fix: self-update bootstrap to packageManager-pinned version (#233) (#256)

* fix: self-update bootstrap to packageManager-pinned version (#233)

When package.json pins pnpm via `packageManager` or an exact
`devEngines.packageManager.version`, self-update the bootstrap up
front. The bootstrap's `pnpm store path` skips pnpm's auto-switch
(the `store` command sets `skipPackageManagerCheck = true`), so it
reports the bootstrap's `STORE_VERSION` while the user's actual
install runs under the pinned version and writes to a different
STORE_VERSION — breaking `cache: true` and `setup-node`'s
`cache: pnpm` on cold caches.

* fix: check bin/ dir instead of pnpm.exe for self-update detection

On Windows pnpm self-update writes `.bin/bin/pnpm` (a JS launcher),
not `.bin/bin/pnpm.exe`, so the previous existsSync probe always
fell back to pnpmHome and the bin_dest output pointed at the
bootstrap pnpm. Check whether the `bin` directory itself exists.

* fix: self-update accepts ranges; drop exact-semver gate

`pnpm self-update` resolves semver ranges to a specific version, so
`devEngines.packageManager.version: ">=10 <11"` can also go through
the self-update path. That makes readTargetVersion total — it always
returns a string or throws — so the runtime auto-switch fallback (and
the `pnpm_config_pm_on_fail=download` export from #252) is no longer
reachable and gets removed.

Adds a range case to the cache_store_path matrix.

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @zkochan

.github/workflows/test.yaml

@@ -1,43 +1,73 @@
 name: Test Action
 
 on:
-  - push
+  pull_request:
-  - pull_request
+  push:
-  - workflow_dispatch
+    branches:
+      - master
+  workflow_dispatch:
 
 jobs:
-  test_default_inputs:
+  smoke:
-    name: Test with default inputs
+    # Cross-OS coverage. Exercises the bootstrap install + PATH on each platform,
+    # the version-respects-request regression (#225 / #230 — Windows PATH shadow),
+    # and the bin_dest output regression (#247). Multi-version coverage on Linux
+    # so we don't pay 3x for major-version differences.
+    name: 'Smoke (${{ matrix.name }})'
 
     runs-on: ${{ matrix.os }}
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
+        include:
-          - 9.15.5
+          - name: 'ubuntu / v9.15.5'
-        os:
+            os: ubuntu-latest
-          - ubuntu-latest
+            version: '9.15.5'
-          - macos-latest
+          - name: 'ubuntu / v10.33.0'
-          - windows-latest
+            os: ubuntu-latest
+            version: '10.33.0'
+          - name: 'ubuntu / v9.15.5 / custom-dest'
+            os: ubuntu-latest
+            version: '9.15.5'
+            dest: '~/test/pnpm'
+          - name: 'macos / v9.15.5'
+            os: macos-latest
+            version: '9.15.5'
+          - name: 'windows / v9.15.5'
+            os: windows-latest
+            version: '9.15.5'
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - name: Run the action
+      - id: pnpm
+        name: Run the action
         uses: ./
         with:
-          version: 9.15.5
+          version: ${{ matrix.version }}
+          dest: ${{ matrix.dest || '~/setup-pnpm' }}
 
-      - name: 'Test: which'
+      - name: 'Test: pnpm/pnpx on PATH report the requested version (incl. via bin_dest)'
-        run: which pnpm; which pnpx
+        # Pass paths via env, not template interpolation, so Windows
-
+        # backslashes in `bin_dest` aren't eaten by bash's escape handling.
-      - name: 'Test: version'
+        env:
+          BIN_DEST: ${{ steps.pnpm.outputs.bin_dest }}
+          REQUIRED: ${{ matrix.version }}
         run: |
+          set -e
+          which pnpm
+          which pnpx
           actual="$(pnpm --version)"
-          echo "pnpm version: ${actual}"
+          echo "pnpm --version: ${actual}"
-          if [[ ! "${actual}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
+          if [ "${actual}" != "${REQUIRED}" ]; then
-            echo "ERROR: pnpm --version did not produce valid output"
+            echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+            exit 1
+          fi
+          bin_dest_version="$("$BIN_DEST/pnpm" --version)"
+          echo "bin_dest pnpm --version: ${bin_dest_version}"
+          if [ "${bin_dest_version}" != "${REQUIRED}" ]; then
+            echo "Expected ${REQUIRED} via bin_dest, but got ${bin_dest_version}"
             exit 1
           fi
         shell: bash
@@ -50,54 +80,95 @@ jobs:
           pnpm add is-odd
         shell: bash
 
-  test_dest:
+  manifest_pin:
-    name: Test with dest
+    # Folds the old test_package_manager_field, test_dev_engines, and
+    # test_dev_engines_on_fail_error jobs. The action's manifest handling is
+    # OS-independent, so ubuntu-only is sufficient.
+    name: 'Manifest pin: ${{ matrix.label }}'
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
+        include:
-          - 9.15.5
+          - label: 'packageManager pnpm@9.15.5 (#227)'
-        os:
+            manifest: '{"packageManager":"pnpm@9.15.5"}'
-          - ubuntu-latest
+            version: '9.15.5'
-          - macos-latest
+          - label: 'packageManager pnpm@10.33.0'
-          - windows-latest
+            manifest: '{"packageManager":"pnpm@10.33.0"}'
+            version: '10.33.0'
+          - label: 'devEngines onFail=download, exact'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"download"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=download, range'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"download"}}}'
+            version: '>=9.15.0'
+          - label: 'devEngines onFail=error, exact (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=error, range (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"error"}}}'
+            version: '>=9.15.0'
+          - label: 'explicit version: pnpm_config_pm_on_fail not exported'
+            # Regression guard for the af8e203 scope fix: when the user passes an
+            # explicit `version:` input, the action must NOT export
+            # pnpm_config_pm_on_fail=download, so the user's strict onFail policy
+            # is preserved. Asserted directly on the env var rather than pnpm
+            # runtime behavior — different pnpm majors read devEngines
+            # differently (v10 ignores it, v11+ honors it).
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            explicit_version: '10.33.0'
+            expect_pm_on_fail_unset: true
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
+      - name: Set up package.json
+        run: echo '${{ matrix.manifest }}' > package.json
+        shell: bash
+
       - name: Run the action
         uses: ./
         with:
-          version: 9.15.5
+          version: ${{ matrix.explicit_version }}
-          dest: ~/test/pnpm
 
-      - name: 'Test: which'
+      - name: 'Test: pnpm reports the pinned version'
-        run: which pnpm && which pnpx
+        if: ${{ !matrix.expect_pm_on_fail_unset }}
-
+        env:
-      - name: 'Test: version'
+          REQUIRED: ${{ matrix.version }}
         run: |
+          set -e
           actual="$(pnpm --version)"
           echo "pnpm version: ${actual}"
-          if [[ ! "${actual}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
+          if [ "${REQUIRED}" = ">=9.15.0" ]; then
-            echo "ERROR: pnpm --version did not produce valid output"
+            min="9.15.0"
-            exit 1
+            if [ "$(printf '%s\n' "${min}" "${actual}" | sort -V | head -n1)" != "${min}" ]; then
+              echo "Expected pnpm version >= ${min}, but got ${actual}"
+              exit 1
+            fi
+          else
+            if [ "${actual}" != "${REQUIRED}" ]; then
+              echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+              exit 1
+            fi
           fi
         shell: bash
 
-  test_standalone:
+      - name: 'Test: pnpm_config_pm_on_fail not exported (explicit version preserves strict policy)'
-    name: Test with standalone
+        if: ${{ matrix.expect_pm_on_fail_unset }}
+        run: |
+          if [ -n "${pnpm_config_pm_on_fail:-}" ]; then
+            echo "Expected pnpm_config_pm_on_fail to be unset, but got: '${pnpm_config_pm_on_fail}'"
+            exit 1
+          fi
+          echo "pnpm_config_pm_on_fail is unset, as expected"
+        shell: bash
 
-    runs-on: ${{ matrix.os }}
+  standalone:
+    name: Standalone mode
 
-    strategy:
+    runs-on: ubuntu-latest
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-latest
-          - windows-latest
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
@@ -108,91 +179,77 @@ jobs:
           version: 9.15.0
           standalone: true
 
-      - name: 'Test: which'
+      - name: 'Test: pnpm works'
-        run: which pnpm
-
-      - name: 'Test: version'
         run: |
+          set -e
+          which pnpm
           actual="$(pnpm --version)"
-          echo "pnpm version: ${actual}"
+          if [ "${actual}" != "9.15.0" ]; then
-          if [[ ! "${actual}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
+            echo "Expected 9.15.0, got ${actual}"
-            echo "ERROR: pnpm --version did not produce valid output"
             exit 1
           fi
-        shell: bash
-
-      - name: 'Test: install in a fresh project'
-        run: |
           mkdir /tmp/test-standalone
           cd /tmp/test-standalone
           pnpm init
           pnpm add is-odd
         shell: bash
 
-  test_dev_engines:
+  cache_store_path:
-    name: Test with devEngines.packageManager
+    # Regression guard for #233. When package.json pins a pnpm major that
+    # differs from the bootstrap pnpm's major, the bootstrap reports its
+    # own STORE_VERSION from `pnpm store path` (the `store` command skips
+    # pnpm's auto-switch). The user's actual `pnpm install` runs under the
+    # pinned version and writes to a different STORE_VERSION, so the post
+    # step's saveCache then fails with "Path Validation Error". The fix is
+    # to self-update the bootstrap to the pinned version up front.
+    name: 'Cache store path matches install (#233): ${{ matrix.label }}'
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        os:
+        include:
-          - ubuntu-latest
+          - label: 'packageManager pnpm@10.33.0'
-          - macos-latest
+            manifest: '{"packageManager":"pnpm@10.33.0","dependencies":{"is-odd":"3.0.1"}}'
-          - windows-latest
+          - label: 'devEngines exact pnpm@10.33.0'
-        version:
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"10.33.0"}},"dependencies":{"is-odd":"3.0.1"}}'
-          - '9.15.5'
+          - label: 'devEngines range >=10 <11'
-          - '>=9.15.0'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=10 <11"}},"dependencies":{"is-odd":"3.0.1"}}'
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - name: Set up package.json with devEngines.packageManager
+      - name: Set up package.json
-        run: echo '{"devEngines":{"packageManager":{"name":"pnpm","version":"${{ matrix.version }}","onFail":"download"}}}' > package.json
+        run: echo '${{ matrix.manifest }}' > package.json
         shell: bash
 
-      - name: Run the action
+      - id: pnpm
         uses: ./
+        with:
+          cache: true
+          run_install: |
+            - args: [--no-frozen-lockfile]
 
-      - name: 'Test: which'
+      - name: 'Test: store path computed by the action exists on disk'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: version'
         run: |
           set -e
-          required='${{ matrix.version }}'
+          actual="$(pnpm store path --silent)"
-          actual="$(pnpm --version)"
+          echo "pnpm store path: ${actual}"
-          echo "pnpm version: ${actual}"
+          if [ ! -d "${actual}" ]; then
-
+            echo "Expected store path to exist on disk; cache save would fail"
-          if [ "${required}" = ">=9.15.0" ]; then
+            exit 1
-            min="9.15.0"
-            if [ "$(printf '%s\n' "${min}" "${actual}" | sort -V | head -n1)" != "${min}" ]; then
-              echo "Expected pnpm version >= ${min}, but got ${actual}"
-              exit 1
-            fi
-          else
-            if [ "${actual}" != "${required}" ]; then
-              echo "Expected pnpm version ${required}, but got ${actual}"
-              exit 1
-            fi
           fi
         shell: bash
 
-  test_run_install:
+  run_install:
-    name: 'Test with run_install (${{ matrix.run_install.name }}, ${{ matrix.os }})'
+    name: 'run_install (${{ matrix.run_install.name }})'
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
-          - 9.15.5
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
         run_install:
           - name: 'null'
             value: 'null'
@@ -213,15 +270,14 @@ jobs:
           version: 9.15.5
           run_install: ${{ matrix.run_install.value }}
 
-      - name: 'Test: which'
+      - name: 'Test: pnpm works'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: version'
         run: |
+          set -e
+          which pnpm
+          which pnpx
           actual="$(pnpm --version)"
-          echo "pnpm version: ${actual}"
+          if [ "${actual}" != "9.15.5" ]; then
-          if [[ ! "${actual}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
+            echo "Expected 9.15.5, got ${actual}"
-            echo "ERROR: pnpm --version did not produce valid output"
             exit 1
           fi
         shell: bash

src/index.ts

@@ -8,28 +8,30 @@ import pnpmInstall from './pnpm-install'
 import pruneStore from './pnpm-store-prune'
 
 async function main() {
-  const inputs = getInputs()
-
   if (getState('is_post') === 'true') {
-    await runPost(inputs)
+    await runPost()
   } else {
-    await runMain(inputs)
+    await runMain()
   }
 }
 
-async function runMain(inputs: Inputs) {
+async function runMain() {
+  const inputs = getInputs()
+  saveState('inputs', inputs)
   saveState('is_post', 'true')
 
-  await installPnpm(inputs)
+  const binDest = await installPnpm(inputs)
+  if (binDest === undefined) return
   console.log('Installation Completed!')
-  setOutputs(inputs)
+  setOutputs(inputs, binDest)
 
   await restoreCache(inputs)
 
   pnpmInstall(inputs)
 }
 
-async function runPost(inputs: Inputs) {
+async function runPost() {
+  const inputs = JSON.parse(getState('inputs')) as Inputs
   pruneStore(inputs)
   await saveCache(inputs)
 }

src/install-pnpm/bootstrap/exe-lock.json

@@ -5,17 +5,18 @@
   "packages": {
     "": {
       "dependencies": {
-        "@pnpm/exe": "11.0.0-rc.2"
+        "@pnpm/exe": "11.0.4"
       }
     },
     "node_modules/@pnpm/exe": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
-      "integrity": "sha512-EkL8nZApA0wUA7c5hDdbeuyNUkmkDRBn8evxx4O79SMlEX1D6XspEu9EkLmT+sqrHsAwKzHTHsNYwTSOuKavRg==",
+      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
-        "@reflink/reflink": "0.1.19"
+        "@reflink/reflink": "0.1.19",
+        "detect-libc": "^2.0.3"
       },
       "bin": {
         "pn": "pn",
@@ -27,18 +28,20 @@
         "url": "https://opencollective.com/pnpm"
       },
       "optionalDependencies": {
-        "@pnpm/linux-arm64": "11.0.0-rc.2",
+        "@pnpm/linux-arm64": "11.0.4",
-        "@pnpm/linux-x64": "11.0.0-rc.2",
+        "@pnpm/linux-x64": "11.0.4",
-        "@pnpm/macos-arm64": "11.0.0-rc.2",
+        "@pnpm/linuxstatic-arm64": "11.0.4",
-        "@pnpm/macos-x64": "11.0.0-rc.2",
+        "@pnpm/linuxstatic-x64": "11.0.4",
-        "@pnpm/win-arm64": "11.0.0-rc.2",
+        "@pnpm/macos-arm64": "11.0.4",
-        "@pnpm/win-x64": "11.0.0-rc.2"
+        "@pnpm/macos-x64": "11.0.4",
+        "@pnpm/win-arm64": "11.0.4",
+        "@pnpm/win-x64": "11.0.4"
       }
     },
     "node_modules/@pnpm/linux-arm64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
-      "integrity": "sha512-aw7wUq6ffXAfP7r9ZKa7GQmCoh/2EJcdb5ghkc8cgz0O2RZCmIaHqMV2O049iSAtblANkOu5uhwAZW7DKMJa3A==",
+      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
       "cpu": [
         "arm64"
       ],
@@ -52,9 +55,9 @@
       }
     },
     "node_modules/@pnpm/linux-x64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
-      "integrity": "sha512-aCItGORv4lUjYldScyhd7uxgXQI3s1B1s99u5Eb42KRRC4Q8DAf7dboXbLGk7rQLjx8F9xIiaD7QX7YR8+MWEQ==",
+      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
       "cpu": [
         "x64"
       ],
@@ -67,10 +70,48 @@
         "url": "https://opencollective.com/pnpm"
       }
     },
+    "node_modules/@pnpm/linuxstatic-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
+      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linuxstatic-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
+      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
     "node_modules/@pnpm/macos-arm64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
-      "integrity": "sha512-WsLK8St9Hpwp26qqdFVdLdDlJ3CLJVIkcFwP7G9b+HtkPZOx+Z9AGZ8iam1B7HSrf8XomZWlq0vntHDsc2uPTg==",
+      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
       "cpu": [
         "arm64"
       ],
@@ -84,9 +125,9 @@
       }
     },
     "node_modules/@pnpm/macos-x64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
-      "integrity": "sha512-hiC0khjWqSu6l25rs52izVhPM+6IVbp89pLRyBMYTe5x2a9iydUsCloPl7E+SuNiZ5cNnG28qj3PDzc5upeH/Q==",
+      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
       "cpu": [
         "x64"
       ],
@@ -100,9 +141,9 @@
       }
     },
     "node_modules/@pnpm/win-arm64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
-      "integrity": "sha512-+bo8RmPQyPCKq+h1GE/QHJ7Ybt/4bWZLUSgXJQS6UOB7ar56g2g4ii1X5+8htkkdXxS5Uoj2TVqRjKp6hkkAdA==",
+      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
       "cpu": [
         "arm64"
       ],
@@ -116,9 +157,9 @@
       }
     },
     "node_modules/@pnpm/win-x64": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
-      "integrity": "sha512-srkbMALQgb4taTzKMlwqBZV+JHTh15jN4/FOVOGQ5XadjXdpJOievkvp/m87WankP8MX8th+mJhD9RX/rDOSOw==",
+      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
       "cpu": [
         "x64"
       ],
@@ -189,6 +230,9 @@
       "cpu": [
         "arm64"
       ],
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -205,6 +249,9 @@
       "cpu": [
         "arm64"
       ],
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -221,6 +268,9 @@
       "cpu": [
         "x64"
       ],
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -237,6 +287,9 @@
       "cpu": [
         "x64"
       ],
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -277,6 +330,15 @@
       "engines": {
         "node": ">= 10"
       }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
     }
   }
 }

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "pnpm": "11.0.0-rc.2"
+        "pnpm": "11.0.4"
       }
     },
     "node_modules/pnpm": {
-      "version": "11.0.0-rc.2",
+      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.0-rc.2.tgz",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
-      "integrity": "sha512-JkEMwm1mi63d4ToKzyx1ytALgqR3vMHi/mKd1B1reP4/stm7Ujr/951qkfBr6bkKYDJUPzC19zkxI5yCCqXwAQ==",
+      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
       "license": "MIT",
       "bin": {
         "pn": "bin/pnpm.mjs",

src/install-pnpm/index.ts

@@ -4,13 +4,15 @@ import runSelfInstaller from './run'
 
 export { runSelfInstaller }
 
-export async function install(inputs: Inputs) {
+export async function install(inputs: Inputs): Promise<string | undefined> {
   startGroup('Running self-installer...')
-  const status = await runSelfInstaller(inputs)
+  const { exitCode, binDest } = await runSelfInstaller(inputs)
   endGroup()
-  if (status) {
+  if (exitCode) {
-    return setFailed(`Something went wrong, self-installer exits with code ${status}`)
+    setFailed(`Something went wrong, self-installer exits with code ${exitCode}`)
+    return undefined
   }
+  return binDest
 }
 
 export default install

src/install-pnpm/run.ts

@@ -12,7 +12,12 @@ import exeLock from './bootstrap/exe-lock.json'
 const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
 const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
-export async function runSelfInstaller(inputs: Inputs): Promise<number> {
+export interface SelfInstallerResult {
+  exitCode: number
+  binDest: string
+}
+
+export async function runSelfInstaller(inputs: Inputs): Promise<SelfInstallerResult> {
   const { version, dest, packageJsonFile } = inputs
 
   // pnpm v11 requires Node >= 22.13; use standalone (exe) bootstrap which
@@ -29,9 +34,23 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {
   await writeFile(path.join(dest, 'package.json'), packageJson)
   await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
 
-  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
+  // Append the action's node directory to PATH so npm's
+  // `#!/usr/bin/env node` shebang resolves on runners (e.g. GHE
+  // self-hosted) where node isn't already on PATH. Append (not
+  // prepend) so a user-installed toolchain on PATH — e.g. from a
+  // prior `setup-node` step — keeps precedence; otherwise the
+  // runner-bundled node would shadow it and pair the user's npm
+  // with a mismatched node version. npm itself is resolved via
+  // PATH — on the GitHub Actions runner it is not co-located with
+  // `process.execPath`.
+  const nodeDir = path.dirname(process.execPath)
+  // On Windows, the PATH key casing varies; search case-insensitively.
+  const pathKey = Object.keys(process.env).find(k => k.toUpperCase() === 'PATH') ?? 'PATH'
+  const currentPath = process.env[pathKey]
+  const npmEnv = { ...process.env, [pathKey]: currentPath ? currentPath + path.delimiter + nodeDir : nodeDir }
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest, env: npmEnv })
   if (npmExitCode !== 0) {
-    return npmExitCode
+    return { exitCode: npmExitCode, binDest: path.join(dest, 'node_modules', '.bin') }
   }
 
   // On Windows with standalone mode, npm's .bin shims can't properly
@@ -40,11 +59,13 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {
   const pnpmHome = standalone && process.platform === 'win32'
     ? path.join(dest, 'node_modules', '@pnpm', 'exe')
     : path.join(dest, 'node_modules', '.bin')
-  // pnpm expects PNPM_HOME/bin in PATH for global binaries (e.g. node
+  // PNPM_HOME/bin is where `pnpm self-update` places the target version
-  // installed via `pnpm runtime`). Add it first so the next addPath
+  // binary. It must have higher PATH precedence than pnpmHome (which
-  // (pnpmHome itself, which contains pnpm.exe) has higher precedence.
+  // contains the bootstrap binary) so the self-updated version is found
-  addPath(path.join(pnpmHome, 'bin'))
+  // first. The bootstrap pnpm is invoked via absolute path, not PATH,
+  // so this ordering does not affect the bootstrap step.
   addPath(pnpmHome)
+  addPath(path.join(pnpmHome, 'bin'))
   exportVariable('PNPM_HOME', pnpmHome)
 
   // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
@@ -63,25 +84,31 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {
     ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm')
     : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs')
 
-  // Determine the target version
+  // Self-update the bootstrap to the requested pnpm version. readTargetVersion
+  // either returns a value or throws, so this always runs.
   const targetVersion = readTargetVersion({ version, packageJsonFile })
-
+  const cmd = standalone ? bootstrapPnpm : process.execPath
-  if (targetVersion) {
+  const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
-    const cmd = standalone ? bootstrapPnpm : process.execPath
+  const exitCode = await runCommand(cmd, args, { cwd: dest })
-    const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+  if (exitCode !== 0) {
-    const exitCode = await runCommand(cmd, args, { cwd: dest })
+    return { exitCode, binDest: pnpmHome }
-    if (exitCode !== 0) {
-      return exitCode
-    }
   }
-
+  // self-update writes the target pnpm/pnpx into PNPM_HOME/bin, leaving
-  return 0
+  // the bootstrap symlinks in pnpmHome pointing at the old version. Use
+  // PNPM_HOME/bin so consumers of the bin_dest output (e.g.
+  // `${steps.pnpm.outputs.bin_dest}/pnpm`) invoke the requested version.
+  //
+  // When the requested version resolves to the bootstrap version, self-update
+  // is a no-op and PNPM_HOME/bin is not created — fall back to pnpmHome,
+  // whose symlinks already point at the right version.
+  const updatedBinDir = path.join(pnpmHome, 'bin')
+  return { exitCode: 0, binDest: existsSync(updatedBinDir) ? updatedBinDir : pnpmHome }
 }
 
 function readTargetVersion(opts: {
   readonly version?: string | undefined
   readonly packageJsonFile: string
-}): string | undefined {
+}): string {
   const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
 
@@ -102,12 +129,15 @@ function readTargetVersion(opts: {
     }
   }
 
+  // packageManager is always exact `pnpm@<version>[+<integrity>]` per spec.
+  // Strip the integrity hash for self-update.
+  const packageManagerVersion =
+    typeof packageManager === 'string' && packageManager.startsWith('pnpm@')
+      ? packageManager.slice('pnpm@'.length).split('+')[0]
+      : undefined
+
   if (version) {
-    if (
+    if (packageManagerVersion && packageManagerVersion !== version) {
-      typeof packageManager === 'string' &&
-      packageManager.startsWith('pnpm@') &&
-      packageManager.replace('pnpm@', '') !== version
-    ) {
       throw new Error(`Multiple versions of pnpm specified:
   - version ${version} in the GitHub Action config with the key "version"
   - version ${packageManager} in the package.json with the key "packageManager"
@@ -117,13 +147,22 @@ Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_
     return version
   }
 
-  // pnpm will automatically download and switch to the right version
+  // Self-update the bootstrap pnpm to the version pinned in package.json so
-  if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
+  // PATH-resolved `pnpm` (and the bin_dest output) reflect the target
-    return undefined
+  // version. Without this, `pnpm store path` runs as the bootstrap and
+  // reports a different STORE_VERSION than the one the user's actual
+  // install writes to — breaking cache: true and actions/setup-node's
+  // `cache: pnpm` on cold caches (issue #233).
+  //
+  // devEngines.packageManager takes priority over packageManager, matching
+  // pnpm's getWantedPackageManager logic. `pnpm self-update` accepts both
+  // exact versions and semver ranges, so we pass either through directly.
+  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
+    return devEngines.packageManager.version
   }
 
-  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
+  if (packageManagerVersion) {
-    return undefined
+    return packageManagerVersion
   }
 
   if (!GITHUB_WORKSPACE) {
@@ -153,10 +192,11 @@ function getSystemNodeVersion(): Promise<{ major: number; minor: number }> {
   })
 }
 
-function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+function runCommand(cmd: string, args: string[], opts: { cwd: string; env?: Record<string, string | undefined> }): Promise<number> {
   return new Promise<number>((resolve, reject) => {
     const cp = spawn(cmd, args, {
       cwd: opts.cwd,
+      env: opts.env,
       stdio: ['pipe', 'inherit', 'inherit'],
       shell: process.platform === 'win32',
     })

src/outputs/index.ts

@@ -1,9 +1,7 @@
 import { setOutput } from '@actions/core'
 import { Inputs } from '../inputs'
-import { getBinDest } from '../utils'
 
-export function setOutputs(inputs: Inputs) {
+export function setOutputs(inputs: Inputs, binDest: string) {
-  const binDest = getBinDest(inputs)
   // NOTE: addPath is already called in installPnpm — do not call it again
   // here, as a second addPath would shadow the correct entry on Windows.
   setOutput('dest', inputs.dest)