From d31368a2d90b645edfd2955b82804779d988f4d6 Mon Sep 17 00:00:00 2001
From: Paul Mulligan
Date: Sat, 27 Jun 2026 11:33:27 -0400
Subject: [PATCH] fix(ci): pin pnpm to v10 and approve builds via onlyBuiltDependencies
CI's `pnpm/action-setup version: latest` floated onto pnpm 11, which hard-fails `pnpm install --frozen-lockfile` with ERR_PNPM_IGNORED_BUILDS on unapproved native build scripts (esbuild). pnpm 11 also ignores the documented v10 `onlyBuiltDependencies` key (it renames it to `allowBuilds`), so the prior `allowBuilds` workaround was inert on v10 and the approval mechanism is version-dependent.
- Pin pnpm/action-setup@v6 with version: 10 in all jobs (was @v4 latest)
- Replace non-standard allowBuilds with documented onlyBuiltDependencies (esbuild, sharp) in app/pnpm-workspace.yaml
- Bump checkout@v7, setup-node@v6, upload-artifact@v7 (clears the Node 20 deprecation warning)
Verified locally on pnpm 10.15.1: frozen install exits 0 and runs esbuild's build script; lockfile unchanged (frozen-lockfile stays valid). Reproduced the original ERR_PNPM_IGNORED_BUILDS failure on pnpm 11.9.0.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/ci.yml | 34 +++++++++++++++++-----------------
 app/pnpm-workspace.yaml | 19 +++++++++++++------
 2 files changed, 30 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index faf0b1c..39511b6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,11 +15,11 @@ jobs:
 name: Lint & Format
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
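Review bot: The action references on the `+` lines of this hunk (`actions/checkout@v7`, `pnpm/action-setup@v6`, `actions/setup-node@v6`) are mutable major tags, so the workflow still executes whatever those tags point to at run time; pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v7`, would make the action pin as reproducible as the lockfile pin this commit is trying to achieve. `version: 10` likewise floats across every pnpm 10.x minor, while the commit message says 10.15.1 was what was verified, so `version: 10.15.1` (or, as far as I know, a `packageManager` field in app/package.json, which pnpm/action-setup falls back to when `version` is omitted) would pin what was actually tested. The same four-line step block is repeated verbatim in the hunks at -31, -47 and -70 (the -47 hunk also bumps `actions/upload-artifact@v7`), so a Dependabot `github-actions` ecosystem entry or a composite action would keep these pins in one place rather than four. The `lint` job whose steps this hunk edits starts and ends outside the hunk.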
@@ -31,11 +31,11 @@ jobs:
 name: Type Check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
@@ -47,18 +47,18 @@ jobs:
 name: Test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
 cache-dependency-path: app/pnpm-lock.yaml
 - run: pnpm install --frozen-lockfile
 - run: pnpm test
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@v7
 if: always()
 with:
 name: coverage-report
@@ -70,11 +70,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: [lint, typecheck, test]
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@v7
+ - uses: pnpm/action-setup@v6
 with:
- version: latest
- - uses: actions/setup-node@v4
+ version: 10
+ - uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: pnpm
diff --git a/app/pnpm-workspace.yaml b/app/pnpm-workspace.yaml
index f1823ff..4a0c0ff 100644
--- a/app/pnpm-workspace.yaml
+++ b/app/pnpm-workspace.yaml
@@ -1,6 +1,13 @@
-# pnpm build-script approval. pnpm v11 replaced onlyBuiltDependencies with
-# `allowBuilds`; this allows esbuild's (and sharp's) postinstall so CI's
-# `pnpm install --frozen-lockfile` passes instead of ERR_PNPM_IGNORED_BUILDS.
-allowBuilds:
- esbuild: true
- sharp: true
+# Approve the dependencies allowed to run install/build scripts during
+# `pnpm install` (pnpm blocks dependency build scripts by default). This is
+# pnpm v10's documented mechanism — https://pnpm.io/settings#onlybuiltdependencies
+# — so CI's `pnpm install --frozen-lockfile` runs them and exits 0 instead of
+# failing with ERR_PNPM_IGNORED_BUILDS.
+#
+# The pnpm major is pinned to 10 in .github/workflows/ci.yml because pnpm v11
+# renames this key to `allowBuilds` (and ignores `onlyBuiltDependencies`); keep
+# the two in sync. esbuild ships a native postinstall; sharp is listed
+# defensively (it uses prebuilt @img/* binaries today, with no install script).
+onlyBuiltDependencies:
+ - esbuild
+ - sharp
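Review bot: The added `- sharp` entry under `onlyBuiltDependencies` pre-approves install-script execution for a package that, by the new comment's own account, ships no install script today, so the entry does nothing now and would silently authorize whatever script a future sharp release adds, whereas omitting it keeps pnpm's default of failing loudly with ERR_PNPM_IGNORED_BUILDS the first time one appears and forcing a deliberate review. I would drop `- sharp` and the "listed defensively" sentence, or at minimum extend the comment with `# Each entry here grants that package arbitrary code execution at install time; re-review on every upgrade.` so the next maintainer treats additions as trust decisions rather than convenience. The "keep the two in sync" coupling with .github/workflows/ci.yml could be made mechanical by declaring the pnpm version once in a `packageManager` field in app/package.json, which Corepack honours and which, as far as I know, pnpm/action-setup falls back to when no `version` input is given. As a style point, the file has no leading `---` document marker, which yamllint's document-start rule flags.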