mirror of
https://github.com/pnpm/action-setup.git
synced 2026-04-04 03:10:11 +08:00
feat!: replace bundled pnpm binary with npm + lockfile bootstrap (#212)
* feat!: replace bundled pnpm binary with npm + lockfile bootstrap Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with committed package-lock.json files (~5KB) to install a bootstrap pnpm, which then installs the target version with integrity verification via the project's pnpm-lock.yaml. Also switch from ncc to esbuild and modernize to ESM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: bundle as CJS to support @actions/* packages The @actions/* packages use CJS require() for Node.js builtins, which fails with "Dynamic require of 'os' is not supported" when bundled as ESM. Switch esbuild output to CJS format. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove "type": "module" from package.json Node.js treats dist/index.js as ESM due to "type": "module", but the bundle uses CJS require() calls. Remove the field so Node.js defaults to CJS for .js files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove packageManager field and fix Windows npm spawn - Remove packageManager from package.json to avoid version conflict when the action tests against itself (uses: ./) - Use shell: true on Windows so spawn can find npm.cmd Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile The bootstrap only needs regular pnpm to install the target package. @pnpm/exe requires install scripts which we skip with --ignore-scripts. Also regenerate pnpm-lock.yaml to match current package.json. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: use --no-lockfile for target install --lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm to use the project's pnpm-lock.yaml (which tracks project deps, not pnpm itself), corrupting the install. Revert to --no-lockfile for now. Lockfile-based integrity verification can be added when pnpm v11 has proper support for verifying the pnpm package itself. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: run bootstrap pnpm via node instead of bin shim Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching the approach used by the old bundled pnpm.cjs. This avoids issues with the .bin symlink on different platforms. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: use pnpm self-update instead of installing target separately - Bootstrap pnpm via npm ci (verified by lockfile) - Use `pnpm self-update <version>` for explicit version - Let pnpm handle packageManager field automatically - Remove standalone/exe-specific install logic (pnpm handles this) - Update tests to not run pnpm install against the action repo itself Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: support standalone mode with @pnpm/exe bootstrap - When standalone=true, bootstrap with @pnpm/exe via npm ci - When standalone=false, bootstrap with pnpm via npm ci - Both use pnpm self-update to reach the target version - Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run - Add standalone test back to CI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * debug: add logging to diagnose pnpm not found on PATH Log .bin directory contents after npm ci to understand why pnpm binary is not found in subsequent CI steps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: ensure pnpm bin link exists after npm ci npm ci sometimes doesn't create the .bin/pnpm symlink for @pnpm/exe (observed on Linux CI). Manually create the symlink if it's missing after npm ci completes. This fixes the case where standalone=true with no explicit version (relying on packageManager field) — pnpm self-update wouldn't run, leaving .bin empty and pnpm not found on PATH. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add PNPM_HOME/bin to PATH for pnpm v11 pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin. Add the new bin subdirectory to PATH so that pnpm's global bin directory check passes. This is backwards compatible — the extra PATH entry is harmless for older pnpm versions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add packages field to pnpm-workspace.yaml pnpm v9 requires the packages field in pnpm-workspace.yaml. Without it, `pnpm --version` fails with "packages field missing or empty". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix pnpm-workspace.yaml --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Zoltan Kochan
@@ -1,63 +1,76 @@
|
||||
import { addPath, exportVariable } from '@actions/core'
|
||||
import { spawn } from 'child_process'
|
||||
import { rm, writeFile, mkdir, copyFile } from 'fs/promises'
|
||||
import { readFileSync } from 'fs'
|
||||
import { rm, writeFile, mkdir, symlink } from 'fs/promises'
|
||||
import { readFileSync, existsSync } from 'fs'
|
||||
import path from 'path'
|
||||
import { execPath } from 'process'
|
||||
import util from 'util'
|
||||
import { Inputs } from '../inputs'
|
||||
import { parse as parseYaml } from 'yaml'
|
||||
import pnpmLock from './bootstrap/pnpm-lock.json'
|
||||
import exeLock from './bootstrap/exe-lock.json'
|
||||
|
||||
const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
|
||||
const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
|
||||
|
||||
export async function runSelfInstaller(inputs: Inputs): Promise<number> {
|
||||
const { version, dest, packageJsonFile, standalone } = inputs
|
||||
const { GITHUB_WORKSPACE } = process.env
|
||||
|
||||
// prepare self install
|
||||
// Install bootstrap pnpm via npm (integrity verified by committed lockfile)
|
||||
await rm(dest, { recursive: true, force: true })
|
||||
// create dest directory after removal
|
||||
await mkdir(dest, { recursive: true })
|
||||
const pkgJson = path.join(dest, 'package.json')
|
||||
// we have ensured the dest directory exists, we can write the file directly
|
||||
await writeFile(pkgJson, JSON.stringify({ private: true }))
|
||||
|
||||
// copy .npmrc if it exists to install from custom registry
|
||||
if (GITHUB_WORKSPACE) {
|
||||
try {
|
||||
await copyFile(path.join(GITHUB_WORKSPACE, '.npmrc'), path.join(dest, '.npmrc'))
|
||||
} catch (error) {
|
||||
// Swallow error if .npmrc doesn't exist
|
||||
if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
|
||||
const lockfile = standalone ? exeLock : pnpmLock
|
||||
const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
|
||||
await writeFile(path.join(dest, 'package.json'), packageJson)
|
||||
await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
|
||||
|
||||
const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
|
||||
if (npmExitCode !== 0) {
|
||||
return npmExitCode
|
||||
}
|
||||
|
||||
const pnpmHome = path.join(dest, 'node_modules', '.bin')
|
||||
addPath(pnpmHome)
|
||||
addPath(path.join(pnpmHome, 'bin'))
|
||||
exportVariable('PNPM_HOME', pnpmHome)
|
||||
|
||||
// Ensure pnpm bin link exists — npm ci sometimes doesn't create it
|
||||
const pnpmBinLink = path.join(pnpmHome, 'pnpm')
|
||||
if (!existsSync(pnpmBinLink)) {
|
||||
await mkdir(pnpmHome, { recursive: true })
|
||||
const target = standalone
|
||||
? path.join('..', '@pnpm', 'exe', 'pnpm')
|
||||
: path.join('..', 'pnpm', 'bin', 'pnpm.cjs')
|
||||
await symlink(target, pnpmBinLink)
|
||||
}
|
||||
|
||||
const bootstrapPnpm = standalone
|
||||
? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm')
|
||||
: path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.cjs')
|
||||
|
||||
// Determine the target version
|
||||
const targetVersion = readTargetVersion({ version, packageJsonFile })
|
||||
|
||||
if (targetVersion) {
|
||||
const cmd = standalone ? bootstrapPnpm : process.execPath
|
||||
const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
|
||||
const exitCode = await runCommand(cmd, args, { cwd: dest })
|
||||
if (exitCode !== 0) {
|
||||
return exitCode
|
||||
}
|
||||
}
|
||||
|
||||
// prepare target pnpm
|
||||
const target = await readTarget({ version, packageJsonFile, standalone })
|
||||
const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], {
|
||||
cwd: dest,
|
||||
stdio: ['pipe', 'inherit', 'inherit'],
|
||||
})
|
||||
|
||||
const exitCode = await new Promise<number>((resolve, reject) => {
|
||||
cp.on('error', reject)
|
||||
cp.on('close', resolve)
|
||||
})
|
||||
if (exitCode === 0) {
|
||||
const pnpmHome = path.join(dest, 'node_modules/.bin')
|
||||
addPath(pnpmHome)
|
||||
exportVariable('PNPM_HOME', pnpmHome)
|
||||
}
|
||||
return exitCode
|
||||
return 0
|
||||
}
|
||||
|
||||
async function readTarget(opts: {
|
||||
function readTargetVersion(opts: {
|
||||
readonly version?: string | undefined
|
||||
readonly packageJsonFile: string
|
||||
readonly standalone: boolean
|
||||
}) {
|
||||
const { version, packageJsonFile, standalone } = opts
|
||||
}): string | undefined {
|
||||
const { version, packageJsonFile } = opts
|
||||
const { GITHUB_WORKSPACE } = process.env
|
||||
|
||||
let packageManager
|
||||
let packageManager: unknown
|
||||
|
||||
if (GITHUB_WORKSPACE) {
|
||||
try {
|
||||
@@ -84,7 +97,12 @@ async function readTarget(opts: {
|
||||
Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`)
|
||||
}
|
||||
|
||||
return `${ standalone ? '@pnpm/exe' : 'pnpm' }@${version}`
|
||||
return version
|
||||
}
|
||||
|
||||
if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
|
||||
// pnpm will handle version management via packageManager field
|
||||
return undefined
|
||||
}
|
||||
|
||||
if (!GITHUB_WORKSPACE) {
|
||||
@@ -94,22 +112,22 @@ please run the actions/checkout before pnpm/action-setup.
|
||||
Otherwise, please specify the pnpm version in the action configuration.`)
|
||||
}
|
||||
|
||||
if (typeof packageManager !== 'string') {
|
||||
throw new Error(`No pnpm version is specified.
|
||||
throw new Error(`No pnpm version is specified.
|
||||
Please specify it by one of the following ways:
|
||||
- in the GitHub Action config with the key "version"
|
||||
- in the package.json with the key "packageManager"`)
|
||||
}
|
||||
}
|
||||
|
||||
if (!packageManager.startsWith('pnpm@')) {
|
||||
throw new Error('Invalid packageManager field in package.json')
|
||||
}
|
||||
|
||||
if (standalone) {
|
||||
return packageManager.replace('pnpm@', '@pnpm/exe@')
|
||||
}
|
||||
|
||||
return packageManager
|
||||
function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
|
||||
return new Promise<number>((resolve, reject) => {
|
||||
const cp = spawn(cmd, args, {
|
||||
cwd: opts.cwd,
|
||||
stdio: ['pipe', 'inherit', 'inherit'],
|
||||
shell: process.platform === 'win32',
|
||||
})
|
||||
cp.on('error', reject)
|
||||
cp.on('close', resolve)
|
||||
})
|
||||
}
|
||||
|
||||
export default runSelfInstaller
|
||||
|
||||
Reference in New Issue
Block a user