diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index faf0b1c..39511b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,11 +15,11 @@ jobs:
 name: Lint & Format
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
@@ -31,11 +31,11 @@ jobs:
 name: Type Check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
@@ -47,18 +47,18 @@ jobs:
 name: Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
 cache-dependency-path: app/pnpm-lock.yaml
 - run: pnpm install --frozen-lockfile
 - run: pnpm test
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@v7
 if: always()
 with:
 name: coverage-report
@@ -70,11 +70,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: [lint, typecheck, test]
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
diff --git a/app/pnpm-workspace.yaml b/app/pnpm-workspace.yaml
index f1823ff..4a0c0ff 100644
--- a/app/pnpm-workspace.yaml
+++ b/app/pnpm-workspace.yaml
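Review bot: In .github/workflows/ci.yml every bumped `uses:` line still references its action by a mutable major tag (`actions/checkout@v7`, `pnpm/action-setup@v6`, `actions/setup-node@v6`, `actions/upload-artifact@v7`), so the code that runs in CI can change without any commit to this repository. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: pnpm/action-setup@<full-commit-sha> # v6`, makes each bump a reviewable diff; this matters most for the third-party pnpm action. The same applies to all four hunks (the lint, typecheck and test jobs and the job that needs them). `version: 10` likewise floats within the major; an exact version there, or a `packageManager` field in package.json if the project keeps one, would make the installed pnpm reproducible.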
@@ -1,6 +1,13 @@
-# pnpm build-script approval. pnpm v11 replaced onlyBuiltDependencies with
-# `allowBuilds`; this allows esbuild's (and sharp's) postinstall so CI's
-# `pnpm install --frozen-lockfile` passes instead of ERR_PNPM_IGNORED_BUILDS.
-allowBuilds:
- esbuild: true
- sharp: true
+# Approve the dependencies allowed to run install/build scripts during
+# `pnpm install` (pnpm blocks dependency build scripts by default). This is
+# pnpm v10's documented mechanism — https://pnpm.io/settings#onlybuiltdependencies
+# — so CI's `pnpm install --frozen-lockfile` runs them and exits 0 instead of
+# failing with ERR_PNPM_IGNORED_BUILDS.
+#
+# The pnpm major is pinned to 10 in .github/workflows/ci.yml because pnpm v11
+# renames this key to `allowBuilds` (and ignores `onlyBuiltDependencies`); keep
+# the two in sync. esbuild ships a native postinstall; sharp is listed
+# defensively (it uses prebuilt @img/* binaries today, with no install script).
+onlyBuiltDependencies:
+ - esbuild
+ - sharp
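Review bot: The `- sharp` entry under `onlyBuiltDependencies` approves install scripts for a package that, per the comment two lines above it, has none today. The entry therefore grants nothing now and pre-authorises whatever script a later sharp release introduces, so that script would run in CI on the next lockfile bump without anyone revisiting the allowlist. Keeping the list to what is actually needed, `onlyBuiltDependencies:` followed by only `- esbuild`, lets pnpm's default block surface a new sharp build script as an explicit failure to review. I would also reword the last comment sentence to `# sharp is intentionally not listed: it uses prebuilt @img/* binaries and has no install script.` so the omission reads as deliberate.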