mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-05-13 02:55:56 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
dcc171a948aa0eb00a84d1007782d3e8d48ebf13
pnpm/.github/workflows/update-lockfile.yml
Zoltan Kochan dcc171a948 chore(ci): migrate workflows to pnpm/setup (#11589) 
## Summary

Migrates CI workflows from `pnpm/action-setup` + manual `pn runtime set node …` + `pn install` to the new combined `pnpm/setup` action (see https://github.com/pnpm/setup/pull/1).

`pnpm/setup` installs pnpm and the JS runtime in one step. It also runs `pnpm install` automatically when a `package.json` is present, so per-workflow install steps are dropped. When the `runtime` input is set, the action passes `--no-runtime` to `pnpm install` so the matrix-selected Node version isn't shadowed by a different `devEngines.runtime` pin.

## What changed

| Workflow | Migration |
|---|---|
| `test.yml` | `pnpm/setup` with `runtime: node@${{ inputs.node }}`. Verify-Node step asserts the matrix version stayed active. Verify-npm step retained as canary (npm comes from the runner image, not the pnpm-installed runtime). |
| `ci.yml` | `pnpm/setup` (no `runtime` input — `devEngines.runtime` in package.json handles the Node pin). |
| `release.yml` | `pnpm/setup` with `runtime: node@26.0.0`. |
| `benchmark.yml` | `pnpm/setup` with `runtime: node@26.0.0`. |
| `audit.yml` | `pnpm/setup` with `install: false` — audit only needs pnpm itself, not `node_modules`. |
| `update-lockfile.yml` | `pnpm/setup` with `install: false` — the job deletes `pnpm-lock.yaml` and regenerates it via `--lockfile-only`, so the action's auto-install would be wasted. |
| `update-latest.yml` | Untouched — it only uses npm, no pnpm setup needed. |

## Caveats / things to watch

- **npm availability.** `pnpm runtime set node` does not extract npm. The runner image's pre-installed Node toolchain provides `npm` on PATH; if a future runner image change removes that, dlx-style git-hosted dependency tests in `test.yml` will fail. The `Verify npm` step in `test.yml` is the canary.

## Related upstream change

- [pnpm/setup#3](https://github.com/pnpm/setup/pull/3) — added the `install` input so callers like `audit.yml` and `update-lockfile.yml` can opt out of the action's auto-install.
2026-05-12 19:31:54 +02:00

83 lines
2.5 KiB
YAML
Raw Blame History

name: Update Lockfile
on:
schedule:
- cron: '0 6 * * *' # Daily at 6 AM UTC
workflow_dispatch: {} # Allow manual triggering
permissions:
contents: write
pull-requests: write
jobs:
update-lockfile:
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
runs-on: ubuntu-latest
steps:
- name: Checkout Commit
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
# The job deletes the lockfile and regenerates it with `--lockfile-only`,
# so skip the action's auto-install — it would just be wasted work.
- name: Install pnpm
uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
with:
install: false
- name: Update lockfile
run: |
rm pnpm-lock.yaml
pnpm install --lockfile-only
timeout-minutes: 5
- name: Check for changes
id: changes
run: |
if git diff --quiet pnpm-lock.yaml; then
echo "changed=false" >> $GITHUB_OUTPUT
else
echo "changed=true" >> $GITHUB_OUTPUT
fi
- name: Create or update PR
if: steps.changes.outputs.changed == 'true'
env:
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
BRANCH="chore/update-lockfile"
# Check if branch exists on remote
if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
git fetch origin "$BRANCH"
git checkout "$BRANCH"
git reset --hard origin/main
else
git checkout -b "$BRANCH"
fi
# Re-apply the lockfile update on the branch
rm pnpm-lock.yaml
pnpm install --lockfile-only
git add pnpm-lock.yaml
git commit -m "chore: update pnpm-lock.yaml"
git push -f origin "$BRANCH"
# Check if PR already exists
if gh pr list --head "$BRANCH" --state open | grep -q "$BRANCH"; then
echo "PR already exists, it has been updated"
else
gh pr create \
--title "chore: update pnpm-lock.yaml" \
--body "This PR updates the lockfile to pick up the latest compatible versions of dependencies.
This is an automated PR created by the update-lockfile workflow." \
--base main \
--head "$BRANCH"
fi
Reference in New Issue View Git Blame Copy Permalink