image to GHCR (#11302)

* feat: publish base docker image to GHCR

  Adds a Dockerfile (debian:stable-slim + pnpm standalone binary) and a release-triggered workflow that builds multi-arch images and pushes to ghcr.io/pnpm/pnpm. Users who need Node.js can install it inside the container via `pnpm runtime set node <version>`.

  Refs #11300

* docs: add docker/README.md

* chore(cspell): add buildx to dictionary

* docs: mention devEngines.runtime as alternative to pnpm runtime set

* fix(docker): pin base image, verify tarball sha256, harden download

  - Pin `debian:stable-slim` to a digest for reproducibility.
  - Compute pnpm tarball SHA256 in the workflow and verify it inside the build, detecting tampered artifacts regardless of what `pnpm --version` reports.
  - Download the tarball to disk with `--retry` instead of `curl | tar` for resilience under multi-arch QEMU builds.
  - README: use `--load` so the local test image is available to `docker run`.

* chore(cspell): sort dictionary additions

* fix(docker): address Copilot review feedback

  - Include $PNPM_HOME/bin on PATH so pnpm-installed globals (node, etc.) are discoverable, and make $PNPM_HOME writable for non-root users.
  - Document that `pnpm runtime set node` needs `-g` to install globally.
  - Pass workflow inputs via env: instead of inlining GitHub expressions into shell, and validate the version string before use.

* fix(docker): install libatomic1 for pnpm standalone binary

  The pnpm linux standalone binary dynamically links against libatomic.so.1, which is not present in debian:stable-slim by default. Without it, `pnpm --version` fails during the build with:

      pnpm: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

  Caught by local build testing.