fix(ci): pin pnpm to v10 and approve builds via onlyBuiltDependencies #3

Merged
PAMulligan merged 1 commit into main from fix/ci-pnpm-build-approval on Jun 27, 2026
@PAMulligan

Root cause

CI's pnpm/action-setup@v4 used version: latest, which floated onto pnpm 11. pnpm 11 hard-fails pnpm install --frozen-lockfile with ERR_PNPM_IGNORED_BUILDS when a dependency has an unapproved native build script (esbuild). The earlier allowBuilds: workaround is a pnpm v11-only key that is silently ignored on v10 — and v11 in turn ignores the documented v10 onlyBuiltDependencies key. So the approval mechanism is version-dependent, and a floating pnpm version can re-break it at any time.

One-line: pnpm v10+ blocks dependency build scripts; standardized on the documented onlyBuiltDependencies approval and pinned pnpm to v10 (v11 renames the key to allowBuilds).

Fix

  • Pin pnpm to v10: pnpm/action-setup@v6 with version: 10 in all four jobs (was @v4 version: latest). No packageManager field added, so version: 10 is the single source of truth.
  • Documented approval — replaced allowBuilds: with onlyBuiltDependencies: [esbuild, sharp] in app/pnpm-workspace.yaml.
  • Clear Node 20 deprecation — bumped actions/checkout@v7, actions/setup-node@v6, actions/upload-artifact@v7.

No lockfile regeneration required (--frozen-lockfile stays valid). No masking flags (no || true, no --no-frozen-lockfile, no disabled checks).

Verification (local, reproduced before & after)

| pnpm | config | result |
| --- | --- | --- |
| 11.9.0 | none | ERR_PNPM_IGNORED_BUILDS, exit 1 — reproduces the original failure |
| 11.9.0 | onlyBuiltDependencies | ❌ exit 1 — v11 ignores this key |
| 10.15.1 | none | ⚠️ warning, exit 0 |
| 10.15.1 | onlyBuiltDependencies | ✅ esbuild postinstall runs, exit 0, lockfile valid |
| real app/, committed files | | ✅ exit 0, no warning, no approve-builds prompt; esbuild binary verified working |

Note: sharp@0.35.2 has no install-time script (prebuilt @img/* binaries); it is listed defensively. The action major bumps use only standard inputs but can't be exercised locally — they'll be confirmed on first CI run.

🤖 Generated with Claude Code

CI's `pnpm/action-setup version: latest` floated onto pnpm 11, which
hard-fails `pnpm install --frozen-lockfile` with ERR_PNPM_IGNORED_BUILDS
on unapproved native build scripts (esbuild). pnpm 11 also ignores the
documented v10 `onlyBuiltDependencies` key (it renames it to `allowBuilds`),
so the prior `allowBuilds` workaround was inert on v10 and the approval
mechanism is version-dependent.

- Pin pnpm/action-setup@v6 with version: 10 in all jobs (was @v4 latest)
- Replace non-standard allowBuilds with documented onlyBuiltDependencies
  (esbuild, sharp) in app/pnpm-workspace.yaml
- Bump checkout@v7, setup-node@v6, upload-artifact@v7 (clears the Node 20
  deprecation warning)

Verified locally on pnpm 10.15.1: frozen install exits 0 and runs esbuild's
build script; lockfile unchanged (frozen-lockfile stays valid). Reproduced
the original ERR_PNPM_IGNORED_BUILDS failure on pnpm 11.9.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@PAMulligan PAMulligan merged commit bed7968 into main Jun 27, 2026
4 checks passed
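
A guard for the version-dependent approval described in this PR, as an added example that is not part of the pull request or the repository: it checks that every pnpm/action-setup step pins a numeric major and that pnpm-workspace.yaml carries the build-approval key that major honours. The function names, the line-based YAML scan and the sample inputs are assumptions made for illustration; the key-to-version mapping is the one stated in the PR text.

```javascript
// Added example (not the repository's code). Which key each pnpm major
// honours is taken from the PR text above.
const APPROVAL_KEY = { 10: 'onlyBuiltDependencies', 11: 'allowBuilds' };

// Collect the `version:` input of every pnpm/action-setup step in a workflow.
function pnpmVersions(workflowYaml) {
  const versions = [];
  let inSetup = false;
  for (const line of workflowYaml.split('\n')) {
    if (/^\s*-\s/.test(line)) inSetup = false; // a new step begins
    if (/uses:\s*pnpm\/action-setup@/.test(line)) inSetup = true;
    const m = inSetup && line.match(/^\s*version:\s*['"]?([^'"\s#]+)/);
    if (m) { versions.push(m[1]); inSetup = false; }
  }
  return versions;
}

// Top-level build-approval keys present in pnpm-workspace.yaml.
function approvalKeys(workspaceYaml) {
  return workspaceYaml.split('\n')
    .map((l) => (l.match(/^([A-Za-z]+):/) || [])[1])
    .filter((k) => Object.values(APPROVAL_KEY).includes(k));
}

// Return a list of problems; an empty list means pin and approval key agree.
function checkPnpmApproval(workflowYaml, workspaceYaml) {
  const problems = [];
  const versions = pnpmVersions(workflowYaml);
  const keys = approvalKeys(workspaceYaml);
  if (versions.length === 0) problems.push('no pnpm/action-setup version found');
  for (const v of new Set(versions)) {
    const major = Number(v.split('.')[0]);
    if (!Number.isInteger(major)) { problems.push(`pnpm version "${v}" floats`); continue; }
    const wanted = APPROVAL_KEY[major];
    if (!wanted) problems.push(`no approval key known for pnpm ${major}`);
    else if (!keys.includes(wanted)) problems.push(`pnpm ${major} needs ${wanted}; found ${keys.join(', ') || 'no approval key'}`);
  }
  return problems;
}

// Constructed samples modelled on the PR description (not the repository's files).
const step = (v) => `steps:\n  - uses: pnpm/action-setup@v6\n    with:\n      version: ${v}\n  - run: pnpm install --frozen-lockfile\n`;
const V10_KEY = 'packages:\n  - .\nonlyBuiltDependencies:\n  - esbuild\n  - sharp\n';
const V11_KEY = 'packages:\n  - .\nallowBuilds:\n  esbuild: true\n'; // value shape is constructed

console.log(checkPnpmApproval(step('latest'), V11_KEY)); // floating version flagged
console.log(checkPnpmApproval(step(10), V11_KEY));       // key mismatch flagged
console.log(checkPnpmApproval(step(10), V10_KEY));       // []
```

Run as a CI step before `pnpm install`, with the two file contents read from disk, a non-empty result fails the job with a message that names the mismatch.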