All version checks now capture output and assert it matches a semver
pattern. Previously, a silently failing pnpm (exit 0, no output)
would pass the tests.
On Windows, npm's .bin shims can't properly execute the extensionless
native binaries from @pnpm/exe. Instead of trying to fix the shims,
add the @pnpm/exe directory directly to PATH where pnpm.exe lives.
The .cmd wrapper approach didn't work because CMD doesn't properly
wait for extensionless PE binaries. Instead, copy the actual .exe
(and .cmd for pnpx) from @pnpm/exe into .bin/ so PATHEXT finds
pnpm.exe directly, bypassing npm's broken node-wrapping shim.
npm creates .cmd wrappers that invoke bin entries through `node`,
but @pnpm/exe bins are native executables, not JavaScript files.
This causes pnpm commands to silently fail on Windows.
* feat: read pnpm version from devEngines.packageManager field
When no version is specified in the action config or the packageManager
field of package.json, fall back to devEngines.packageManager.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: skip self-update for devEngines.packageManager and add CI tests
pnpm auto-switches to the right version when devEngines.packageManager
is set, so self-update is unnecessary. This also enables range support
(e.g. ">=9.15.0") which self-update doesn't handle.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
When packageManager is set to e.g. "pnpm@9.1.0+sha...", strip the
"pnpm@" prefix and any "+sha..." hash suffix so the action installs
the correct version. Previously returning undefined caused failures
on Windows.
* feat!: replace bundled pnpm binary with npm + lockfile bootstrap
Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with
committed package-lock.json files (~5KB) to install a bootstrap pnpm,
which then installs the target version with integrity verification via
the project's pnpm-lock.yaml.
Also switch from ncc to esbuild and modernize to ESM.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: bundle as CJS to support @actions/* packages
The @actions/* packages use CJS require() for Node.js builtins,
which fails with "Dynamic require of 'os' is not supported" when
bundled as ESM. Switch esbuild output to CJS format.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove "type": "module" from package.json
Node.js treats dist/index.js as ESM due to "type": "module",
but the bundle uses CJS require() calls. Remove the field so
Node.js defaults to CJS for .js files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove packageManager field and fix Windows npm spawn
- Remove packageManager from package.json to avoid version conflict
when the action tests against itself (uses: ./)
- Use shell: true on Windows so spawn can find npm.cmd
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile
The bootstrap only needs regular pnpm to install the target package.
@pnpm/exe requires install scripts which we skip with --ignore-scripts.
Also regenerate pnpm-lock.yaml to match current package.json.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: use --no-lockfile for target install
--lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm
to use the project's pnpm-lock.yaml (which tracks project deps, not
pnpm itself), corrupting the install. Revert to --no-lockfile for now.
Lockfile-based integrity verification can be added when pnpm v11 has
proper support for verifying the pnpm package itself.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: run bootstrap pnpm via node instead of bin shim
Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching
the approach used by the old bundled pnpm.cjs. This avoids issues with
the .bin symlink on different platforms.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: use pnpm self-update instead of installing target separately
- Bootstrap pnpm via npm ci (verified by lockfile)
- Use `pnpm self-update <version>` for explicit version
- Let pnpm handle packageManager field automatically
- Remove standalone/exe-specific install logic (pnpm handles this)
- Update tests to not run pnpm install against the action repo itself
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: support standalone mode with @pnpm/exe bootstrap
- When standalone=true, bootstrap with @pnpm/exe via npm ci
- When standalone=false, bootstrap with pnpm via npm ci
- Both use pnpm self-update to reach the target version
- Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run
- Add standalone test back to CI
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* debug: add logging to diagnose pnpm not found on PATH
Log .bin directory contents after npm ci to understand why
pnpm binary is not found in subsequent CI steps.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: ensure pnpm bin link exists after npm ci
npm ci sometimes doesn't create the .bin/pnpm symlink for
@pnpm/exe (observed on Linux CI). Manually create the symlink
if it's missing after npm ci completes.
This fixes the case where standalone=true with no explicit version
(relying on packageManager field) — pnpm self-update wouldn't run,
leaving .bin empty and pnpm not found on PATH.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add PNPM_HOME/bin to PATH for pnpm v11
pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin.
Add the new bin subdirectory to PATH so that pnpm's global bin
directory check passes. This is backwards compatible — the extra
PATH entry is harmless for older pnpm versions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: add packages field to pnpm-workspace.yaml
pnpm v9 requires the packages field in pnpm-workspace.yaml.
Without it, `pnpm --version` fails with "packages field missing or empty".
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix pnpm-workspace.yaml
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* add pnpm store caching
* style: format
* no semicolons
* no star imports
* import order
* style: no star imports
---------
Co-authored-by: khai96_ <hvksmr1996@gmail.com>
* Clarify that package_json_file is relative to GITHUB_WORKSPACE
Clarify the description for package_json_file parameter to specify that the path must be relative to the repository root.
* Apply suggestion from @zkochan
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
When a project has both npm and pnpm, using pnpm/action-setup will result in an error: `Multiple versions of pnpm specified`.
The previous implementation was only meant to avoid the "ERR_PNPM_BAD_PM_VERSION" error, but it did not take into account the situation of multiple different package managers.
Signed-off-by: Kevin Cui <bh@bugs.cc>
* feat: add an option to install the self-contained binary version of pnpm
* test: add a test about nodejs_bundled
* style: remove an empty line
* chore: use newer pnpm
* chore: update dependencies
* feat: rename `nodejs_bundled` to `standalone`
as @zkochan suggested
* docs: add
---------
Co-authored-by: Takashi Sato <takashi@tks.st>
