fix: update pnpm to 11.1.1 (#248)

* fix: update pnpm to v11.1.1

* fix: update bundle

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>

.github/workflows/test.yaml

@@ -194,6 +194,54 @@ jobs:
           pnpm add is-odd
         shell: bash
 
+  standalone_windows_self_update:
+    # Regression guard for the patchPnpmEnv PATH-shadow bug. When
+    # standalone: true on Windows AND the requested pnpm differs from the
+    # bootstrap, the previous patchPnpmEnv prepended node_modules/.bin to
+    # PATH; that directory contains an npm-created pnpm.cmd shim pointing
+    # at the BOOTSTRAP pnpm, which shadowed the self-updated pnpm at
+    # $PNPM_HOME/bin and caused `pnpm install` inside the action to run
+    # under the bootstrap version. Exercising a newer-pnpm-only flag
+    # (`--no-runtime`, added in 11.1.0) makes the regression assertable:
+    # if the bootstrap (11.0.4) handles the install, it errors with
+    # "Unknown option: 'runtime'".
+    name: 'Standalone Windows self-update (PATH regression)'
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up package.json with a minimal manifest
+        # run_install needs a manifest to install against. Removing the
+        # repo's existing pnpm-lock.yaml avoids frozen-lockfile mismatch.
+        run: |
+          rm -f pnpm-lock.yaml
+          echo '{"name":"sw","private":true,"packageManager":"pnpm@11.1.0"}' > package.json
+        shell: bash
+
+      - name: Run the action
+        uses: ./
+        with:
+          version: 11.1.0
+          standalone: true
+          run_install: |
+            args: ['--no-runtime']
+
+      - name: 'Test: pnpm install completed under the self-updated pnpm'
+        # If the bug recurs, the previous step's run_install will have failed
+        # the job with "Unknown option: 'runtime'", so reaching this step
+        # implies success. Still verify the version on PATH matches request.
+        env:
+          REQUIRED: '11.1.0'
+        run: |
+          set -e
+          actual="$(pnpm --version)"
+          echo "pnpm --version: ${actual}"
+          if [ "${actual}" != "${REQUIRED}" ]; then
+            echo "Expected pnpm ${REQUIRED}, got ${actual}"
+            exit 1
+          fi
+        shell: bash
+
   cache_store_path:
     # Regression guard for #233. When package.json pins a pnpm major that
     # differs from the bootstrap pnpm's major, the bootstrap reports its

README.md

@@ -48,7 +48,7 @@ If `run_install` is a YAML string representation of either an object or an array
 
 ### `cache_dependency_path`
 
-**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
+**Optional** (_type:_ `string`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
 
 ### `package_json_file`
 
@@ -158,6 +158,33 @@ jobs:
 
 **Note:** You don't need to run `pnpm store prune` at the end; post-action has already taken care of that.
 
+### Cache dependencies from multiple lockfiles
+
+```yaml
+on:
+  - push
+  - pull_request
+
+jobs:
+  cache-and-install-multiple:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        with:
+          version: 10
+          cache: true
+          cache_dependency_path: |
+            one/pnpm-lock.yaml
+            two/pnpm-lock.yaml
+          run_install: |
+            - cwd: one
+            - cwd: two
+```
+
 ## Notes
 
 This action does not setup Node.js for you, use [actions/setup-node](https://github.com/actions/setup-node) yourself.

action.yml

@@ -20,7 +20,7 @@ inputs:
     required: false
     default: 'false'
   cache_dependency_path:
-    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
+    description: File path to the pnpm lockfile, whose contents hash will be used as a cache key. Accepts multiple paths delimited by newlines.
     required: false
     default: 'pnpm-lock.yaml'
   package_json_file:

src/install-pnpm/bootstrap/exe-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "@pnpm/exe": "11.0.4"
+        "@pnpm/exe": "11.1.1"
       }
     },
     "node_modules/@pnpm/exe": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
-      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.1.1.tgz",
+      "integrity": "sha512-5mQnDW1NCBRRWA+cnGhQO+tIrfSfWm3/IyGxU88LnT+tzNW5UrwwKfjsnnYJToyAjIfdfEJtJKUxCvP+mhA+nQ==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -28,20 +28,19 @@
         "url": "https://opencollective.com/pnpm"
       },
       "optionalDependencies": {
-        "@pnpm/linux-arm64": "11.0.4",
-        "@pnpm/linux-x64": "11.0.4",
-        "@pnpm/linuxstatic-arm64": "11.0.4",
-        "@pnpm/linuxstatic-x64": "11.0.4",
-        "@pnpm/macos-arm64": "11.0.4",
-        "@pnpm/macos-x64": "11.0.4",
-        "@pnpm/win-arm64": "11.0.4",
-        "@pnpm/win-x64": "11.0.4"
+        "@pnpm/linux-arm64": "11.1.1",
+        "@pnpm/linux-x64": "11.1.1",
+        "@pnpm/linuxstatic-arm64": "11.1.1",
+        "@pnpm/linuxstatic-x64": "11.1.1",
+        "@pnpm/macos-arm64": "11.1.1",
+        "@pnpm/win-arm64": "11.1.1",
+        "@pnpm/win-x64": "11.1.1"
       }
     },
     "node_modules/@pnpm/linux-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
-      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.1.1.tgz",
+      "integrity": "sha512-u9hs51XV0/gU5LLfNLoQsozGKIxNjxsh/0xPr+8Hny0M38psa4lBtwFvarL2bLToPIrtueQYi65LdlzRxITRyg==",
       "cpu": [
         "arm64"
       ],
@@ -55,9 +54,9 @@
       }
     },
     "node_modules/@pnpm/linux-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
-      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.1.1.tgz",
+      "integrity": "sha512-yQO9i57oyJmIG22BjV7sqLUT2syKQohiku8yNZRgp7M6wsVkikpVLLVSpBifQnrI/P/roueKnWSUEESH1aPaoA==",
       "cpu": [
         "x64"
       ],
@@ -71,9 +70,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
-      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.1.1.tgz",
+      "integrity": "sha512-FUZB8L9Z8L5m88G0RTx5AsHFr5yUQPW+28zQdTNUWxiLwj11FW/fOLodYdcNYHdNJFepsZyqt3aRnpiqIdZb2g==",
       "cpu": [
         "arm64"
       ],
@@ -90,9 +89,9 @@
       }
     },
     "node_modules/@pnpm/linuxstatic-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
-      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.1.1.tgz",
+      "integrity": "sha512-I/z56hfa1zM5F/Unup/1NrgsA+dcptsKQ2TjJLFz3wHKDx0RLrfF7DB0Rkpnr5IoAZ33v0GFZjlGhkOtc9VFGw==",
       "cpu": [
         "x64"
       ],
@@ -109,9 +108,9 @@
       }
     },
     "node_modules/@pnpm/macos-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
-      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.1.1.tgz",
+      "integrity": "sha512-YQu6fC27F4jTIpXhF+4PdzOV7uSnVVG9KUxj5W+AFj0XFlUvBw+I1NsoPCY6uV1nccxWpIAZOTZtSj8+hWPb8w==",
       "cpu": [
         "arm64"
       ],
@@ -124,26 +123,10 @@
         "url": "https://opencollective.com/pnpm"
       }
     },
-    "node_modules/@pnpm/macos-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
-      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
-      "cpu": [
-        "x64"
-      ],
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "funding": {
-        "url": "https://opencollective.com/pnpm"
-      }
-    },
     "node_modules/@pnpm/win-arm64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
-      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.1.1.tgz",
+      "integrity": "sha512-2HvZut3IcKPxzIfOjBJ4677PaLIh57mWccL86O+q71QhO5emnQvht0CE19IoEyUIOEe1WjlN+Su/dD5k6CuGyg==",
       "cpu": [
         "arm64"
       ],
@@ -157,9 +140,9 @@
       }
     },
     "node_modules/@pnpm/win-x64": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
-      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.1.1.tgz",
+      "integrity": "sha512-QXBIBErgPhGLovOVzTRIpHsejFKebyqlcF3fea/TfH87gkhN5yWH0WuTPRBoOWvpk6aNhjDW4RPUMx8RaPqxjw==",
       "cpu": [
         "x64"
       ],

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "pnpm": "11.0.4"
+        "pnpm": "11.1.1"
       }
     },
     "node_modules/pnpm": {
-      "version": "11.0.4",
-      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
-      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.1.1.tgz",
+      "integrity": "sha512-0f319zxhe2T6GlaoHDyN/g6WbjOmAQqiVrUXrne+Idk+Ba/8DeGoOw5PKdVp9otEaujwaM1yR8C7PfD7TXvfmg==",
       "license": "MIT",
       "bin": {
         "pn": "bin/pnpm.mjs",

src/pnpm-install/index.ts

@@ -1,11 +1,8 @@
 import { setFailed, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function runPnpmInstall(inputs: Inputs) {
-  const env = patchPnpmEnv(inputs)
-
   for (const options of inputs.runInstall) {
     const args = ['install']
     if (options.recursive) args.unshift('recursive')
@@ -14,11 +11,16 @@ export function runPnpmInstall(inputs: Inputs) {
     const cmdStr = ['pnpm', ...args].join(' ')
     startGroup(`Running ${cmdStr}...`)
 
+    // spawnSync inherits process.env, which already has $PNPM_HOME/bin and
+    // $PNPM_HOME prepended via addPath() in install-pnpm. Do NOT pass a
+    // hand-patched env that adds node_modules/.bin to the front — on
+    // Windows standalone, .bin/pnpm.cmd is an npm shim pointing at the
+    // BOOTSTRAP pnpm, which would shadow the self-updated one and break
+    // newer-pnpm-only behavior.
     const { error, status } = spawnSync('pnpm', args, {
       stdio: 'inherit',
       cwd: options.cwd,
       shell: true,
-      env,
     })
 
     endGroup()

src/pnpm-store-prune/index.ts

@@ -1,7 +1,6 @@
 import { warning, startGroup, endGroup } from '@actions/core'
 import { spawnSync } from 'child_process'
 import { Inputs } from '../inputs'
-import { patchPnpmEnv } from '../utils'
 
 export function pruneStore(inputs: Inputs) {
   if (inputs.runInstall.length === 0) {
@@ -10,10 +9,11 @@ export function pruneStore(inputs: Inputs) {
   }
 
   startGroup('Running pnpm store prune...')
+  // spawnSync inherits process.env (which has the right PATH from addPath
+  // in install-pnpm). See pnpm-install/index.ts for the rationale.
   const { error, status } = spawnSync('pnpm', ['store', 'prune'], {
     stdio: 'inherit',
     shell: true,
-    env: patchPnpmEnv(inputs),
   })
   endGroup()
 

src/utils/index.ts

@@ -1,10 +0,0 @@
-import path from 'path'
-import process from 'process'
-import { Inputs } from '../inputs'
-
-export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'node_modules', '.bin')
-
-export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
-  ...process.env,
-  PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH,
-})