fix: drop patchPnpmEnv so standalone+self-update works on Windows

`patchPnpmEnv` prepended `dest/node_modules/.bin` to PATH before
spawning `pnpm install` / `pnpm store prune`. On Windows in standalone
mode, `.bin/pnpm.cmd` is an npm-created shim that always points at the
BOOTSTRAP pnpm (currently 11.0.4) — the binary npm linked when it
installed `@pnpm/exe` into `node_modules`. The self-updated pnpm
written by `pnpm self-update` lives at `$PNPM_HOME/bin`, which is
separately added to PATH via `addPath()` in install-pnpm.

When the user requested a pnpm version different from the bootstrap
under `standalone: true` on Windows, patchPnpmEnv's `.bin` entry
shadowed the self-updated `$PNPM_HOME/bin` and the action's internal
`pnpm install` ran on the bootstrap. On a pnpm 11.0.x bootstrap this
broke any 11.1+ install flag (e.g. `--no-runtime`), reporting:

    ERROR  Unknown option: 'runtime'

POSIX standalone got lucky because `.bin` and `$PNPM_HOME` resolve to
the same directory there. Non-standalone never tripped on this since
the `.bin/pnpm` symlink for a regular `pnpm` package keeps working
across self-updates.

Removed `patchPnpmEnv` and the now-empty `src/utils/` module.
`spawnSync` now inherits `process.env`, whose PATH is already
correctly fronted by `$PNPM_HOME/bin` and `$PNPM_HOME` via the
`addPath` calls in install-pnpm.

Added `standalone_windows_self_update` to test.yaml as a regression
guard: standalone on Windows + target 11.1.0 + `run_install` with
`--no-runtime`. With the previous code, the install would have run
under the bootstrap (11.0.4) and errored on the unknown flag.

Originally found while building pnpm/setup (the new combined
pnpm + runtime action).

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @zkochan

.github/workflows/pr-check.yaml

@@ -0,0 +1,28 @@
+name: pr-check
+
+on: [ pull_request ]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          run_install: true
+          version: 9
+
+      - name: Update dist/index.js
+        run: pnpm run build
+
+      - name: Check for uncommitted changes in dist
+        run: git diff --exit-code dist/index.js

.github/workflows/test.yaml

@@ -1,147 +1,306 @@
 name: Test Action
 
 on:
-  - push
-  - pull_request
-  - workflow_dispatch
+  pull_request:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
 
 jobs:
-  test_default_inputs:
-    name: Test with default inputs
+  smoke:
+    # Cross-OS coverage. Exercises the bootstrap install + PATH on each platform,
+    # the version-respects-request regression (#225 / #230 — Windows PATH shadow),
+    # and the bin_dest output regression (#247). Multi-version coverage on Linux
+    # so we don't pay 3x for major-version differences.
+    name: 'Smoke (${{ matrix.name }})'
 
     runs-on: ${{ matrix.os }}
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
-          - 4.11.1
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
+        include:
+          - name: 'ubuntu / v9.15.5'
+            os: ubuntu-latest
+            version: '9.15.5'
+          - name: 'ubuntu / v10.33.0'
+            os: ubuntu-latest
+            version: '10.33.0'
+          - name: 'ubuntu / v9.15.5 / custom-dest'
+            os: ubuntu-latest
+            version: '9.15.5'
+            dest: '~/test/pnpm'
+          - name: 'macos / v9.15.5'
+            os: macos-latest
+            version: '9.15.5'
+          - name: 'windows / v9.15.5'
+            os: windows-latest
+            version: '9.15.5'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - id: pnpm
+        name: Run the action
+        uses: ./
+        with:
+          version: ${{ matrix.version }}
+          dest: ${{ matrix.dest || '~/setup-pnpm' }}
+
+      - name: 'Test: pnpm/pnpx on PATH report the requested version (incl. via bin_dest)'
+        # Pass paths via env, not template interpolation, so Windows
+        # backslashes in `bin_dest` aren't eaten by bash's escape handling.
+        env:
+          BIN_DEST: ${{ steps.pnpm.outputs.bin_dest }}
+          REQUIRED: ${{ matrix.version }}
+        run: |
+          set -e
+          which pnpm
+          which pnpx
+          actual="$(pnpm --version)"
+          echo "pnpm --version: ${actual}"
+          if [ "${actual}" != "${REQUIRED}" ]; then
+            echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+            exit 1
+          fi
+          bin_dest_version="$("$BIN_DEST/pnpm" --version)"
+          echo "bin_dest pnpm --version: ${bin_dest_version}"
+          if [ "${bin_dest_version}" != "${REQUIRED}" ]; then
+            echo "Expected ${REQUIRED} via bin_dest, but got ${bin_dest_version}"
+            exit 1
+          fi
+        shell: bash
+
+      - name: 'Test: install in a fresh project'
+        run: |
+          mkdir /tmp/test-project
+          cd /tmp/test-project
+          pnpm init
+          pnpm add is-odd
+        shell: bash
+
+  manifest_pin:
+    # Folds the old test_package_manager_field, test_dev_engines, and
+    # test_dev_engines_on_fail_error jobs. The action's manifest handling is
+    # OS-independent, so ubuntu-only is sufficient.
+    name: 'Manifest pin: ${{ matrix.label }}'
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: 'packageManager pnpm@9.15.5 (#227)'
+            manifest: '{"packageManager":"pnpm@9.15.5"}'
+            version: '9.15.5'
+          - label: 'packageManager pnpm@10.33.0'
+            manifest: '{"packageManager":"pnpm@10.33.0"}'
+            version: '10.33.0'
+          - label: 'devEngines onFail=download, exact'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"download"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=download, range'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"download"}}}'
+            version: '>=9.15.0'
+          - label: 'devEngines onFail=error, exact (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=error, range (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"error"}}}'
+            version: '>=9.15.0'
+          - label: 'explicit version: pnpm_config_pm_on_fail not exported'
+            # Regression guard for the af8e203 scope fix: when the user passes an
+            # explicit `version:` input, the action must NOT export
+            # pnpm_config_pm_on_fail=download, so the user's strict onFail policy
+            # is preserved. Asserted directly on the env var rather than pnpm
+            # runtime behavior — different pnpm majors read devEngines
+            # differently (v10 ignores it, v11+ honors it).
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            explicit_version: '10.33.0'
+            expect_pm_on_fail_unset: true
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up package.json
+        run: echo '${{ matrix.manifest }}' > package.json
+        shell: bash
 
       - name: Run the action
         uses: ./
         with:
-          version: 4.11.1
+          version: ${{ matrix.explicit_version }}
 
-      - name: 'Test: which'
-        run: which pnpm; which pnpx
+      - name: 'Test: pnpm reports the pinned version'
+        if: ${{ !matrix.expect_pm_on_fail_unset }}
+        env:
+          REQUIRED: ${{ matrix.version }}
+        run: |
+          set -e
+          actual="$(pnpm --version)"
+          echo "pnpm version: ${actual}"
+          if [ "${REQUIRED}" = ">=9.15.0" ]; then
+            min="9.15.0"
+            if [ "$(printf '%s\n' "${min}" "${actual}" | sort -V | head -n1)" != "${min}" ]; then
+              echo "Expected pnpm version >= ${min}, but got ${actual}"
+              exit 1
+            fi
+          else
+            if [ "${actual}" != "${REQUIRED}" ]; then
+              echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+              exit 1
+            fi
+          fi
+        shell: bash
 
-      - name: 'Test: install'
-        run: pnpm install
-
-  test_dest:
-    name: Test with dest
-
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        pnpm:
-          - 4.11.1
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Run the action
-        uses: ./
-        with:
-          version: 4.11.1
-          dest: ~/test/pnpm
-
-      - name: 'Test: which'
-        run: which pnpm && which pnpx
-
-      - name: 'Test: install'
-        run: pnpm install
-
-  test_standalone:
-    name: Test with standalone
-
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
+      - name: 'Test: pnpm_config_pm_on_fail not exported (explicit version preserves strict policy)'
+        if: ${{ matrix.expect_pm_on_fail_unset }}
+        run: |
+          if [ -n "${pnpm_config_pm_on_fail:-}" ]; then
+            echo "Expected pnpm_config_pm_on_fail to be unset, but got: '${pnpm_config_pm_on_fail}'"
+            exit 1
+          fi
+          echo "pnpm_config_pm_on_fail is unset, as expected"
+        shell: bash
 
   standalone:
-          - true
-          - false
+    name: Standalone mode
+
+    runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
         with:
-          version: 7.0.0
-          standalone: ${{ matrix.standalone }}
+          version: 9.15.0
+          standalone: true
 
-      - name: install Node.js
-        uses: actions/setup-node@v4
-        with:
-          # pnpm@7.0.0 is not compatible with Node.js 12
-          node-version: 12.22.12
-
-      - name: 'Test: which (pnpm)'
-        run: which pnpm
-
-      - name: 'Test: which (pnpx)'
-        if: matrix.standalone == false
-        run: which pnpx
-
-      - name: 'Test: install when standalone is true'
-        if: matrix.standalone
-        run: pnpm install
-
-      - name: 'Test: install when standalone is false'
-        if: matrix.standalone == false
-        # Since the default shell on windows runner is pwsh, we specify bash explicitly
-        shell: bash
+      - name: 'Test: pnpm works'
         run: |
-          if pnpm install; then
-            echo "pnpm install should fail"
+          set -e
+          which pnpm
+          actual="$(pnpm --version)"
+          if [ "${actual}" != "9.15.0" ]; then
+            echo "Expected 9.15.0, got ${actual}"
             exit 1
-          else
-            echo "pnpm install failed as expected"
           fi
+          mkdir /tmp/test-standalone
+          cd /tmp/test-standalone
+          pnpm init
+          pnpm add is-odd
+        shell: bash
 
-  test_run_install:
-    name: 'Test with run_install (${{ matrix.run_install.name }}, ${{ matrix.os }})'
+  standalone_windows_self_update:
+    # Regression guard for the patchPnpmEnv PATH-shadow bug. When
+    # standalone: true on Windows AND the requested pnpm differs from the
+    # bootstrap, the previous patchPnpmEnv prepended node_modules/.bin to
+    # PATH; that directory contains an npm-created pnpm.cmd shim pointing
+    # at the BOOTSTRAP pnpm, which shadowed the self-updated pnpm at
+    # $PNPM_HOME/bin and caused `pnpm install` inside the action to run
+    # under the bootstrap version. Exercising a newer-pnpm-only flag
+    # (`--no-runtime`, added in 11.1.0) makes the regression assertable:
+    # if the bootstrap (11.0.4) handles the install, it errors with
+    # "Unknown option: 'runtime'".
+    name: 'Standalone Windows self-update (PATH regression)'
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-    runs-on: ${{ matrix.os }}
+      - name: Set up package.json with a minimal manifest
+        # run_install needs a manifest to install against. Removing the
+        # repo's existing pnpm-lock.yaml avoids frozen-lockfile mismatch.
+        run: |
+          rm -f pnpm-lock.yaml
+          echo '{"name":"sw","private":true,"packageManager":"pnpm@11.1.0"}' > package.json
+        shell: bash
+
+      - name: Run the action
+        uses: ./
+        with:
+          version: 11.1.0
+          standalone: true
+          run_install: |
+            args: ['--no-runtime']
+
+      - name: 'Test: pnpm install completed under the self-updated pnpm'
+        # If the bug recurs, the previous step's run_install will have failed
+        # the job with "Unknown option: 'runtime'", so reaching this step
+        # implies success. Still verify the version on PATH matches request.
+        env:
+          REQUIRED: '11.1.0'
+        run: |
+          set -e
+          actual="$(pnpm --version)"
+          echo "pnpm --version: ${actual}"
+          if [ "${actual}" != "${REQUIRED}" ]; then
+            echo "Expected pnpm ${REQUIRED}, got ${actual}"
+            exit 1
+          fi
+        shell: bash
+
+  cache_store_path:
+    # Regression guard for #233. When package.json pins a pnpm major that
+    # differs from the bootstrap pnpm's major, the bootstrap reports its
+    # own STORE_VERSION from `pnpm store path` (the `store` command skips
+    # pnpm's auto-switch). The user's actual `pnpm install` runs under the
+    # pinned version and writes to a different STORE_VERSION, so the post
+    # step's saveCache then fails with "Path Validation Error". The fix is
+    # to self-update the bootstrap to the pinned version up front.
+    name: 'Cache store path matches install (#233): ${{ matrix.label }}'
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: 'packageManager pnpm@10.33.0'
+            manifest: '{"packageManager":"pnpm@10.33.0","dependencies":{"is-odd":"3.0.1"}}'
+          - label: 'devEngines exact pnpm@10.33.0'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"10.33.0"}},"dependencies":{"is-odd":"3.0.1"}}'
+          - label: 'devEngines range >=10 <11'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=10 <11"}},"dependencies":{"is-odd":"3.0.1"}}'
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up package.json
+        run: echo '${{ matrix.manifest }}' > package.json
+        shell: bash
+
+      - id: pnpm
+        uses: ./
+        with:
+          cache: true
+          run_install: |
+            - args: [--no-frozen-lockfile]
+
+      - name: 'Test: store path computed by the action exists on disk'
+        run: |
+          set -e
+          actual="$(pnpm store path --silent)"
+          echo "pnpm store path: ${actual}"
+          if [ ! -d "${actual}" ]; then
+            echo "Expected store path to exist on disk; cache save would fail"
+            exit 1
+          fi
+        shell: bash
+
+  run_install:
+    name: 'run_install (${{ matrix.run_install.name }})'
+
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
-          - 4.11.1
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
         run_install:
           - name: 'null'
             value: 'null'
-          - name: 'empty object'
-            value: '{}'
-          - name: 'recursive'
-            value: |
-              recursive: true
           - name: 'global'
             value: |
               args:
@@ -149,29 +308,24 @@ jobs:
                 - --global-dir=./pnpm-global
                 - npm
                 - yarn
-                - pnpm
-          - name: 'array'
-            value: |
-              - {}
-              - recursive: true
-              - args:
-                - --global
-                - --global-dir=./pnpm-global
-                - npm
-                - yarn
-                - pnpm
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
         with:
-          version: 4.11.1
+          version: 9.15.5
           run_install: ${{ matrix.run_install.value }}
 
-      - name: 'Test: which'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: install'
-        run: pnpm install
+      - name: 'Test: pnpm works'
+        run: |
+          set -e
+          which pnpm
+          which pnpx
+          actual="$(pnpm --version)"
+          if [ "${actual}" != "9.15.5" ]; then
+            echo "Expected 9.15.5, got ${actual}"
+            exit 1
+          fi
+        shell: bash

.gitignore

@@ -2,8 +2,6 @@ node_modules
 *.log
 /dist/*
 !/dist/index.js
-!/dist/pnpm.cjs
-!/dist/worker.js
 tmp
 temp
 *.tmp
@@ -11,3 +9,4 @@ temp
 tmp.*
 temp.*
 .pnpm-store
+.claude

README.md

@@ -1,3 +1,7 @@
+> ## :warning: Upgrade from v2!
+>
+> The v2 version of this action [has stopped working](https://github.com/pnpm/action-setup/issues/135) with newer Node.js versions. Please, upgrade to the latest version to fix any issues.
+
 # Setup pnpm
 
 Install pnpm package manager.
@@ -10,7 +14,7 @@ Version of pnpm to install.
 
 **Optional** when there is a [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html).
 
-otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `6.24.1`), or a version range (such as `6`, `6.x.x`, `6.24.x`, `^6.24.1`, `*`, etc.), or `latest`.
+otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `10.9.8`), or a version range (such as `10`, `10.x.x`, `10.9.x`, `^10.9.8`, `*`, etc.), or `latest`.
 
 ### `dest`
 
@@ -36,11 +40,19 @@ If `run_install` is a YAML string representation of either an object or an array
 
 #### `run_install.args`
 
-**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--frozen-lockfile, --strict-peer-dependencies]`.
+**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--ignore-scripts, --strict-peer-dependencies]`.
+
+### `cache`
+
+**Optional** (_type:_ `boolean`, _default:_ `false`) Whether to cache the pnpm store directory.
+
+### `cache_dependency_path`
+
+**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
 
 ### `package_json_file`
 
-**Optional** (_type:_ `string`, _default:_ `package.json`) File path to the `package.json` to read "packageManager" configuration.
+**Optional** (_type:_ `string`, _default:_ `package.json`) File path to the `package.json`/[`package.yaml`](https://github.com/pnpm/pnpm/pull/1799) to read "packageManager" configuration.
 
 ### `standalone`
 
@@ -60,7 +72,9 @@ Location of `pnpm` and `pnpx` command.
 
 ## Usage example
 
-### Just install pnpm
+### Install only pnpm without `packageManager`
+
+This works when the repo either doesn't have a `package.json` or has a `package.json` but it doesn't specify `packageManager`.
 
 ```yaml
 on:
@@ -72,9 +86,26 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v6
         with:
-          version: 8
+          version: 10
+```
+
+###  Install only pnpm with `packageManager`
+
+Omit `version` input to use the version in the [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html).
+
+```yaml
+on:
+  - push
+  - pull_request
+
+jobs:
+  install:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: pnpm/action-setup@v6
 ```
 
 ### Install pnpm and a few npm packages
@@ -89,14 +120,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v6
         with:
-          version: 8
+          version: 10
           run_install: |
             - recursive: true
-              args: [--frozen-lockfile, --strict-peer-dependencies]
+              args: [--strict-peer-dependencies]
             - args: [--global, gulp, prettier, typescript]
 ```
 
@@ -113,31 +144,13 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
-      - name: Install Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-
-      - uses: pnpm/action-setup@v3
+      - uses: pnpm/action-setup@v6
         name: Install pnpm
         with:
-          version: 8
-          run_install: false
-
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - uses: actions/cache@v4
-        name: Setup pnpm cache
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          version: 10
+          cache: true
 
       - name: Install dependencies
         run: pnpm install

action.yml

@@ -15,15 +15,28 @@ inputs:
     description: If specified, run `pnpm install`
     required: false
     default: 'null'
+  cache:
+    description: Whether to cache the pnpm store directory
+    required: false
+    default: 'false'
+  cache_dependency_path:
+    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
+    required: false
+    default: 'pnpm-lock.yaml'
   package_json_file:
-    description: File path to the package.json to read "packageManager" configuration
+    description: File path to the package.json to read "packageManager" configuration. This path must be relative to the repository root (GITHUB_WORKSPACE).
     required: false
     default: 'package.json'
   standalone:
     description: When set to true, @pnpm/exe, which is a Node.js bundled package, will be installed, enabling using pnpm without Node.js.
     required: false
     default: 'false'
+outputs:
+  dest:
+    description: Expanded path of inputs#dest
+  bin_dest:
+    description: Location of `pnpm` and `pnpx` command
 runs:
-  using: node20
+  using: node24
   main: dist/index.js
   post: dist/index.js

package.json

@@ -1,25 +1,24 @@
 {
   "private": true,
   "scripts": {
-    "build:ncc": "ncc build --minify --no-source-map-register --no-cache dist/tsc/index.js --out dist/",
-    "build": "tsc && pnpm run build:ncc",
+    "build:bundle": "esbuild src/index.ts --bundle --platform=node --target=node24 --format=cjs --minify --outfile=dist/index.js --loader:.json=json",
+    "build": "pnpm run build:bundle",
     "start": "pnpm run build && sh ./run.sh",
-    "update-pnpm-dist": "pnpm install && cp ./node_modules/pnpm/dist/pnpm.cjs ./dist/pnpm.cjs && cp ./node_modules/pnpm/dist/worker.js ./dist/worker.js"
+    "update-bootstrap": "node scripts/update-bootstrap.mjs"
   },
   "dependencies": {
+    "@actions/cache": "^4.1.0",
     "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "@actions/glob": "^0.5.0",
     "@types/expand-tilde": "^2.0.2",
-    "@types/fs-extra": "^11.0.4",
-    "@types/node": "^20.11.5",
-    "@types/node-fetch": "^2.6.11",
+    "@types/node": "^22.0.0",
     "expand-tilde": "^2.0.2",
-    "fs-extra": "^11.2.0",
     "yaml": "^2.3.4",
     "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@vercel/ncc": "^0.38.1",
-    "pnpm": "^8.14.3",
+    "esbuild": "^0.27.4",
     "typescript": "^5.3.3"
   }
 }

pnpm-workspace.yaml

@@ -0,0 +1,4 @@
+packages:
+  - '.'
+allowBuilds:
+  esbuild: true

scripts/update-bootstrap.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+// Usage: node scripts/update-bootstrap.mjs [version]
+// If version is omitted, fetches the latest next-11 tag from npm.
+// Regenerates the bootstrap lockfiles used by action-setup to install pnpm via npm.
+
+import { execSync } from 'child_process'
+import { mkdtempSync, rmSync, readFileSync, writeFileSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+
+const BOOTSTRAP_DIR = new URL('../src/install-pnpm/bootstrap/', import.meta.url).pathname
+
+const version = process.argv[2] || resolveLatestVersion()
+
+console.log(`Updating bootstrap lockfiles to pnpm@${version} ...`)
+
+generateLock('pnpm-lock.json', { pnpm: version }, 'bootstrap-pnpm')
+generateLock('exe-lock.json', { '@pnpm/exe': version }, 'bootstrap-exe')
+
+console.log('Done!')
+
+function resolveLatestVersion() {
+  const json = execSync('npm view @pnpm/exe dist-tags --json', { encoding: 'utf8' })
+  const tags = JSON.parse(json)
+  const version = tags['next-11'] || tags['latest']
+  if (!version) {
+    console.error('Could not determine latest pnpm version from npm dist-tags')
+    process.exit(1)
+  }
+  return version
+}
+
+function generateLock(filename, dependencies, name) {
+  const tmp = mkdtempSync(join(tmpdir(), 'pnpm-bootstrap-'))
+  try {
+    writeFileSync(join(tmp, 'package.json'), JSON.stringify({ private: true, dependencies }))
+    execSync('npm install --package-lock-only --ignore-scripts', { cwd: tmp, stdio: 'pipe' })
+    const lock = readFileSync(join(tmp, 'package-lock.json'), 'utf8')
+    const parsed = JSON.parse(lock)
+    parsed.name = name
+    writeFileSync(join(BOOTSTRAP_DIR, filename), JSON.stringify(parsed, null, 2) + '\n')
+    console.log(`  ${filename} -> ${Object.values(dependencies)[0]}@${version}`)
+  } finally {
+    rmSync(tmp, { recursive: true, force: true })
+  }
+}

src/cache-restore/index.ts

@@ -0,0 +1,19 @@
+import { isFeatureAvailable } from '@actions/cache'
+import { endGroup, startGroup, warning } from '@actions/core'
+import { Inputs } from '../inputs'
+import { runRestoreCache } from './run'
+
+export async function restoreCache(inputs: Inputs) {
+  if (!inputs.cache) return
+
+  if (!isFeatureAvailable()) {
+    warning('Cache is not available, skipping cache restoration')
+    return
+  }
+
+  startGroup('Restoring cache...')
+  await runRestoreCache(inputs)
+  endGroup()
+}
+
+export default restoreCache

src/cache-restore/run.ts

@@ -0,0 +1,39 @@
+import { restoreCache } from '@actions/cache'
+import { debug, info, saveState, setOutput } from '@actions/core'
+import { getExecOutput } from '@actions/exec'
+import { hashFiles } from '@actions/glob'
+import os from 'os'
+import { Inputs } from '../inputs'
+
+export async function runRestoreCache(inputs: Inputs) {
+  const cachePath = await getCacheDirectory()
+  saveState('cache_path', cachePath)
+
+  const fileHash = await hashFiles(inputs.cacheDependencyPath)
+  if (!fileHash) {
+    throw new Error('Some specified paths were not resolved, unable to cache dependencies.')
+  }
+
+  const primaryKey = `pnpm-cache-${process.env.RUNNER_OS}-${os.arch()}-${fileHash}`
+  debug(`Primary key is ${primaryKey}`)
+  saveState('cache_primary_key', primaryKey)
+
+  let cacheKey = await restoreCache([cachePath], primaryKey)
+
+  setOutput('cache-hit', Boolean(cacheKey))
+
+  if (!cacheKey) {
+    info(`Cache is not found`)
+    return
+  }
+
+  saveState('cache_restored_key', cacheKey)
+  info(`Cache restored from key: ${cacheKey}`)
+}
+
+async function getCacheDirectory() {
+  const { stdout } = await getExecOutput('pnpm store path --silent')
+  const cacheFolderPath = stdout.trim()
+  debug(`Cache folder is set to "${cacheFolderPath}"`)
+  return cacheFolderPath
+}

src/cache-save/index.ts

@@ -0,0 +1,15 @@
+import { setFailed } from '@actions/core'
+import { Inputs } from '../inputs'
+import { runSaveCache } from './run'
+
+export async function saveCache(inputs: Inputs) {
+  if (!inputs.cache) return
+
+  try {
+    await runSaveCache()
+  } catch (error) {
+    setFailed((error as Error).message)
+  }
+}
+
+export default saveCache

src/cache-save/run.ts

@@ -0,0 +1,18 @@
+import { saveCache } from '@actions/cache'
+import { getState, info } from '@actions/core'
+
+export async function runSaveCache() {
+  const state = getState('cache_restored_key')
+  const primaryKey = getState('cache_primary_key')
+  const cachePath = getState('cache_path')
+
+  if (primaryKey === state) {
+    info(`Cache hit occurred on the primary key ${primaryKey}, not saving cache.`)
+    return
+  }
+
+  const cacheId = await saveCache([cachePath], primaryKey)
+  if (cacheId == -1) return
+
+  info(`Cache saved with the key: ${primaryKey}`)
+}

src/index.ts

@@ -1,21 +1,41 @@
 import { setFailed, saveState, getState } from '@actions/core'
-import getInputs from './inputs'
+import restoreCache from './cache-restore'
+import saveCache from './cache-save'
+import getInputs, { Inputs } from './inputs'
 import installPnpm from './install-pnpm'
 import setOutputs from './outputs'
 import pnpmInstall from './pnpm-install'
 import pruneStore from './pnpm-store-prune'
 
 async function main() {
+  if (getState('is_post') === 'true') {
+    await runPost()
+  } else {
+    await runMain()
+  }
+}
+
+async function runMain() {
   const inputs = getInputs()
-  const isPost = getState('is_post')
-  if (isPost === 'true') return pruneStore(inputs)
+  saveState('inputs', inputs)
   saveState('is_post', 'true')
-  await installPnpm(inputs)
+
+  const binDest = await installPnpm(inputs)
+  if (binDest === undefined) return
   console.log('Installation Completed!')
-  setOutputs(inputs)
+  setOutputs(inputs, binDest)
+
+  await restoreCache(inputs)
+
   pnpmInstall(inputs)
 }
 
+async function runPost() {
+  const inputs = JSON.parse(getState('inputs')) as Inputs
+  pruneStore(inputs)
+  await saveCache(inputs)
+}
+
 main().catch(error => {
   console.error(error)
   setFailed(error)

src/inputs/index.ts

@@ -5,6 +5,8 @@ import { RunInstall, parseRunInstall } from './run-install'
 export interface Inputs {
   readonly version?: string
   readonly dest: string
+  readonly cache: boolean
+  readonly cacheDependencyPath: string
   readonly runInstall: RunInstall[]
   readonly packageJsonFile: string
   readonly standalone: boolean
@@ -19,6 +21,8 @@ const parseInputPath = (name: string) => expandTilde(getInput(name, options))
 export const getInputs = (): Inputs => ({
   version: getInput('version'),
   dest: parseInputPath('dest'),
+  cache: getBooleanInput('cache'),
+  cacheDependencyPath: parseInputPath('cache_dependency_path'),
   runInstall: parseRunInstall('run_install'),
   packageJsonFile: parseInputPath('package_json_file'),
   standalone: getBooleanInput('standalone'),

src/inputs/run-install.ts

@@ -1,5 +1,5 @@
 import { getInput, error } from '@actions/core'
-import * as yaml from 'yaml'
+import { parse as parseYaml } from 'yaml'
 import { z, ZodError } from 'zod'
 
 const RunInstallSchema = z.object({
@@ -20,7 +20,7 @@ export type RunInstall = z.infer<typeof RunInstallSchema>
 
 export function parseRunInstall(inputName: string): RunInstall[] {
   const input = getInput(inputName, { required: true })
-  const parsedInput: unknown = yaml.parse(input)
+  const parsedInput: unknown = parseYaml(input)
 
   try {
     const result: RunInstallInput = RunInstallInputSchema.parse(parsedInput)

src/install-pnpm/bootstrap/exe-lock.json

@@ -0,0 +1,344 @@
+{
+  "name": "bootstrap-exe",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@pnpm/exe": "11.0.4"
+      }
+    },
+    "node_modules/@pnpm/exe": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
+      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "dependencies": {
+        "@reflink/reflink": "0.1.19",
+        "detect-libc": "^2.0.3"
+      },
+      "bin": {
+        "pn": "pn",
+        "pnpm": "pnpm",
+        "pnpx": "pnpx",
+        "pnx": "pnx"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      },
+      "optionalDependencies": {
+        "@pnpm/linux-arm64": "11.0.4",
+        "@pnpm/linux-x64": "11.0.4",
+        "@pnpm/linuxstatic-arm64": "11.0.4",
+        "@pnpm/linuxstatic-x64": "11.0.4",
+        "@pnpm/macos-arm64": "11.0.4",
+        "@pnpm/macos-x64": "11.0.4",
+        "@pnpm/win-arm64": "11.0.4",
+        "@pnpm/win-x64": "11.0.4"
+      }
+    },
+    "node_modules/@pnpm/linux-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
+      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linux-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
+      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linuxstatic-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
+      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linuxstatic-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
+      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
+      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
+      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
+      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
+      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@reflink/reflink": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink/-/reflink-0.1.19.tgz",
+      "integrity": "sha512-DmCG8GzysnCZ15bres3N5AHCmwBwYgp0As6xjhQ47rAUTUXxJiK+lLUxaGsX3hd/30qUpVElh05PbGuxRPgJwA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 10"
+      },
+      "optionalDependencies": {
+        "@reflink/reflink-darwin-arm64": "0.1.19",
+        "@reflink/reflink-darwin-x64": "0.1.19",
+        "@reflink/reflink-linux-arm64-gnu": "0.1.19",
+        "@reflink/reflink-linux-arm64-musl": "0.1.19",
+        "@reflink/reflink-linux-x64-gnu": "0.1.19",
+        "@reflink/reflink-linux-x64-musl": "0.1.19",
+        "@reflink/reflink-win32-arm64-msvc": "0.1.19",
+        "@reflink/reflink-win32-x64-msvc": "0.1.19"
+      }
+    },
+    "node_modules/@reflink/reflink-darwin-arm64": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-darwin-arm64/-/reflink-darwin-arm64-0.1.19.tgz",
+      "integrity": "sha512-ruy44Lpepdk1FqDz38vExBY/PVUsjxZA+chd9wozjUH9JjuDT/HEaQYA6wYN9mf041l0yLVar6BCZuWABJvHSA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-darwin-x64": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-darwin-x64/-/reflink-darwin-x64-0.1.19.tgz",
+      "integrity": "sha512-By85MSWrMZa+c26TcnAy8SDk0sTUkYlNnwknSchkhHpGXOtjNDUOxJE9oByBnGbeuIE1PiQsxDG3Ud+IVV9yuA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-linux-arm64-gnu": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-linux-arm64-gnu/-/reflink-linux-arm64-gnu-0.1.19.tgz",
+      "integrity": "sha512-7P+er8+rP9iNeN+bfmccM4hTAaLP6PQJPKWSA4iSk2bNvo6KU6RyPgYeHxXmzNKzPVRcypZQTpFgstHam6maVg==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-linux-arm64-musl": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-linux-arm64-musl/-/reflink-linux-arm64-musl-0.1.19.tgz",
+      "integrity": "sha512-37iO/Dp6m5DDaC2sf3zPtx/hl9FV3Xze4xoYidrxxS9bgP3S8ALroxRK6xBG/1TtfXKTvolvp+IjrUU6ujIGmA==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-linux-x64-gnu": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-linux-x64-gnu/-/reflink-linux-x64-gnu-0.1.19.tgz",
+      "integrity": "sha512-jbI8jvuYCaA3MVUdu8vLoLAFqC+iNMpiSuLbxlAgg7x3K5bsS8nOpTRnkLF7vISJ+rVR8W+7ThXlXlUQ93ulkw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "glibc"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-linux-x64-musl": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-linux-x64-musl/-/reflink-linux-x64-musl-0.1.19.tgz",
+      "integrity": "sha512-e9FBWDe+lv7QKAwtKOt6A2W/fyy/aEEfr0g6j/hWzvQcrzHCsz07BNQYlNOjTfeytrtLU7k449H1PI95jA4OjQ==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-win32-arm64-msvc": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-win32-arm64-msvc/-/reflink-win32-arm64-msvc-0.1.19.tgz",
+      "integrity": "sha512-09PxnVIQcd+UOn4WAW73WU6PXL7DwGS6wPlkMhMg2zlHHG65F3vHepOw06HFCq+N42qkaNAc8AKIabWvtk6cIQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/@reflink/reflink-win32-x64-msvc": {
+      "version": "0.1.19",
+      "resolved": "https://registry.npmjs.org/@reflink/reflink-win32-x64-msvc/-/reflink-win32-x64-msvc-0.1.19.tgz",
+      "integrity": "sha512-E//yT4ni2SyhwP8JRjVGWr3cbnhWDiPLgnQ66qqaanjjnMiu3O/2tjCPQXlcGc/DEYofpDc9fvhv6tALQsMV9w==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    }
+  }
+}

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -0,0 +1,30 @@
+{
+  "name": "bootstrap-pnpm",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "pnpm": "11.0.4"
+      }
+    },
+    "node_modules/pnpm": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
+      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
+      "license": "MIT",
+      "bin": {
+        "pn": "bin/pnpm.mjs",
+        "pnpm": "bin/pnpm.mjs",
+        "pnpx": "bin/pnpx.mjs",
+        "pnx": "bin/pnpx.mjs"
+      },
+      "engines": {
+        "node": ">=22.13"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}

src/install-pnpm/index.ts

@@ -4,13 +4,15 @@ import runSelfInstaller from './run'
 
 export { runSelfInstaller }
 
-export async function install(inputs: Inputs) {
+export async function install(inputs: Inputs): Promise<string | undefined> {
   startGroup('Running self-installer...')
-  const status = await runSelfInstaller(inputs)
+  const { exitCode, binDest } = await runSelfInstaller(inputs)
   endGroup()
-  if (status) {
-    return setFailed(`Something went wrong, self-installer exits with code ${status}`)
+  if (exitCode) {
+    setFailed(`Something went wrong, self-installer exits with code ${exitCode}`)
+    return undefined
   }
+  return binDest
 }
 
 export default install

src/install-pnpm/run.ts

@@ -1,72 +1,208 @@
 import { addPath, exportVariable } from '@actions/core'
 import { spawn } from 'child_process'
-import { remove, ensureFile, writeFile, readFile } from 'fs-extra'
+import { rm, writeFile, mkdir, symlink } from 'fs/promises'
+import { readFileSync, existsSync } from 'fs'
 import path from 'path'
-import { execPath } from 'process'
+import util from 'util'
 import { Inputs } from '../inputs'
+import { parse as parseYaml } from 'yaml'
+import pnpmLock from './bootstrap/pnpm-lock.json'
+import exeLock from './bootstrap/exe-lock.json'
 
-export async function runSelfInstaller(inputs: Inputs): Promise<number> {
-  const { version, dest, packageJsonFile, standalone } = inputs
+const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
+const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
-  // prepare self install
-  await remove(dest)
-  const pkgJson = path.join(dest, 'package.json')
-  await ensureFile(pkgJson)
-  await writeFile(pkgJson, JSON.stringify({ private: true }))
-
-  // prepare target pnpm
-  const target = await readTarget({ version, packageJsonFile, standalone })
-  const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], {
-    cwd: dest,
-    stdio: ['pipe', 'inherit', 'inherit'],
-  })
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    cp.on('error', reject)
-    cp.on('close', resolve)
-  })
-  if (exitCode === 0) {
-    const pnpmHome = path.join(dest, 'node_modules/.bin')
-    addPath(pnpmHome)
-    exportVariable('PNPM_HOME', pnpmHome)
-  }
-  return exitCode
+export interface SelfInstallerResult {
+  exitCode: number
+  binDest: string
 }
 
-async function readTarget(opts: {
+export async function runSelfInstaller(inputs: Inputs): Promise<SelfInstallerResult> {
+  const { version, dest, packageJsonFile } = inputs
+
+  // pnpm v11 requires Node >= 22.13; use standalone (exe) bootstrap which
+  // bundles its own Node.js when the system Node is too old
+  const systemNode = await getSystemNodeVersion()
+  const standalone = inputs.standalone || systemNode.major < 22 || (systemNode.major === 22 && systemNode.minor < 13)
+
+  // Install bootstrap pnpm via npm (integrity verified by committed lockfile)
+  await rm(dest, { recursive: true, force: true })
+  await mkdir(dest, { recursive: true })
+
+  const lockfile = standalone ? exeLock : pnpmLock
+  const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
+  await writeFile(path.join(dest, 'package.json'), packageJson)
+  await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
+
+  // Append the action's node directory to PATH so npm's
+  // `#!/usr/bin/env node` shebang resolves on runners (e.g. GHE
+  // self-hosted) where node isn't already on PATH. Append (not
+  // prepend) so a user-installed toolchain on PATH — e.g. from a
+  // prior `setup-node` step — keeps precedence; otherwise the
+  // runner-bundled node would shadow it and pair the user's npm
+  // with a mismatched node version. npm itself is resolved via
+  // PATH — on the GitHub Actions runner it is not co-located with
+  // `process.execPath`.
+  const nodeDir = path.dirname(process.execPath)
+  // On Windows, the PATH key casing varies; search case-insensitively.
+  const pathKey = Object.keys(process.env).find(k => k.toUpperCase() === 'PATH') ?? 'PATH'
+  const currentPath = process.env[pathKey]
+  const npmEnv = { ...process.env, [pathKey]: currentPath ? currentPath + path.delimiter + nodeDir : nodeDir }
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest, env: npmEnv })
+  if (npmExitCode !== 0) {
+    return { exitCode: npmExitCode, binDest: path.join(dest, 'node_modules', '.bin') }
+  }
+
+  // On Windows with standalone mode, npm's .bin shims can't properly
+  // execute the extensionless @pnpm/exe native binaries. Add the
+  // @pnpm/exe directory directly to PATH so pnpm.exe is found natively.
+  const pnpmHome = standalone && process.platform === 'win32'
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe')
+    : path.join(dest, 'node_modules', '.bin')
+  // PNPM_HOME/bin is where `pnpm self-update` places the target version
+  // binary. It must have higher PATH precedence than pnpmHome (which
+  // contains the bootstrap binary) so the self-updated version is found
+  // first. The bootstrap pnpm is invoked via absolute path, not PATH,
+  // so this ordering does not affect the bootstrap step.
+  addPath(pnpmHome)
+  addPath(path.join(pnpmHome, 'bin'))
+  exportVariable('PNPM_HOME', pnpmHome)
+
+  // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
+  if (process.platform !== 'win32') {
+    const pnpmBinLink = path.join(dest, 'node_modules', '.bin', 'pnpm')
+    if (!existsSync(pnpmBinLink)) {
+      await mkdir(path.join(dest, 'node_modules', '.bin'), { recursive: true })
+      const target = standalone
+        ? path.join('..', '@pnpm', 'exe', 'pnpm')
+        : path.join('..', 'pnpm', 'bin', 'pnpm.mjs')
+      await symlink(target, pnpmBinLink)
+    }
+  }
+
+  const bootstrapPnpm = standalone
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm')
+    : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs')
+
+  // Self-update the bootstrap to the requested pnpm version. readTargetVersion
+  // either returns a value or throws, so this always runs.
+  const targetVersion = readTargetVersion({ version, packageJsonFile })
+  const cmd = standalone ? bootstrapPnpm : process.execPath
+  const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+  const exitCode = await runCommand(cmd, args, { cwd: dest })
+  if (exitCode !== 0) {
+    return { exitCode, binDest: pnpmHome }
+  }
+  // self-update writes the target pnpm/pnpx into PNPM_HOME/bin, leaving
+  // the bootstrap symlinks in pnpmHome pointing at the old version. Use
+  // PNPM_HOME/bin so consumers of the bin_dest output (e.g.
+  // `${steps.pnpm.outputs.bin_dest}/pnpm`) invoke the requested version.
+  //
+  // When the requested version resolves to the bootstrap version, self-update
+  // is a no-op and PNPM_HOME/bin is not created — fall back to pnpmHome,
+  // whose symlinks already point at the right version.
+  const updatedBinDir = path.join(pnpmHome, 'bin')
+  return { exitCode: 0, binDest: existsSync(updatedBinDir) ? updatedBinDir : pnpmHome }
+}
+
+function readTargetVersion(opts: {
   readonly version?: string | undefined
   readonly packageJsonFile: string
-  readonly standalone: boolean
-}) {
-  const { version, packageJsonFile, standalone } = opts
-
-  if (version) return `${ standalone ? '@pnpm/exe' : 'pnpm' }@${version}`
-
+}): string {
+  const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
+
+  let packageManager: string | undefined
+  let devEngines: { packageManager?: { name?: string; version?: string } } | undefined
+
+  if (GITHUB_WORKSPACE) {
+    try {
+      const content = readFileSync(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8');
+      const manifest = packageJsonFile.endsWith(".yaml")
+        ? parseYaml(content, { merge: true })
+        : JSON.parse(content)
+      packageManager = manifest.packageManager
+      devEngines = manifest.devEngines
+    } catch (error: unknown) {
+      // Swallow error if package.json doesn't exist in root
+      if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
+    }
+  }
+
+  // packageManager is always exact `pnpm@<version>[+<integrity>]` per spec.
+  // Strip the integrity hash for self-update.
+  const packageManagerVersion =
+    typeof packageManager === 'string' && packageManager.startsWith('pnpm@')
+      ? packageManager.slice('pnpm@'.length).split('+')[0]
+      : undefined
+
+  if (version) {
+    if (packageManagerVersion && packageManagerVersion !== version) {
+      throw new Error(`Multiple versions of pnpm specified:
+  - version ${version} in the GitHub Action config with the key "version"
+  - version ${packageManager} in the package.json with the key "packageManager"
+Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`)
+    }
+
+    return version
+  }
+
+  // Self-update the bootstrap pnpm to the version pinned in package.json so
+  // PATH-resolved `pnpm` (and the bin_dest output) reflect the target
+  // version. Without this, `pnpm store path` runs as the bootstrap and
+  // reports a different STORE_VERSION than the one the user's actual
+  // install writes to — breaking cache: true and actions/setup-node's
+  // `cache: pnpm` on cold caches (issue #233).
+  //
+  // devEngines.packageManager takes priority over packageManager, matching
+  // pnpm's getWantedPackageManager logic. `pnpm self-update` accepts both
+  // exact versions and semver ranges, so we pass either through directly.
+  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
+    return devEngines.packageManager.version
+  }
+
+  if (packageManagerVersion) {
+    return packageManagerVersion
+  }
+
   if (!GITHUB_WORKSPACE) {
     throw new Error(`No workspace is found.
-If you're intended to let pnpm/action-setup read preferred pnpm version from the "packageManager" field in the package.json file,
+If you've intended to let pnpm/action-setup read preferred pnpm version from the "packageManager" field in the package.json file,
 please run the actions/checkout before pnpm/action-setup.
 Otherwise, please specify the pnpm version in the action configuration.`)
   }
 
-  const { packageManager } = JSON.parse(await readFile(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8'))
-  if (typeof packageManager !== 'string') {
   throw new Error(`No pnpm version is specified.
 Please specify it by one of the following ways:
   - in the GitHub Action config with the key "version"
-  - in the package.json with the key "packageManager"`)
-  }
+  - in the package.json with the key "packageManager"
+  - in the package.json with the key "devEngines.packageManager"`)
+}
 
-  if (!packageManager.startsWith('pnpm@')) {
-    throw new Error('Invalid packageManager field in package.json')
-  }
+function getSystemNodeVersion(): Promise<{ major: number; minor: number }> {
+  return new Promise((resolve) => {
+    const cp = spawn('node', ['--version'], { stdio: ['pipe', 'pipe', 'pipe'], shell: process.platform === 'win32' })
+    let output = ''
+    cp.stdout.on('data', (data: Buffer) => { output += data.toString() })
+    cp.on('close', () => {
+      const match = output.match(/^v(\d+)\.(\d+)/)
+      resolve(match ? { major: parseInt(match[1], 10), minor: parseInt(match[2], 10) } : { major: 0, minor: 0 })
+    })
+    cp.on('error', () => resolve({ major: 0, minor: 0 }))
+  })
+}
 
-  if(standalone){
-    return packageManager.replace('pnpm@', '@pnpm/exe@')
-  }
-
-  return packageManager
+function runCommand(cmd: string, args: string[], opts: { cwd: string; env?: Record<string, string | undefined> }): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const cp = spawn(cmd, args, {
+      cwd: opts.cwd,
+      env: opts.env,
+      stdio: ['pipe', 'inherit', 'inherit'],
+      shell: process.platform === 'win32',
+    })
+    cp.on('error', reject)
+    cp.on('close', resolve)
+  })
 }
 
 export default runSelfInstaller

src/outputs/index.ts

@@ -1,10 +1,9 @@
-import { setOutput, addPath } from '@actions/core'
+import { setOutput } from '@actions/core'
 import { Inputs } from '../inputs'
-import { getBinDest } from '../utils'
 
-export function setOutputs(inputs: Inputs) {
-  const binDest = getBinDest(inputs)
-  addPath(binDest)
+export function setOutputs(inputs: Inputs, binDest: string) {
+  // NOTE: addPath is already called in installPnpm — do not call it again
+  // here, as a second addPath would shadow the correct entry on Windows.
   setOutput('dest', inputs.dest)
   setOutput('bin_dest', binDest)
 }

src/pnpm-install/index.ts

@@ -1,11 +1,8 @@
 import { setFailed, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function runPnpmInstall(inputs: Inputs) {
-  const env = patchPnpmEnv(inputs)
-
   for (const options of inputs.runInstall) {
     const args = ['install']
     if (options.recursive) args.unshift('recursive')
@@ -14,11 +11,16 @@ export function runPnpmInstall(inputs: Inputs) {
     const cmdStr = ['pnpm', ...args].join(' ')
     startGroup(`Running ${cmdStr}...`)
 
+    // spawnSync inherits process.env, which already has $PNPM_HOME/bin and
+    // $PNPM_HOME prepended via addPath() in install-pnpm. Do NOT pass a
+    // hand-patched env that adds node_modules/.bin to the front — on
+    // Windows standalone, .bin/pnpm.cmd is an npm shim pointing at the
+    // BOOTSTRAP pnpm, which would shadow the self-updated one and break
+    // newer-pnpm-only behavior.
     const { error, status } = spawnSync('pnpm', args, {
       stdio: 'inherit',
       cwd: options.cwd,
       shell: true,
-      env,
     })
 
     endGroup()

src/pnpm-store-prune/index.ts

@@ -1,7 +1,6 @@
 import { warning, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function pruneStore(inputs: Inputs) {
   if (inputs.runInstall.length === 0) {
@@ -10,10 +9,11 @@ export function pruneStore(inputs: Inputs) {
   }
 
   startGroup('Running pnpm store prune...')
+  // spawnSync inherits process.env (which has the right PATH from addPath
+  // in install-pnpm). See pnpm-install/index.ts for the rationale.
   const { error, status } = spawnSync('pnpm', ['store', 'prune'], {
     stdio: 'inherit',
     shell: true,
-    env: patchPnpmEnv(inputs),
   })
   endGroup()
 

src/utils/index.ts

@@ -1,10 +0,0 @@
-import path from 'path'
-import process from 'process'
-import { Inputs } from '../inputs'
-
-export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'node_modules', '.bin')
-
-export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
-  ...process.env,
-  PATH: getBinDest(inputs) + path.delimiter + process.env.PATH,
-})

tsconfig.json

@@ -1,26 +1,19 @@
-
 {
   "compilerOptions": {
     "target": "ES2022",
-    "module": "Node16",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "lib": [
       "ES2023"
     ],
-    "outDir": "./dist/tsc",
-    "preserveConstEnums": true,
-    "incremental": false,
-    "declaration": true,
-    "sourceMap": true,
-    "importHelpers": false,
+    "noEmit": true,
     "strict": true,
     "pretty": true,
     "noUnusedLocals": true,
     "noUnusedParameters": true,
     "noImplicitReturns": true,
     "noFallthroughCasesInSwitch": true,
-    "esModuleInterop": true,
-    "experimentalDecorators": true,
-    "emitDecoratorMetadata": true
+    "esModuleInterop": true
   }
 }