Merge the three release flows (TypeScript, Rust CLI + @pnpm/napi, pnpr) into a single flow driven by pnpm's native workspace versioning (pnpm/pnpm#12953), dropping the @changesets/cli dependency (Closes pnpm/pnpm#12947). The native engine keys package identity on the workspace directory, so the Rust CLI wrapper is named pnpm (the v12 line at pnpm/npm/pnpm) and shares the published name with the TypeScript CLI at pnpm11/pnpm. Release configuration moves from .changeset/config.json to the versioning key of pnpm-workspace.yaml: versioning.lanes puts the Rust CLI, @pnpm/napi, and @pnpm/pnpr on an alpha lane (X.Y.Z-alpha.N prereleases published under next) while the TypeScript CLI releases stable on the main lane; versioning.fixed keeps the Rust CLI and @pnpm/napi at one shared version; versioning.ignore freezes @pnpm/logger, which is consumed as a catalog: peer the engine would otherwise reject as an internal range. Lanes replace the hand-rolled prerelease continuation, and the committed .changeset/ledger.yaml replaces the .changeset-released directory as the cherry-pick-safe record of consumed intents. bump.ts drops both and is now just pnpm version -r plus syncRustVersions, which mirrors the bumped wrapper versions into defaults.rs and the pnpr crate version. Because two workspace projects are named pnpm, name-based --filter=pnpm is qualified by directory (pnpm{pnpm11/pnpm}) across the build and release scripts, the meta-updater excludes the Rust wrappers by directory, and changesets targeting the TypeScript CLI reference it as ./pnpm11/pnpm. release.yml's plan job gates per-product publish jobs on which committed versions are unpublished; everything publishes via trusted publishing. @changesets/cli, .changeset/config.json, and the standalone pacquet/pnpr release workflows are removed; their npm trusted-publisher bindings must be re-pointed at release.yml before the first unified release. pnpm-lock.yaml is regenerated from scratch: an incremental --lockfile-only resolve after the @changesets/cli removal hit a pacquet incremental-resolver bug (pnpm/pnpm#12958) that emptied a peer-context snapshot the CLI depends on and broke the bundle build. A from-scratch resolve is correct; the bug is filed separately.
pnpr Docker image
Official image for pnpr, the pnpm-compatible npm registry server,
published to GitHub Container Registry.
ghcr.io/pnpm/pnpr
Based on debian:stable-slim with the standalone pnpr binary (static musl
build, the same artifact published to npm). The container runs as a
non-root pnpr user and listens on port 7677.
Tags
| Tag | Meaning |
|---|---|
<version> |
Exact, immutable (e.g. 0.2.3). Includes prereleases. |
latest |
Most recent stable release. Not updated for prereleases. |
Supported platforms
linux/amd64, linux/arm64.
Usage
docker run --rm -p 7677:7677 \
-v pnpr-storage:/pnpr/storage \
ghcr.io/pnpm/pnpr:latest
The default command binds to 0.0.0.0:7677 and stores published packages in
/pnpr/storage and the disposable upstream mirror in /pnpr/cache (both
declared as volumes). To use a custom config, mount it and point pnpr at it:
docker run --rm -p 7677:7677 \
-v "$PWD/config.yaml:/pnpr/config.yaml:ro" \
-v pnpr-storage:/pnpr/storage \
ghcr.io/pnpm/pnpr:latest --listen 0.0.0.0:7677 --config /pnpr/config.yaml
Then point pnpm at it:
pnpm config set registry http://localhost:7677
Build locally
The build context expects the binary for each target architecture, staged as
pnpr-amd64 / pnpr-arm64. Build one with cross (or cargo for the host
arch) and drop it in:
The build verifies the binary against a SHA256 checksum before trusting it, so pass the checksum for the architecture you're building:
VERSION=0.2.3
cross build -p pnpr --bin pnpr --release --target x86_64-unknown-linux-musl
cp target/x86_64-unknown-linux-musl/release/pnpr pnpr/docker/pnpr-amd64
docker buildx build \
--build-arg PNPR_VERSION=${VERSION} \
--build-arg PNPR_SHA256_AMD64=$(shasum -a 256 pnpr/docker/pnpr-amd64 | awk '{print $1}') \
--platform linux/amd64 \
--load \
-t pnpr-test ./pnpr/docker
docker run --rm pnpr-test --version
Release
Images are built and pushed by the docker-pnpr job in
.github/workflows/release.yml,
which runs after the npm packages are published. The build verifies each
staged binary against the SHA256 checksum pinned by the release job and fails
if pnpr --version in the image doesn't match the PNPR_VERSION build-arg.