fix: self-update accepts ranges; drop exact-semver gate

`pnpm self-update` resolves semver ranges to a specific version, so
`devEngines.packageManager.version: ">=10 <11"` can also go through
the self-update path. That makes readTargetVersion total — it always
returns a string or throws — so the runtime auto-switch fallback (and
the `pnpm_config_pm_on_fail=download` export from #252) is no longer
reachable and gets removed.

Adds a range case to the cache_store_path matrix.

.github/workflows/test.yaml

@@ -194,54 +194,6 @@ jobs:
           pnpm add is-odd
         shell: bash
 
-  standalone_windows_self_update:
-    # Regression guard for the patchPnpmEnv PATH-shadow bug. When
-    # standalone: true on Windows AND the requested pnpm differs from the
-    # bootstrap, the previous patchPnpmEnv prepended node_modules/.bin to
-    # PATH; that directory contains an npm-created pnpm.cmd shim pointing
-    # at the BOOTSTRAP pnpm, which shadowed the self-updated pnpm at
-    # $PNPM_HOME/bin and caused `pnpm install` inside the action to run
-    # under the bootstrap version. Exercising a newer-pnpm-only flag
-    # (`--no-runtime`, added in 11.1.0) makes the regression assertable:
-    # if the bootstrap (11.0.4) handles the install, it errors with
-    # "Unknown option: 'runtime'".
-    name: 'Standalone Windows self-update (PATH regression)'
-    runs-on: windows-latest
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-      - name: Set up package.json with a minimal manifest
-        # run_install needs a manifest to install against. Removing the
-        # repo's existing pnpm-lock.yaml avoids frozen-lockfile mismatch.
-        run: |
-          rm -f pnpm-lock.yaml
-          echo '{"name":"sw","private":true,"packageManager":"pnpm@11.1.0"}' > package.json
-        shell: bash
-
-      - name: Run the action
-        uses: ./
-        with:
-          version: 11.1.0
-          standalone: true
-          run_install: |
-            args: ['--no-runtime']
-
-      - name: 'Test: pnpm install completed under the self-updated pnpm'
-        # If the bug recurs, the previous step's run_install will have failed
-        # the job with "Unknown option: 'runtime'", so reaching this step
-        # implies success. Still verify the version on PATH matches request.
-        env:
-          REQUIRED: '11.1.0'
-        run: |
-          set -e
-          actual="$(pnpm --version)"
-          echo "pnpm --version: ${actual}"
-          if [ "${actual}" != "${REQUIRED}" ]; then
-            echo "Expected pnpm ${REQUIRED}, got ${actual}"
-            exit 1
-          fi
-        shell: bash
-
   cache_store_path:
     # Regression guard for #233. When package.json pins a pnpm major that
     # differs from the bootstrap pnpm's major, the bootstrap reports its

README.md

@@ -48,7 +48,7 @@ If `run_install` is a YAML string representation of either an object or an array
 
 ### `cache_dependency_path`
 
-**Optional** (_type:_ `string`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
+**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
 
 ### `package_json_file`
 
@@ -158,33 +158,6 @@ jobs:
 
 **Note:** You don't need to run `pnpm store prune` at the end; post-action has already taken care of that.
 
-### Cache dependencies from multiple lockfiles
-
-```yaml
-on:
-  - push
-  - pull_request
-
-jobs:
-  cache-and-install-multiple:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - uses: pnpm/action-setup@v6
-        with:
-          version: 10
-          cache: true
-          cache_dependency_path: |
-            one/pnpm-lock.yaml
-            two/pnpm-lock.yaml
-          run_install: |
-            - cwd: one
-            - cwd: two
-```
-
 ## Notes
 
 This action does not setup Node.js for you, use [actions/setup-node](https://github.com/actions/setup-node) yourself.

action.yml

@@ -20,7 +20,7 @@ inputs:
     required: false
     default: 'false'
   cache_dependency_path:
-    description: File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
+    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
     required: false
     default: 'pnpm-lock.yaml'
   package_json_file:

src/install-pnpm/bootstrap/exe-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "@pnpm/exe": "11.1.1"
+        "@pnpm/exe": "11.0.4"
       }
     },
     "node_modules/@pnpm/exe": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.1.1.tgz",
-      "integrity": "sha512-5mQnDW1NCBRRWA+cnGhQO+tIrfSfWm3/IyGxU88LnT+tzNW5UrwwKfjsnnYJToyAjIfdfEJtJKUxCvP+mhA+nQ==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
+      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -28,19 +28,20 @@
         "url": "https://opencollective.com/pnpm"
       },
       "optionalDependencies": {
-        "@pnpm/linux-arm64": "11.1.1",
-        "@pnpm/linux-x64": "11.1.1",
-        "@pnpm/linuxstatic-arm64": "11.1.1",
-        "@pnpm/linuxstatic-x64": "11.1.1",
-        "@pnpm/macos-arm64": "11.1.1",
-        "@pnpm/win-arm64": "11.1.1",
-        "@pnpm/win-x64": "11.1.1"
+        "@pnpm/linux-arm64": "11.0.4",
+        "@pnpm/linux-x64": "11.0.4",
+        "@pnpm/linuxstatic-arm64": "11.0.4",
+        "@pnpm/linuxstatic-x64": "11.0.4",
+        "@pnpm/macos-arm64": "11.0.4",
+        "@pnpm/macos-x64": "11.0.4",
+        "@pnpm/win-arm64": "11.0.4",
+        "@pnpm/win-x64": "11.0.4"
       }
     },
     "node_modules/@pnpm/linux-arm64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.1.1.tgz",
-      "integrity": "sha512-u9hs51XV0/gU5LLfNLoQsozGKIxNjxsh/0xPr+8Hny0M38psa4lBtwFvarL2bLToPIrtueQYi65LdlzRxITRyg==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
+      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
       "cpu": [
         "arm64"
       ],
@@ -54,9 +55,9 @@
       }
     },
     "node_modules/@pnpm/linux-x64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.1.1.tgz",
-      "integrity": "sha512-yQO9i57oyJmIG22BjV7sqLUT2syKQohiku8yNZRgp7M6wsVkikpVLLVSpBifQnrI/P/roueKnWSUEESH1aPaoA==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
+      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
       "cpu": [
         "x64"
       ],
@@ -70,9 +71,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-arm64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.1.1.tgz",
-      "integrity": "sha512-FUZB8L9Z8L5m88G0RTx5AsHFr5yUQPW+28zQdTNUWxiLwj11FW/fOLodYdcNYHdNJFepsZyqt3aRnpiqIdZb2g==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
+      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
       "cpu": [
         "arm64"
       ],
@@ -89,9 +90,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-x64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.1.1.tgz",
-      "integrity": "sha512-I/z56hfa1zM5F/Unup/1NrgsA+dcptsKQ2TjJLFz3wHKDx0RLrfF7DB0Rkpnr5IoAZ33v0GFZjlGhkOtc9VFGw==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
+      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
       "cpu": [
         "x64"
       ],
@@ -108,9 +109,9 @@
       }
     },
     "node_modules/@pnpm/macos-arm64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.1.1.tgz",
-      "integrity": "sha512-YQu6fC27F4jTIpXhF+4PdzOV7uSnVVG9KUxj5W+AFj0XFlUvBw+I1NsoPCY6uV1nccxWpIAZOTZtSj8+hWPb8w==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
+      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
       "cpu": [
         "arm64"
       ],
@@ -123,10 +124,26 @@
         "url": "https://opencollective.com/pnpm"
       }
     },
+    "node_modules/@pnpm/macos-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
+      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
     "node_modules/@pnpm/win-arm64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.1.1.tgz",
-      "integrity": "sha512-2HvZut3IcKPxzIfOjBJ4677PaLIh57mWccL86O+q71QhO5emnQvht0CE19IoEyUIOEe1WjlN+Su/dD5k6CuGyg==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
+      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
       "cpu": [
         "arm64"
       ],
@@ -140,9 +157,9 @@
       }
     },
     "node_modules/@pnpm/win-x64": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.1.1.tgz",
-      "integrity": "sha512-QXBIBErgPhGLovOVzTRIpHsejFKebyqlcF3fea/TfH87gkhN5yWH0WuTPRBoOWvpk6aNhjDW4RPUMx8RaPqxjw==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
+      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
       "cpu": [
         "x64"
       ],

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "pnpm": "11.1.1"
+        "pnpm": "11.0.4"
       }
     },
     "node_modules/pnpm": {
-      "version": "11.1.1",
-      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.1.1.tgz",
-      "integrity": "sha512-0f319zxhe2T6GlaoHDyN/g6WbjOmAQqiVrUXrne+Idk+Ba/8DeGoOw5PKdVp9otEaujwaM1yR8C7PfD7TXvfmg==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
+      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
       "license": "MIT",
       "bin": {
         "pn": "bin/pnpm.mjs",

src/pnpm-install/index.ts

@@ -1,8 +1,11 @@
 import { setFailed, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
+import { patchPnpmEnv } from '../utils'
 
 export function runPnpmInstall(inputs: Inputs) {
+  const env = patchPnpmEnv(inputs)
+
   for (const options of inputs.runInstall) {
     const args = ['install']
     if (options.recursive) args.unshift('recursive')
@@ -11,16 +14,11 @@ export function runPnpmInstall(inputs: Inputs) {
     const cmdStr = ['pnpm', ...args].join(' ')
     startGroup(`Running ${cmdStr}...`)
 
-    // spawnSync inherits process.env, which already has $PNPM_HOME/bin and
-    // $PNPM_HOME prepended via addPath() in install-pnpm. Do NOT pass a
-    // hand-patched env that adds node_modules/.bin to the front — on
-    // Windows standalone, .bin/pnpm.cmd is an npm shim pointing at the
-    // BOOTSTRAP pnpm, which would shadow the self-updated one and break
-    // newer-pnpm-only behavior.
     const { error, status } = spawnSync('pnpm', args, {
       stdio: 'inherit',
       cwd: options.cwd,
       shell: true,
+      env,
     })
 
     endGroup()

src/pnpm-store-prune/index.ts

@@ -1,6 +1,7 @@
 import { warning, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
+import { patchPnpmEnv } from '../utils'
 
 export function pruneStore(inputs: Inputs) {
   if (inputs.runInstall.length === 0) {
@@ -9,11 +10,10 @@ export function pruneStore(inputs: Inputs) {
   }
 
   startGroup('Running pnpm store prune...')
-  // spawnSync inherits process.env (which has the right PATH from addPath
-  // in install-pnpm). See pnpm-install/index.ts for the rationale.
   const { error, status } = spawnSync('pnpm', ['store', 'prune'], {
     stdio: 'inherit',
     shell: true,
+    env: patchPnpmEnv(inputs),
   })
   endGroup()
 

src/utils/index.ts

@@ -0,0 +1,10 @@
+import path from 'path'
+import process from 'process'
+import { Inputs } from '../inputs'
+
+export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'node_modules', '.bin')
+
+export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
+  ...process.env,
+  PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH,
+})