fix: update bundle

`patchPnpmEnv` prepended `dest/node_modules/.bin` to PATH before
spawning `pnpm install` / `pnpm store prune`. On Windows in standalone
mode, `.bin/pnpm.cmd` is an npm-created shim that always points at the
BOOTSTRAP pnpm (currently 11.0.4) — the binary npm linked when it
installed `@pnpm/exe` into `node_modules`. The self-updated pnpm
written by `pnpm self-update` lives at `$PNPM_HOME/bin`, which is
separately added to PATH via `addPath()` in install-pnpm.

When the user requested a pnpm version different from the bootstrap
under `standalone: true` on Windows, patchPnpmEnv's `.bin` entry
shadowed the self-updated `$PNPM_HOME/bin` and the action's internal
`pnpm install` ran on the bootstrap. On a pnpm 11.0.x bootstrap this
broke any 11.1+ install flag (e.g. `--no-runtime`), reporting:

    ERROR  Unknown option: 'runtime'

POSIX standalone got lucky because `.bin` and `$PNPM_HOME` resolve to
the same directory there. Non-standalone never tripped on this since
the `.bin/pnpm` symlink for a regular `pnpm` package keeps working
across self-updates.

Removed `patchPnpmEnv` and the now-empty `src/utils/` module.
`spawnSync` now inherits `process.env`, whose PATH is already
correctly fronted by `$PNPM_HOME/bin` and `$PNPM_HOME` via the
`addPath` calls in install-pnpm.

Added `standalone_windows_self_update` to test.yaml as a regression
guard: standalone on Windows + target 11.1.0 + `run_install` with
`--no-runtime`. With the previous code, the install would have run
under the bootstrap (11.0.4) and errored on the unknown flag.

Originally found while building pnpm/setup (the new combined
pnpm + runtime action).

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @zkochan

.github/workflows/test.yaml

@@ -194,6 +194,102 @@ jobs:
           pnpm add is-odd
         shell: bash
 
+  standalone_windows_self_update:
+    # Regression guard for the patchPnpmEnv PATH-shadow bug. When
+    # standalone: true on Windows AND the requested pnpm differs from the
+    # bootstrap, the previous patchPnpmEnv prepended node_modules/.bin to
+    # PATH; that directory contains an npm-created pnpm.cmd shim pointing
+    # at the BOOTSTRAP pnpm, which shadowed the self-updated pnpm at
+    # $PNPM_HOME/bin and caused `pnpm install` inside the action to run
+    # under the bootstrap version. Exercising a newer-pnpm-only flag
+    # (`--no-runtime`, added in 11.1.0) makes the regression assertable:
+    # if the bootstrap (11.0.4) handles the install, it errors with
+    # "Unknown option: 'runtime'".
+    name: 'Standalone Windows self-update (PATH regression)'
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up package.json with a minimal manifest
+        # run_install needs a manifest to install against. Removing the
+        # repo's existing pnpm-lock.yaml avoids frozen-lockfile mismatch.
+        run: |
+          rm -f pnpm-lock.yaml
+          echo '{"name":"sw","private":true,"packageManager":"pnpm@11.1.0"}' > package.json
+        shell: bash
+
+      - name: Run the action
+        uses: ./
+        with:
+          version: 11.1.0
+          standalone: true
+          run_install: |
+            args: ['--no-runtime']
+
+      - name: 'Test: pnpm install completed under the self-updated pnpm'
+        # If the bug recurs, the previous step's run_install will have failed
+        # the job with "Unknown option: 'runtime'", so reaching this step
+        # implies success. Still verify the version on PATH matches request.
+        env:
+          REQUIRED: '11.1.0'
+        run: |
+          set -e
+          actual="$(pnpm --version)"
+          echo "pnpm --version: ${actual}"
+          if [ "${actual}" != "${REQUIRED}" ]; then
+            echo "Expected pnpm ${REQUIRED}, got ${actual}"
+            exit 1
+          fi
+        shell: bash
+
+  cache_store_path:
+    # Regression guard for #233. When package.json pins a pnpm major that
+    # differs from the bootstrap pnpm's major, the bootstrap reports its
+    # own STORE_VERSION from `pnpm store path` (the `store` command skips
+    # pnpm's auto-switch). The user's actual `pnpm install` runs under the
+    # pinned version and writes to a different STORE_VERSION, so the post
+    # step's saveCache then fails with "Path Validation Error". The fix is
+    # to self-update the bootstrap to the pinned version up front.
+    name: 'Cache store path matches install (#233): ${{ matrix.label }}'
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - label: 'packageManager pnpm@10.33.0'
+            manifest: '{"packageManager":"pnpm@10.33.0","dependencies":{"is-odd":"3.0.1"}}'
+          - label: 'devEngines exact pnpm@10.33.0'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"10.33.0"}},"dependencies":{"is-odd":"3.0.1"}}'
+          - label: 'devEngines range >=10 <11'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=10 <11"}},"dependencies":{"is-odd":"3.0.1"}}'
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up package.json
+        run: echo '${{ matrix.manifest }}' > package.json
+        shell: bash
+
+      - id: pnpm
+        uses: ./
+        with:
+          cache: true
+          run_install: |
+            - args: [--no-frozen-lockfile]
+
+      - name: 'Test: store path computed by the action exists on disk'
+        run: |
+          set -e
+          actual="$(pnpm store path --silent)"
+          echo "pnpm store path: ${actual}"
+          if [ ! -d "${actual}" ]; then
+            echo "Expected store path to exist on disk; cache save would fail"
+            exit 1
+          fi
+        shell: bash
+
   run_install:
     name: 'run_install (${{ matrix.run_install.name }})'
 

README.md

@@ -48,7 +48,7 @@ If `run_install` is a YAML string representation of either an object or an array
 
 ### `cache_dependency_path`
 
-**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
+**Optional** (_type:_ `string`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
 
 ### `package_json_file`
 
@@ -158,6 +158,33 @@ jobs:
 
 **Note:** You don't need to run `pnpm store prune` at the end; post-action has already taken care of that.
 
+### Cache dependencies from multiple lockfiles
+
+```yaml
+on:
+  - push
+  - pull_request
+
+jobs:
+  cache-and-install-multiple:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10
+          cache: true
+          cache_dependency_path: |
+            one/pnpm-lock.yaml
+            two/pnpm-lock.yaml
+          run_install: |
+            - cwd: one
+            - cwd: two
+```
+
 ## Notes
 
 This action does not setup Node.js for you, use [actions/setup-node](https://github.com/actions/setup-node) yourself.

action.yml

@@ -20,7 +20,7 @@ inputs:
     required: false
     default: 'false'
   cache_dependency_path:
-    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
+    description: File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
     required: false
     default: 'pnpm-lock.yaml'
   package_json_file:

src/index.ts

@@ -8,16 +8,16 @@ import pnpmInstall from './pnpm-install'
 import pruneStore from './pnpm-store-prune'
 
 async function main() {
-  const inputs = getInputs()
-
   if (getState('is_post') === 'true') {
-    await runPost(inputs)
+    await runPost()
   } else {
-    await runMain(inputs)
+    await runMain()
   }
 }
 
-async function runMain(inputs: Inputs) {
+async function runMain() {
+  const inputs = getInputs()
+  saveState('inputs', inputs)
   saveState('is_post', 'true')
 
   const binDest = await installPnpm(inputs)
@@ -30,7 +30,8 @@ async function runMain(inputs: Inputs) {
   pnpmInstall(inputs)
 }
 
-async function runPost(inputs: Inputs) {
+async function runPost() {
+  const inputs = JSON.parse(getState('inputs')) as Inputs
   pruneStore(inputs)
   await saveCache(inputs)
 }

src/install-pnpm/bootstrap/exe-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "@pnpm/exe": "11.0.4"
+        "@pnpm/exe": "11.1.1"
       }
     },
     "node_modules/@pnpm/exe": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
-      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.1.1.tgz",
+      "integrity": "sha512-5mQnDW1NCBRRWA+cnGhQO+tIrfSfWm3/IyGxU88LnT+tzNW5UrwwKfjsnnYJToyAjIfdfEJtJKUxCvP+mhA+nQ==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -28,20 +28,19 @@
         "url": "https://opencollective.com/pnpm"
       },
       "optionalDependencies": {
-        "@pnpm/linux-arm64": "11.0.4",
-        "@pnpm/linux-x64": "11.0.4",
-        "@pnpm/linuxstatic-arm64": "11.0.4",
-        "@pnpm/linuxstatic-x64": "11.0.4",
-        "@pnpm/macos-arm64": "11.0.4",
-        "@pnpm/macos-x64": "11.0.4",
-        "@pnpm/win-arm64": "11.0.4",
-        "@pnpm/win-x64": "11.0.4"
+        "@pnpm/linux-arm64": "11.1.1",
+        "@pnpm/linux-x64": "11.1.1",
+        "@pnpm/linuxstatic-arm64": "11.1.1",
+        "@pnpm/linuxstatic-x64": "11.1.1",
+        "@pnpm/macos-arm64": "11.1.1",
+        "@pnpm/win-arm64": "11.1.1",
+        "@pnpm/win-x64": "11.1.1"
       }
     },
     "node_modules/@pnpm/linux-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
-      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.1.1.tgz",
+      "integrity": "sha512-u9hs51XV0/gU5LLfNLoQsozGKIxNjxsh/0xPr+8Hny0M38psa4lBtwFvarL2bLToPIrtueQYi65LdlzRxITRyg==",
       "cpu": [
         "arm64"
       ],
@@ -55,9 +54,9 @@
       }
     },
     "node_modules/@pnpm/linux-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
-      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.1.1.tgz",
+      "integrity": "sha512-yQO9i57oyJmIG22BjV7sqLUT2syKQohiku8yNZRgp7M6wsVkikpVLLVSpBifQnrI/P/roueKnWSUEESH1aPaoA==",
       "cpu": [
         "x64"
       ],
@@ -71,9 +70,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
-      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.1.1.tgz",
+      "integrity": "sha512-FUZB8L9Z8L5m88G0RTx5AsHFr5yUQPW+28zQdTNUWxiLwj11FW/fOLodYdcNYHdNJFepsZyqt3aRnpiqIdZb2g==",
       "cpu": [
         "arm64"
       ],
@@ -90,9 +89,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
-      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.1.1.tgz",
+      "integrity": "sha512-I/z56hfa1zM5F/Unup/1NrgsA+dcptsKQ2TjJLFz3wHKDx0RLrfF7DB0Rkpnr5IoAZ33v0GFZjlGhkOtc9VFGw==",
       "cpu": [
         "x64"
       ],
@@ -109,9 +108,9 @@
       }
     },
     "node_modules/@pnpm/macos-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
-      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.1.1.tgz",
+      "integrity": "sha512-YQu6fC27F4jTIpXhF+4PdzOV7uSnVVG9KUxj5W+AFj0XFlUvBw+I1NsoPCY6uV1nccxWpIAZOTZtSj8+hWPb8w==",
       "cpu": [
         "arm64"
       ],
@@ -124,26 +123,10 @@
         "url": "https://opencollective.com/pnpm"
       }
     },
-    "node_modules/@pnpm/macos-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
-      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/pnpm"
-      }
-    },
     "node_modules/@pnpm/win-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
-      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.1.1.tgz",
+      "integrity": "sha512-2HvZut3IcKPxzIfOjBJ4677PaLIh57mWccL86O+q71QhO5emnQvht0CE19IoEyUIOEe1WjlN+Su/dD5k6CuGyg==",
       "cpu": [
         "arm64"
       ],
@@ -157,9 +140,9 @@
       }
     },
     "node_modules/@pnpm/win-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
-      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.1.1.tgz",
+      "integrity": "sha512-QXBIBErgPhGLovOVzTRIpHsejFKebyqlcF3fea/TfH87gkhN5yWH0WuTPRBoOWvpk6aNhjDW4RPUMx8RaPqxjw==",
       "cpu": [
         "x64"
       ],

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "pnpm": "11.0.4"
+        "pnpm": "11.1.1"
       }
     },
     "node_modules/pnpm": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
-      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.1.1.tgz",
+      "integrity": "sha512-0f319zxhe2T6GlaoHDyN/g6WbjOmAQqiVrUXrne+Idk+Ba/8DeGoOw5PKdVp9otEaujwaM1yR8C7PfD7TXvfmg==",
       "license": "MIT",
       "bin": {
         "pn": "bin/pnpm.mjs",

src/install-pnpm/run.ts

@@ -84,37 +84,31 @@ export async function runSelfInstaller(inputs: Inputs): Promise<SelfInstallerRes
     ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm')
     : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs')
 
-  // Determine the target version
+  // Self-update the bootstrap to the requested pnpm version. readTargetVersion
+  // either returns a value or throws, so this always runs.
   const targetVersion = readTargetVersion({ version, packageJsonFile })
-
-  if (targetVersion) {
-    const cmd = standalone ? bootstrapPnpm : process.execPath
-    const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
-    const exitCode = await runCommand(cmd, args, { cwd: dest })
-    if (exitCode !== 0) {
-      return { exitCode, binDest: pnpmHome }
-    }
-    // self-update writes the target pnpm/pnpx into PNPM_HOME/bin, leaving
-    // the bootstrap symlinks in pnpmHome pointing at the old version. Use
-    // PNPM_HOME/bin so consumers of the bin_dest output (e.g.
-    // `${steps.pnpm.outputs.bin_dest}/pnpm`) invoke the requested version.
-    return { exitCode: 0, binDest: path.join(pnpmHome, 'bin') }
+  const cmd = standalone ? bootstrapPnpm : process.execPath
+  const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+  const exitCode = await runCommand(cmd, args, { cwd: dest })
+  if (exitCode !== 0) {
+    return { exitCode, binDest: pnpmHome }
   }
-
-  // No explicit target version: rely on the bootstrap pnpm to switch to
-  // the version declared in packageManager/devEngines at runtime. Force
-  // `pmOnFail=download` so a project that pins
-  // `devEngines.packageManager.onFail = "error"` doesn't trip BAD_PM_VERSION
-  // before the switch can happen (issue #252). Scoped to this branch so users
-  // who pass an explicit `version:` input keep strict onFail behavior.
-  exportVariable('pnpm_config_pm_on_fail', 'download')
-  return { exitCode: 0, binDest: pnpmHome }
+  // self-update writes the target pnpm/pnpx into PNPM_HOME/bin, leaving
+  // the bootstrap symlinks in pnpmHome pointing at the old version. Use
+  // PNPM_HOME/bin so consumers of the bin_dest output (e.g.
+  // `${steps.pnpm.outputs.bin_dest}/pnpm`) invoke the requested version.
+  //
+  // When the requested version resolves to the bootstrap version, self-update
+  // is a no-op and PNPM_HOME/bin is not created — fall back to pnpmHome,
+  // whose symlinks already point at the right version.
+  const updatedBinDir = path.join(pnpmHome, 'bin')
+  return { exitCode: 0, binDest: existsSync(updatedBinDir) ? updatedBinDir : pnpmHome }
 }
 
 function readTargetVersion(opts: {
   readonly version?: string | undefined
   readonly packageJsonFile: string
-}): string | undefined {
+}): string {
   const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
 
@@ -135,12 +129,15 @@ function readTargetVersion(opts: {
     }
   }
 
+  // packageManager is always exact `pnpm@<version>[+<integrity>]` per spec.
+  // Strip the integrity hash for self-update.
+  const packageManagerVersion =
+    typeof packageManager === 'string' && packageManager.startsWith('pnpm@')
+      ? packageManager.slice('pnpm@'.length).split('+')[0]
+      : undefined
+
   if (version) {
-    if (
-      typeof packageManager === 'string' &&
-      packageManager.startsWith('pnpm@') &&
-      packageManager.replace('pnpm@', '') !== version
-    ) {
+    if (packageManagerVersion && packageManagerVersion !== version) {
       throw new Error(`Multiple versions of pnpm specified:
   - version ${version} in the GitHub Action config with the key "version"
   - version ${packageManager} in the package.json with the key "packageManager"
@@ -150,13 +147,22 @@ Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_
     return version
   }
 
-  // pnpm will automatically download and switch to the right version
-  if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
-    return undefined
+  // Self-update the bootstrap pnpm to the version pinned in package.json so
+  // PATH-resolved `pnpm` (and the bin_dest output) reflect the target
+  // version. Without this, `pnpm store path` runs as the bootstrap and
+  // reports a different STORE_VERSION than the one the user's actual
+  // install writes to — breaking cache: true and actions/setup-node's
+  // `cache: pnpm` on cold caches (issue #233).
+  //
+  // devEngines.packageManager takes priority over packageManager, matching
+  // pnpm's getWantedPackageManager logic. `pnpm self-update` accepts both
+  // exact versions and semver ranges, so we pass either through directly.
+  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
+    return devEngines.packageManager.version
   }
 
-  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
-    return undefined
+  if (packageManagerVersion) {
+    return packageManagerVersion
   }
 
   if (!GITHUB_WORKSPACE) {

src/pnpm-install/index.ts

@@ -1,11 +1,8 @@
 import { setFailed, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function runPnpmInstall(inputs: Inputs) {
-  const env = patchPnpmEnv(inputs)
-
   for (const options of inputs.runInstall) {
     const args = ['install']
     if (options.recursive) args.unshift('recursive')
@@ -14,11 +11,16 @@ export function runPnpmInstall(inputs: Inputs) {
     const cmdStr = ['pnpm', ...args].join(' ')
     startGroup(`Running ${cmdStr}...`)
 
+    // spawnSync inherits process.env, which already has $PNPM_HOME/bin and
+    // $PNPM_HOME prepended via addPath() in install-pnpm. Do NOT pass a
+    // hand-patched env that adds node_modules/.bin to the front — on
+    // Windows standalone, .bin/pnpm.cmd is an npm shim pointing at the
+    // BOOTSTRAP pnpm, which would shadow the self-updated one and break
+    // newer-pnpm-only behavior.
     const { error, status } = spawnSync('pnpm', args, {
       stdio: 'inherit',
       cwd: options.cwd,
       shell: true,
-      env,
     })
 
     endGroup()

src/pnpm-store-prune/index.ts

@@ -1,7 +1,6 @@
 import { warning, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function pruneStore(inputs: Inputs) {
   if (inputs.runInstall.length === 0) {
@@ -10,10 +9,11 @@ export function pruneStore(inputs: Inputs) {
   }
 
   startGroup('Running pnpm store prune...')
+  // spawnSync inherits process.env (which has the right PATH from addPath
+  // in install-pnpm). See pnpm-install/index.ts for the rationale.
   const { error, status } = spawnSync('pnpm', ['store', 'prune'], {
     stdio: 'inherit',
     shell: true,
-    env: patchPnpmEnv(inputs),
   })
   endGroup()
 

src/utils/index.ts

@@ -1,10 +0,0 @@
-import path from 'path'
-import process from 'process'
-import { Inputs } from '../inputs'
-
-export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'node_modules', '.bin')
-
-export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
-  ...process.env,
-  PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH,
-})