fix(ci): pin pnpm to v10 and approve builds via onlyBuiltDependencies #3
Merged
CI's `pnpm/action-setup version: latest` floated onto pnpm 11, which hard-fails `pnpm install --frozen-lockfile` with ERR_PNPM_IGNORED_BUILDS on unapproved native build scripts (esbuild). pnpm 11 also ignores the documented v10 `onlyBuiltDependencies` key (it renames it to `allowBuilds`), so the prior `allowBuilds` workaround was inert on v10 and the approval mechanism is version-dependent.

- Pin pnpm/action-setup@v6 with version: 10 in all jobs (was @v4 latest)
- Replace non-standard allowBuilds with documented onlyBuiltDependencies (esbuild, sharp) in app/pnpm-workspace.yaml
- Bump checkout@v7, setup-node@v6, upload-artifact@v7 (clears the Node 20 deprecation warning)

Verified locally on pnpm 10.15.1: frozen install exits 0 and runs esbuild's build script; lockfile unchanged (frozen-lockfile stays valid). Reproduced the original ERR_PNPM_IGNORED_BUILDS failure on pnpm 11.9.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root cause

CI's `pnpm/action-setup@v4` used `version: latest`, which floated onto pnpm 11. pnpm 11 hard-fails `pnpm install --frozen-lockfile` with `ERR_PNPM_IGNORED_BUILDS` when a dependency has an unapproved native build script (esbuild). The earlier `allowBuilds:` workaround is a pnpm v11-only key that is silently ignored on v10 — and v11 in turn ignores the documented v10 `onlyBuiltDependencies` key. So the approval mechanism is version-dependent, and a floating pnpm version can re-break it at any time.

One-line: pnpm v10+ blocks dependency build scripts; standardized on the documented `onlyBuiltDependencies` approval and pinned pnpm to v10 (v11 renames the key to `allowBuilds`).

Fix

- Pin `pnpm/action-setup@v6` with `version: 10` in all four jobs (was `@v4` `version: latest`). No `packageManager` field added, so `version: 10` is the single source of truth.
- Replace `allowBuilds:` with `onlyBuiltDependencies: [esbuild, sharp]` in `app/pnpm-workspace.yaml`.
- Bump `actions/checkout@v7`, `actions/setup-node@v6`, `actions/upload-artifact@v7`.

No lockfile regeneration required (`--frozen-lockfile` stays valid). No masking flags (no `|| true`, no `--no-frozen-lockfile`, no disabled checks).

Verification (local, reproduced before & after)

- `ERR_PNPM_IGNORED_BUILDS`, exit 1 — reproduces the original failure
- `onlyBuiltDependencies`
- `onlyBuiltDependencies`
- `app/`, committed files

Note: `sharp@0.35.2` has no install-time script (prebuilt `@img/*` binaries); it is listed defensively. The action major bumps use only standard inputs but can't be exercised locally — they'll be confirmed on first CI run.

🤖 Generated with Claude Code
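Added example, not part of this pull request: a small Python check that flags the two conditions the description identifies, a `pnpm/action-setup` step whose `version` is not a number, and a build-approval key that the pinned pnpm major does not read. The key-to-major mapping is taken from the description above as an assumption; the function names and the sample YAML are constructed for illustration.

```python
import re

# Approval key each pnpm major reads, as stated in the PR description above
# (taken from the page as an assumption, not checked against pnpm itself).
APPROVAL_KEY = {10: "onlyBuiltDependencies", 11: "allowBuilds"}

def pnpm_versions(workflow):
    """`version:` input of every pnpm/action-setup step ('' when unset)."""
    found = []
    for step in re.split(r"(?m)^\s*-\s", workflow):  # one chunk per list item
        if re.search(r"uses:\s*pnpm/action-setup@", step):
            m = re.search(r"(?m)^\s*version:\s*['\"]?([\w.]+)", step)
            found.append(m.group(1) if m else "")
    return found

def audit(workflow, workspace):
    """Return findings for a workflow file and a pnpm-workspace.yaml, both as text."""
    findings, majors = [], set()
    for v in pnpm_versions(workflow):
        if re.fullmatch(r"\d+(\.\d+)*", v):
            majors.add(int(v.split(".")[0]))
        else:
            findings.append(f"pnpm version is not pinned to a number: {v or 'unset'}")
    if len(majors) > 1:
        findings.append(f"jobs pin different pnpm majors: {sorted(majors)}")
    keys = set(re.findall(r"(?m)^(\w+):", workspace))  # top-level keys only
    for major in sorted(majors):
        want = APPROVAL_KEY.get(major)
        if want and want not in keys:
            findings.append(f"pnpm {major} reads {want}, which is missing")
    read = {APPROVAL_KEY.get(m) for m in majors}
    for key in sorted(keys & set(APPROVAL_KEY.values())):
        if majors and key not in read:
            findings.append(f"{key} is present but ignored by the pinned pnpm")
    return findings

# Constructed sample inputs (not the repository's real files).
FLOATING = "steps:\n  - uses: pnpm/action-setup@v4\n    with:\n      version: latest\n"
PINNED = "steps:\n  - uses: pnpm/action-setup@v6\n    with:\n      version: 10\n"
WS_V11_KEY = "allowBuilds:\n  esbuild: true\n"
WS_V10_KEY = "onlyBuiltDependencies:\n  - esbuild\n  - sharp\n"

if __name__ == "__main__":
    for name, wf, ws in [("floating", FLOATING, WS_V11_KEY),
                         ("pinned, wrong key", PINNED, WS_V11_KEY),
                         ("pinned, matching key", PINNED, WS_V10_KEY)]:
        print(name, "->", audit(wf, ws) or "ok")
```

The parsing is line-based and only looks at top-level keys, so it suits a quick pre-merge check rather than a full YAML validation.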