src/install-pnpm/bootstrap/pnpm-lock.json

{
  "name": "bootstrap-pnpm",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "dependencies": {
        "pnpm": "latest"
      }
    },
    "node_modules/pnpm": {
      "version": "10.32.1",
      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-10.32.1.tgz",
      "integrity": "sha512-pwaTjw6JrBRWtlY+q07fHR+vM2jRGR/FxZeQ6W3JGORFarLmfWE94QQ9LoyB+HMD5rQNT/7KnfFe8a1Wc0jyvg==",
      "license": "MIT",
      "bin": {
        "pnpm": "bin/pnpm.cjs",
        "pnpx": "bin/pnpx.cjs"
      },
      "engines": {
        "node": ">=18.12"
      },
      "funding": {
        "url": "https://opencollective.com/pnpm"
      }
    }
  }
}
feat!: replace bundled pnpm binary with npm + lockfile bootstrap (#212) * feat!: replace bundled pnpm binary with npm + lockfile bootstrap Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with committed package-lock.json files (~5KB) to install a bootstrap pnpm, which then installs the target version with integrity verification via the project's pnpm-lock.yaml. Also switch from ncc to esbuild and modernize to ESM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: bundle as CJS to support @actions/* packages The @actions/* packages use CJS require() for Node.js builtins, which fails with "Dynamic require of 'os' is not supported" when bundled as ESM. Switch esbuild output to CJS format. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove "type": "module" from package.json Node.js treats dist/index.js as ESM due to "type": "module", but the bundle uses CJS require() calls. Remove the field so Node.js defaults to CJS for .js files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove packageManager field and fix Windows npm spawn - Remove packageManager from package.json to avoid version conflict when the action tests against itself (uses: ./) - Use shell: true on Windows so spawn can find npm.cmd Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile The bootstrap only needs regular pnpm to install the target package. @pnpm/exe requires install scripts which we skip with --ignore-scripts. Also regenerate pnpm-lock.yaml to match current package.json. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: use --no-lockfile for target install --lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm to use the project's pnpm-lock.yaml (which tracks project deps, not pnpm itself), corrupting the install. Revert to --no-lockfile for now. Lockfile-based integrity verification can be added when pnpm v11 has proper support for verifying the pnpm package itself. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: run bootstrap pnpm via node instead of bin shim Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching the approach used by the old bundled pnpm.cjs. This avoids issues with the .bin symlink on different platforms. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: use pnpm self-update instead of installing target separately - Bootstrap pnpm via npm ci (verified by lockfile) - Use `pnpm self-update <version>` for explicit version - Let pnpm handle packageManager field automatically - Remove standalone/exe-specific install logic (pnpm handles this) - Update tests to not run pnpm install against the action repo itself Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: support standalone mode with @pnpm/exe bootstrap - When standalone=true, bootstrap with @pnpm/exe via npm ci - When standalone=false, bootstrap with pnpm via npm ci - Both use pnpm self-update to reach the target version - Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run - Add standalone test back to CI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * debug: add logging to diagnose pnpm not found on PATH Log .bin directory contents after npm ci to understand why pnpm binary is not found in subsequent CI steps. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: ensure pnpm bin link exists after npm ci npm ci sometimes doesn't create the .bin/pnpm symlink for @pnpm/exe (observed on Linux CI). Manually create the symlink if it's missing after npm ci completes. This fixes the case where standalone=true with no explicit version (relying on packageManager field) — pnpm self-update wouldn't run, leaving .bin empty and pnpm not found on PATH. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add PNPM_HOME/bin to PATH for pnpm v11 pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin. Add the new bin subdirectory to PATH so that pnpm's global bin directory check passes. This is backwards compatible — the extra PATH entry is harmless for older pnpm versions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add packages field to pnpm-workspace.yaml pnpm v9 requires the packages field in pnpm-workspace.yaml. Without it, `pnpm --version` fails with "packages field missing or empty". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix pnpm-workspace.yaml --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 14:02:31 +01:00			`{`
			`"name": "bootstrap-pnpm",`
			`"lockfileVersion": 3,`
			`"requires": true,`
			`"packages": {`
			`"": {`
			`"dependencies": {`
			`"pnpm": "latest"`
			`}`
			`},`
			`"node_modules/pnpm": {`
			`"version": "10.32.1",`
			`"resolved": "https://registry.npmjs.org/pnpm/-/pnpm-10.32.1.tgz",`
			`"integrity": "sha512-pwaTjw6JrBRWtlY+q07fHR+vM2jRGR/FxZeQ6W3JGORFarLmfWE94QQ9LoyB+HMD5rQNT/7KnfFe8a1Wc0jyvg==",`
			`"license": "MIT",`
			`"bin": {`
			`"pnpm": "bin/pnpm.cjs",`
			`"pnpx": "bin/pnpx.cjs"`
			`},`
			`"engines": {`
			`"node": ">=18.12"`
			`},`
			`"funding": {`
			`"url": "https://opencollective.com/pnpm"`
			`}`
			`}`
			`}`
			`}`