mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-14 09:42:37 -04:00
Merge the three release flows (TypeScript, Rust CLI + @pnpm/napi, pnpr) into a single flow driven by pnpm's native workspace versioning (pnpm/pnpm#12953), dropping the @changesets/cli dependency (Closes pnpm/pnpm#12947). The native engine keys package identity on the workspace directory, so the Rust CLI wrapper is named pnpm (the v12 line at pnpm/npm/pnpm) and shares the published name with the TypeScript CLI at pnpm11/pnpm. Release configuration moves from .changeset/config.json to the versioning key of pnpm-workspace.yaml: versioning.lanes puts the Rust CLI, @pnpm/napi, and @pnpm/pnpr on an alpha lane (X.Y.Z-alpha.N prereleases published under next) while the TypeScript CLI releases stable on the main lane; versioning.fixed keeps the Rust CLI and @pnpm/napi at one shared version; versioning.ignore freezes @pnpm/logger, which is consumed as a catalog: peer the engine would otherwise reject as an internal range. Lanes replace the hand-rolled prerelease continuation, and the committed .changeset/ledger.yaml replaces the .changeset-released directory as the cherry-pick-safe record of consumed intents. bump.ts drops both and is now just pnpm version -r plus syncRustVersions, which mirrors the bumped wrapper versions into defaults.rs and the pnpr crate version. Because two workspace projects are named pnpm, name-based --filter=pnpm is qualified by directory (pnpm{pnpm11/pnpm}) across the build and release scripts, the meta-updater excludes the Rust wrappers by directory, and changesets targeting the TypeScript CLI reference it as ./pnpm11/pnpm. release.yml's plan job gates per-product publish jobs on which committed versions are unpublished; everything publishes via trusted publishing. @changesets/cli, .changeset/config.json, and the standalone pacquet/pnpr release workflows are removed; their npm trusted-publisher bindings must be re-pointed at release.yml before the first unified release. pnpm-lock.yaml is regenerated from scratch: an incremental --lockfile-only resolve after the @changesets/cli removal hit a pacquet incremental-resolver bug (pnpm/pnpm#12958) that emptied a peer-context snapshot the CLI depends on and broke the bundle build. A from-scratch resolve is correct; the bug is filed separately.
190 lines
8.1 KiB
YAML
190 lines
8.1 KiB
YAML
name: Create Release PR
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
target:
|
|
description: Branch to release (the PR base; e.g. main or release/11.1).
|
|
default: main
|
|
required: true
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
# Serialize per target so two dispatches for the same branch can't race on the
|
|
# force-pushed release-pr/<target> branch.
|
|
concurrency:
|
|
group: create-release-pr-${{ github.event.inputs.target }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
create-release-pr:
|
|
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
# Don't persist the write-scoped token in .git/config; the install below
|
|
# runs third-party lifecycle scripts. Pushing is done with an explicit,
|
|
# single-use remote URL in the "Commit and push" step.
|
|
persist-credentials: false
|
|
|
|
- name: Install pnpm and Node
|
|
uses: pnpm/setup@77cf06832101b3ac8c65caaf76a21643936d07a4
|
|
with:
|
|
runtime: node@26.3.0
|
|
|
|
# Base the release on the tip of the target branch, fetched explicitly so the
|
|
# run is correct even when dispatched from another ref. A force-push to
|
|
# release-pr/<target> reuses an already-open release PR for the same target
|
|
# rather than opening a second.
|
|
- name: Prepare release branch
|
|
env:
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git fetch origin "$TARGET"
|
|
git checkout -B "release-pr/$TARGET" FETCH_HEAD
|
|
|
|
# Refresh the npm registry signing keys embedded in
|
|
# @pnpm/deps.security.signatures from what npm advertises. pnpm verifies
|
|
# package-manager binaries (pacquet, the version-switch pnpm) against these
|
|
# keys, so a stale set could break verification after a key rotation. Any
|
|
# drift is committed below along with the version bumps, so the new trust
|
|
# roots are reviewed as part of the release PR diff.
|
|
- name: Update embedded npm signing keys
|
|
run: node pnpm11/deps/security/signatures/scripts/update-npm-signing-keys.mjs --update
|
|
|
|
# Refresh the embedded Node.js release keys (used to verify the signature of
|
|
# a downloaded runtime's SHASUMS256.txt) from the canonical
|
|
# nodejs/release-keys list, so a new release signer cannot break Node.js
|
|
# runtime verification. Reviewed in the release PR diff like the npm keys.
|
|
- name: Update embedded Node.js release keys
|
|
run: node pnpm11/crypto/shasums-file/scripts/update-node-release-keys.mjs --update
|
|
|
|
# A refreshed trust root must show up in the changelogs, so synthesize a
|
|
# changeset for whichever key sets drifted before `pnpm bump` consumes the
|
|
# pending changesets. The `drifted` output drives an explicit review signal
|
|
# on the PR, so a trust-root change cannot hide in a large version-bump diff.
|
|
- name: Add changesets for refreshed keys
|
|
id: keys
|
|
run: |
|
|
drifted=""
|
|
if ! git diff --quiet -- pnpm11/deps/security/signatures/src/npmSigningKeys.ts; then
|
|
drifted="npm registry signing keys"
|
|
cat > .changeset/release-refresh-npm-signing-keys.md <<'EOF'
|
|
---
|
|
"@pnpm/deps.security.signatures": patch
|
|
"pnpm": patch
|
|
---
|
|
|
|
Updated the embedded npm registry signing keys to the set currently advertised by npm.
|
|
EOF
|
|
fi
|
|
if ! git diff --quiet -- pnpm11/crypto/shasums-file/src/nodeReleaseKeys.ts; then
|
|
drifted="${drifted:+$drifted and }Node.js release keys"
|
|
cat > .changeset/release-refresh-node-release-keys.md <<'EOF'
|
|
---
|
|
"@pnpm/crypto.shasums-file": patch
|
|
"pnpm": patch
|
|
---
|
|
|
|
Updated the embedded Node.js release keys to the current canonical `nodejs/release-keys` list.
|
|
EOF
|
|
fi
|
|
echo "drifted=$drifted" >> "$GITHUB_OUTPUT"
|
|
|
|
# Consumes the pending changesets: bumps versions, writes changelogs, updates
|
|
# the ledger, and syncs manifests. A no-op (no pending changesets) leaves the
|
|
# tree clean and the steps below skip.
|
|
- name: Bump versions
|
|
run: pnpm bump
|
|
|
|
- name: Check for changes
|
|
id: changes
|
|
run: |
|
|
if [ -z "$(git status --porcelain)" ]; then
|
|
echo "changed=false" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "changed=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# One release PR covers every product; the commit subject lists the ones
|
|
# whose version actually changed against the target branch, e.g.
|
|
# "chore(release): 11.13.0, pacquet 12.0.0-alpha.9, pnpr 0.2.0". When only
|
|
# the TypeScript CLI bumped, the subject stays the historical bare version.
|
|
# `@pnpm/napi` is not listed separately: it is a versioning.fixed group with
|
|
# pacquet, so it always carries pacquet's version.
|
|
- name: Compose release summary
|
|
id: version
|
|
if: steps.changes.outputs.changed == 'true'
|
|
run: |
|
|
summary=""
|
|
add() {
|
|
local label="$1" manifest="$2" new old
|
|
new=$(jq -r .version "$manifest")
|
|
old=$(git show "FETCH_HEAD:$manifest" 2>/dev/null | jq -r .version || echo "")
|
|
if [ "$new" != "$old" ]; then
|
|
summary="${summary:+$summary, }${label:+$label }$new"
|
|
fi
|
|
}
|
|
add "" pnpm11/pnpm/package.json
|
|
add "pacquet" pnpm/npm/pnpm/package.json
|
|
add "pnpr" pnpr/npm/pnpr/package.json
|
|
# Changes without a version bump (e.g. refreshed trust-root changesets
|
|
# consumed into changelogs only) still need a commit subject.
|
|
if [ -z "$summary" ]; then
|
|
summary=$(jq -r .version pnpm11/pnpm/package.json)
|
|
fi
|
|
echo "version=$summary" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Commit and push
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
VERSION: ${{ steps.version.outputs.version }}
|
|
run: |
|
|
git add -A
|
|
git commit -m "chore(release): ${VERSION}"
|
|
git push -f "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "release-pr/$TARGET"
|
|
|
|
- name: Create PR if needed
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
VERSION: ${{ steps.version.outputs.version }}
|
|
run: |
|
|
BRANCH="release-pr/$TARGET"
|
|
|
|
# An already-open PR now points at the freshly force-pushed branch, so
|
|
# there is nothing more to do.
|
|
if [ -n "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')" ]; then
|
|
echo "PR already exists; the new versions were force-pushed to it"
|
|
else
|
|
gh pr create \
|
|
--title "chore(release): ${VERSION}" \
|
|
--body "Automated release PR created by the create-release-pr workflow.
|
|
|
|
Releasing \`${TARGET}\`: ${VERSION}. Merging this PR consumes the pending changesets and records them in the committed \`.changeset/ledger.yaml\`. After merging, push the version tag of a released product to run the release workflow." \
|
|
--base "$TARGET" \
|
|
--head "$BRANCH"
|
|
fi
|
|
|
|
# Embedded trust roots changed in this release, so leave a hard-to-miss
|
|
# comment: the refreshed keys need deliberate review, not a scroll-past
|
|
# among the version bumps and changelogs.
|
|
- name: Flag refreshed trust roots on the PR
|
|
if: steps.changes.outputs.changed == 'true' && steps.keys.outputs.drifted != ''
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
DRIFTED: ${{ steps.keys.outputs.drifted }}
|
|
run: |
|
|
PR=$(gh pr list --head "release-pr/$TARGET" --state open --json number --jq '.[0].number')
|
|
gh pr comment "$PR" --body "⚠️ This release refreshes embedded trust roots: **${DRIFTED}**. Review those key diffs deliberately before merging — they gate signature verification of Node.js runtimes and package-manager binaries."
|