feat!: replace bundled pnpm binary with npm + lockfile bootstrap (#212)

* feat!: replace bundled pnpm binary with npm + lockfile bootstrap

Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with
committed package-lock.json files (~5KB) to install a bootstrap pnpm,
which then installs the target version with integrity verification via
the project's pnpm-lock.yaml.

Also switch from ncc to esbuild and modernize to ESM.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: bundle as CJS to support @actions/* packages

The @actions/* packages use CJS require() for Node.js builtins,
which fails with "Dynamic require of 'os' is not supported" when
bundled as ESM. Switch esbuild output to CJS format.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove "type": "module" from package.json

Node.js treats dist/index.js as ESM due to "type": "module",
but the bundle uses CJS require() calls. Remove the field so
Node.js defaults to CJS for .js files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove packageManager field and fix Windows npm spawn

- Remove packageManager from package.json to avoid version conflict
  when the action tests against itself (uses: ./)
- Use shell: true on Windows so spawn can find npm.cmd

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile

The bootstrap only needs regular pnpm to install the target package.
@pnpm/exe requires install scripts which we skip with --ignore-scripts.
Also regenerate pnpm-lock.yaml to match current package.json.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use --no-lockfile for target install

--lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm
to use the project's pnpm-lock.yaml (which tracks project deps, not
pnpm itself), corrupting the install. Revert to --no-lockfile for now.
Lockfile-based integrity verification can be added when pnpm v11 has
proper support for verifying the pnpm package itself.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: run bootstrap pnpm via node instead of bin shim

Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching
the approach used by the old bundled pnpm.cjs. This avoids issues with
the .bin symlink on different platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: use pnpm self-update instead of installing target separately

- Bootstrap pnpm via npm ci (verified by lockfile)
- Use `pnpm self-update <version>` for explicit version
- Let pnpm handle packageManager field automatically
- Remove standalone/exe-specific install logic (pnpm handles this)
- Update tests to not run pnpm install against the action repo itself

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: support standalone mode with @pnpm/exe bootstrap

- When standalone=true, bootstrap with @pnpm/exe via npm ci
- When standalone=false, bootstrap with pnpm via npm ci
- Both use pnpm self-update to reach the target version
- Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run
- Add standalone test back to CI

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* debug: add logging to diagnose pnpm not found on PATH

Log .bin directory contents after npm ci to understand why
pnpm binary is not found in subsequent CI steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: ensure pnpm bin link exists after npm ci

npm ci sometimes doesn't create the .bin/pnpm symlink for
@pnpm/exe (observed on Linux CI). Manually create the symlink
if it's missing after npm ci completes.

This fixes the case where standalone=true with no explicit version
(relying on packageManager field) — pnpm self-update wouldn't run,
leaving .bin empty and pnpm not found on PATH.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add PNPM_HOME/bin to PATH for pnpm v11

pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin.
Add the new bin subdirectory to PATH so that pnpm's global bin
directory check passes. This is backwards compatible — the extra
PATH entry is harmless for older pnpm versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add packages field to pnpm-workspace.yaml

pnpm v9 requires the packages field in pnpm-workspace.yaml.
Without it, `pnpm --version` fails with "packages field missing or empty".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix pnpm-workspace.yaml

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

src/install-pnpm/bootstrap/exe-lock.json

@@ -0,0 +1,147 @@
+{
+  "name": "bootstrap-exe",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@pnpm/exe": "10.32.1"
+      }
+    },
+    "node_modules/@pnpm/exe": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-10.32.1.tgz",
+      "integrity": "sha512-baEtwHeZwmZAdBuuDDL6tbdGg5KpxhPxr3QFfYTGXvY6ws+Z1bN0mQ7ZjcaXBSC1HuLpVXnZ6NsBiaZ2DMv4vg==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      },
+      "optionalDependencies": {
+        "@pnpm/linux-arm64": "10.32.1",
+        "@pnpm/linux-x64": "10.32.1",
+        "@pnpm/macos-arm64": "10.32.1",
+        "@pnpm/macos-x64": "10.32.1",
+        "@pnpm/win-arm64": "10.32.1",
+        "@pnpm/win-x64": "10.32.1"
+      }
+    },
+    "node_modules/@pnpm/linux-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-10.32.1.tgz",
+      "integrity": "sha512-6uB0B+XvunQwHGzIMk2JCkl4Ur6BtM4XbJSwB/mgpWmXDoX/KTJmgx2lodcTjgJSGSySCHfIVuTR9sj/F2D4EA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linux-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-10.32.1.tgz",
+      "integrity": "sha512-AM2tv23Fg7h+nV+adqA/SkZKUysSIEetHfBwYFl8ArgdgkqbGoQy0rAOdKYQBb920CqfexXfI8OA8kPCzRxYng==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-10.32.1.tgz",
+      "integrity": "sha512-Zr4JkhRbtGVsYgbuGZO0dq/6FPOn072Pdo0ubmqWtc14cUATKgAJD7efG03yqr3MLgtwFHgdtUzZ1WsaYAtUTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-10.32.1.tgz",
+      "integrity": "sha512-Yk6q3oFDu//OniXJxfTSHo+aew1LX81FcbzJAtEkcCeTQ0SLbQT6J3QiOMNikp8n8IjNhsy+bn2bdkUxaw+akA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-10.32.1.tgz",
+      "integrity": "sha512-P8rsP5IUetpYjr2iwggoswL2qUukYrJoToXWuMyo8immn58CsYxaXsHVQ1Oq1R3XMfmGGWTXLsiJuQ7H991MRg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-10.32.1.tgz",
+      "integrity": "sha512-i24GwbtBO8ojrhp8WWimX7NgZs0UKH1171oRt6qcRL+a+FxE0Eggv2y0KP7ZI7F3+LZMarwr3tnYsZryfciUOg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -0,0 +1,28 @@
+{
+  "name": "bootstrap-pnpm",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "pnpm": "latest"
+      }
+    },
+    "node_modules/pnpm": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-10.32.1.tgz",
+      "integrity": "sha512-pwaTjw6JrBRWtlY+q07fHR+vM2jRGR/FxZeQ6W3JGORFarLmfWE94QQ9LoyB+HMD5rQNT/7KnfFe8a1Wc0jyvg==",
+      "license": "MIT",
+      "bin": {
+        "pnpm": "bin/pnpm.cjs",
+        "pnpx": "bin/pnpx.cjs"
+      },
+      "engines": {
+        "node": ">=18.12"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}

src/install-pnpm/run.ts

@@ -1,63 +1,76 @@
 import { addPath, exportVariable } from '@actions/core'
 import { spawn } from 'child_process'
-import { rm, writeFile, mkdir, copyFile } from 'fs/promises'
-import { readFileSync } from 'fs'
+import { rm, writeFile, mkdir, symlink } from 'fs/promises'
+import { readFileSync, existsSync } from 'fs'
 import path from 'path'
-import { execPath } from 'process'
 import util from 'util'
 import { Inputs } from '../inputs'
 import { parse as parseYaml } from 'yaml'
+import pnpmLock from './bootstrap/pnpm-lock.json'
+import exeLock from './bootstrap/exe-lock.json'
+
+const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
+const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
 export async function runSelfInstaller(inputs: Inputs): Promise<number> {
   const { version, dest, packageJsonFile, standalone } = inputs
-  const { GITHUB_WORKSPACE } = process.env
 
-  // prepare self install
+  // Install bootstrap pnpm via npm (integrity verified by committed lockfile)
   await rm(dest, { recursive: true, force: true })
-  // create dest directory after removal
   await mkdir(dest, { recursive: true })
-  const pkgJson = path.join(dest, 'package.json')
-  // we have ensured the dest directory exists, we can write the file directly
-  await writeFile(pkgJson, JSON.stringify({ private: true }))
 
-  // copy .npmrc if it exists to install from custom registry
-  if (GITHUB_WORKSPACE) {
-    try {
-      await copyFile(path.join(GITHUB_WORKSPACE, '.npmrc'), path.join(dest, '.npmrc'))
-    } catch (error) {
-      // Swallow error if .npmrc doesn't exist
-      if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
+  const lockfile = standalone ? exeLock : pnpmLock
+  const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
+  await writeFile(path.join(dest, 'package.json'), packageJson)
+  await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
+
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
+  if (npmExitCode !== 0) {
+    return npmExitCode
+  }
+
+  const pnpmHome = path.join(dest, 'node_modules', '.bin')
+  addPath(pnpmHome)
+  addPath(path.join(pnpmHome, 'bin'))
+  exportVariable('PNPM_HOME', pnpmHome)
+
+  // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
+  const pnpmBinLink = path.join(pnpmHome, 'pnpm')
+  if (!existsSync(pnpmBinLink)) {
+    await mkdir(pnpmHome, { recursive: true })
+    const target = standalone
+      ? path.join('..', '@pnpm', 'exe', 'pnpm')
+      : path.join('..', 'pnpm', 'bin', 'pnpm.cjs')
+    await symlink(target, pnpmBinLink)
+  }
+
+  const bootstrapPnpm = standalone
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm')
+    : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.cjs')
+
+  // Determine the target version
+  const targetVersion = readTargetVersion({ version, packageJsonFile })
+
+  if (targetVersion) {
+    const cmd = standalone ? bootstrapPnpm : process.execPath
+    const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+    const exitCode = await runCommand(cmd, args, { cwd: dest })
+    if (exitCode !== 0) {
+      return exitCode
     }
   }
 
-  // prepare target pnpm
-  const target = await readTarget({ version, packageJsonFile, standalone })
-  const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], {
-    cwd: dest,
-    stdio: ['pipe', 'inherit', 'inherit'],
-  })
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    cp.on('error', reject)
-    cp.on('close', resolve)
-  })
-  if (exitCode === 0) {
-    const pnpmHome = path.join(dest, 'node_modules/.bin')
-    addPath(pnpmHome)
-    exportVariable('PNPM_HOME', pnpmHome)
-  }
-  return exitCode
+  return 0
 }
 
-async function readTarget(opts: {
+function readTargetVersion(opts: {
   readonly version?: string | undefined
   readonly packageJsonFile: string
-  readonly standalone: boolean
-}) {
-  const { version, packageJsonFile, standalone } = opts
+}): string | undefined {
+  const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
 
-  let packageManager
+  let packageManager: unknown
 
   if (GITHUB_WORKSPACE) {
     try {
@@ -84,7 +97,12 @@ async function readTarget(opts: {
 Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`)
     }
 
-    return `${ standalone ? '@pnpm/exe' : 'pnpm' }@${version}`
+    return version
+  }
+
+  if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
+    // pnpm will handle version management via packageManager field
+    return undefined
   }
 
   if (!GITHUB_WORKSPACE) {
@@ -94,22 +112,22 @@ please run the actions/checkout before pnpm/action-setup.
 Otherwise, please specify the pnpm version in the action configuration.`)
   }
 
-  if (typeof packageManager !== 'string') {
-    throw new Error(`No pnpm version is specified.
+  throw new Error(`No pnpm version is specified.
 Please specify it by one of the following ways:
   - in the GitHub Action config with the key "version"
   - in the package.json with the key "packageManager"`)
-  }
+}
 
-  if (!packageManager.startsWith('pnpm@')) {
-    throw new Error('Invalid packageManager field in package.json')
-  }
-
-  if (standalone) {
-    return packageManager.replace('pnpm@', '@pnpm/exe@')
-  }
-
-  return packageManager
+function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const cp = spawn(cmd, args, {
+      cwd: opts.cwd,
+      stdio: ['pipe', 'inherit', 'inherit'],
+      shell: process.platform === 'win32',
+    })
+    cp.on('error', reject)
+    cp.on('close', resolve)
+  })
 }
 
 export default runSelfInstaller