mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-14 09:42:37 -04:00
* feat(release): auto-refresh embedded signing keys in the release PR The create-release-pr workflow previously failed when the embedded npm signing keys or Node.js release keys drifted from their canonical sources, requiring a manual update PR before a release could proceed. Now the workflow runs the update scripts in --update mode and commits the refreshed keys together with the version bumps, so the new trust roots are reviewed as part of the release PR diff. A synthesized changeset records the refresh in the changelogs of the affected packages. Also embeds the Node.js release team's new signing key 655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD (Stewart X Addison), which the last release run reported as missing, and fixes the Rust renderer in update-node-release-keys.mjs so its output is lint-clean (angle-bracket URL for dylint's bare-url lint, raw-string hashes only when the key contains a quote for clippy's needless_raw_string_hashes) and matches the committed file byte-for-byte on a no-drift run. * fix(release): canonicalize npm key order and flag trust-root refreshes Review follow-ups: sort the merged npm signing keys by keyid so a reordering of npm's response cannot churn the generated file or synthesize a spurious changeset, and leave an explicit warning comment on the release PR whenever embedded trust roots were refreshed, so a key change cannot slip through buried in a large version-bump diff.