From c9eb412a69103dd68206924507aad853b8a2c2fc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:46 +0000 Subject: [PATCH 1/7] feat!: replace bundled pnpm binary with npm + lockfile bootstrap (#212) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat!: replace bundled pnpm binary with npm + lockfile bootstrap Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with committed package-lock.json files (~5KB) to install a bootstrap pnpm, which then installs the target version with integrity verification via the project's pnpm-lock.yaml. Also switch from ncc to esbuild and modernize to ESM. Co-Authored-By: Claude Opus 4.6 * fix: bundle as CJS to support @actions/* packages The @actions/* packages use CJS require() for Node.js builtins, which fails with "Dynamic require of 'os' is not supported" when bundled as ESM. Switch esbuild output to CJS format. Co-Authored-By: Claude Opus 4.6 * fix: remove "type": "module" from package.json Node.js treats dist/index.js as ESM due to "type": "module", but the bundle uses CJS require() calls. Remove the field so Node.js defaults to CJS for .js files. Co-Authored-By: Claude Opus 4.6 * fix: remove packageManager field and fix Windows npm spawn - Remove packageManager from package.json to avoid version conflict when the action tests against itself (uses: ./) - Use shell: true on Windows so spawn can find npm.cmd Co-Authored-By: Claude Opus 4.6 * fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile The bootstrap only needs regular pnpm to install the target package. @pnpm/exe requires install scripts which we skip with --ignore-scripts. Also regenerate pnpm-lock.yaml to match current package.json. Co-Authored-By: Claude Opus 4.6 * fix: use --no-lockfile for target install --lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm to use the project's pnpm-lock.yaml (which tracks project deps, not pnpm itself), corrupting the install. Revert to --no-lockfile for now. Lockfile-based integrity verification can be added when pnpm v11 has proper support for verifying the pnpm package itself. Co-Authored-By: Claude Opus 4.6 * fix: run bootstrap pnpm via node instead of bin shim Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching the approach used by the old bundled pnpm.cjs. This avoids issues with the .bin symlink on different platforms. Co-Authored-By: Claude Opus 4.6 * refactor: use pnpm self-update instead of installing target separately - Bootstrap pnpm via npm ci (verified by lockfile) - Use `pnpm self-update ` for explicit version - Let pnpm handle packageManager field automatically - Remove standalone/exe-specific install logic (pnpm handles this) - Update tests to not run pnpm install against the action repo itself Co-Authored-By: Claude Opus 4.6 * feat: support standalone mode with @pnpm/exe bootstrap - When standalone=true, bootstrap with @pnpm/exe via npm ci - When standalone=false, bootstrap with pnpm via npm ci - Both use pnpm self-update to reach the target version - Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run - Add standalone test back to CI Co-Authored-By: Claude Opus 4.6 * debug: add logging to diagnose pnpm not found on PATH Log .bin directory contents after npm ci to understand why pnpm binary is not found in subsequent CI steps. Co-Authored-By: Claude Opus 4.6 * fix: ensure pnpm bin link exists after npm ci npm ci sometimes doesn't create the .bin/pnpm symlink for @pnpm/exe (observed on Linux CI). Manually create the symlink if it's missing after npm ci completes. This fixes the case where standalone=true with no explicit version (relying on packageManager field) — pnpm self-update wouldn't run, leaving .bin empty and pnpm not found on PATH. Co-Authored-By: Claude Opus 4.6 * fix: add PNPM_HOME/bin to PATH for pnpm v11 pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin. Add the new bin subdirectory to PATH so that pnpm's global bin directory check passes. This is backwards compatible — the extra PATH entry is harmless for older pnpm versions. Co-Authored-By: Claude Opus 4.6 (1M context) * fix: add packages field to pnpm-workspace.yaml pnpm v9 requires the packages field in pnpm-workspace.yaml. Without it, `pnpm --version` fails with "packages field missing or empty". Co-Authored-By: Claude Opus 4.6 (1M context) * fix pnpm-workspace.yaml --------- Co-authored-by: Claude Opus 4.6 --- src/install-pnpm/run.ts | 118 +++++++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 50 deletions(-) diff --git a/src/install-pnpm/run.ts b/src/install-pnpm/run.ts index 005c500..0c20f6d 100644 --- a/src/install-pnpm/run.ts +++ b/src/install-pnpm/run.ts @@ -1,63 +1,76 @@ import { addPath, exportVariable } from '@actions/core' import { spawn } from 'child_process' -import { rm, writeFile, mkdir, copyFile } from 'fs/promises' -import { readFileSync } from 'fs' +import { rm, writeFile, mkdir, symlink } from 'fs/promises' +import { readFileSync, existsSync } from 'fs' import path from 'path' -import { execPath } from 'process' import util from 'util' import { Inputs } from '../inputs' import { parse as parseYaml } from 'yaml' +import pnpmLock from './bootstrap/pnpm-lock.json' +import exeLock from './bootstrap/exe-lock.json' + +const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } }) +const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } }) export async function runSelfInstaller(inputs: Inputs): Promise { const { version, dest, packageJsonFile, standalone } = inputs - const { GITHUB_WORKSPACE } = process.env - // prepare self install + // Install bootstrap pnpm via npm (integrity verified by committed lockfile) await rm(dest, { recursive: true, force: true }) - // create dest directory after removal await mkdir(dest, { recursive: true }) - const pkgJson = path.join(dest, 'package.json') - // we have ensured the dest directory exists, we can write the file directly - await writeFile(pkgJson, JSON.stringify({ private: true })) - // copy .npmrc if it exists to install from custom registry - if (GITHUB_WORKSPACE) { - try { - await copyFile(path.join(GITHUB_WORKSPACE, '.npmrc'), path.join(dest, '.npmrc')) - } catch (error) { - // Swallow error if .npmrc doesn't exist - if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error - } + const lockfile = standalone ? exeLock : pnpmLock + const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON + await writeFile(path.join(dest, 'package.json'), packageJson) + await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile)) + + const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest }) + if (npmExitCode !== 0) { + return npmExitCode } - // prepare target pnpm - const target = await readTarget({ version, packageJsonFile, standalone }) - const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], { - cwd: dest, - stdio: ['pipe', 'inherit', 'inherit'], - }) + const pnpmHome = path.join(dest, 'node_modules', '.bin') + addPath(pnpmHome) + addPath(path.join(pnpmHome, 'bin')) + exportVariable('PNPM_HOME', pnpmHome) + + // Ensure pnpm bin link exists — npm ci sometimes doesn't create it + const pnpmBinLink = path.join(pnpmHome, 'pnpm') + if (!existsSync(pnpmBinLink)) { + await mkdir(pnpmHome, { recursive: true }) + const target = standalone + ? path.join('..', '@pnpm', 'exe', 'pnpm') + : path.join('..', 'pnpm', 'bin', 'pnpm.cjs') + await symlink(target, pnpmBinLink) + } - const exitCode = await new Promise((resolve, reject) => { - cp.on('error', reject) - cp.on('close', resolve) - }) - if (exitCode === 0) { - const pnpmHome = path.join(dest, 'node_modules/.bin') - addPath(pnpmHome) - exportVariable('PNPM_HOME', pnpmHome) + const bootstrapPnpm = standalone + ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm') + : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.cjs') + + // Determine the target version + const targetVersion = readTargetVersion({ version, packageJsonFile }) + + if (targetVersion) { + const cmd = standalone ? bootstrapPnpm : process.execPath + const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion] + const exitCode = await runCommand(cmd, args, { cwd: dest }) + if (exitCode !== 0) { + return exitCode + } } - return exitCode + + return 0 } -async function readTarget(opts: { +function readTargetVersion(opts: { readonly version?: string | undefined readonly packageJsonFile: string - readonly standalone: boolean -}) { - const { version, packageJsonFile, standalone } = opts +}): string | undefined { + const { version, packageJsonFile } = opts const { GITHUB_WORKSPACE } = process.env - let packageManager + let packageManager: unknown if (GITHUB_WORKSPACE) { try { @@ -84,7 +97,12 @@ async function readTarget(opts: { Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`) } - return `${ standalone ? '@pnpm/exe' : 'pnpm' }@${version}` + return version + } + + if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) { + // pnpm will handle version management via packageManager field + return undefined } if (!GITHUB_WORKSPACE) { @@ -94,22 +112,22 @@ please run the actions/checkout before pnpm/action-setup. Otherwise, please specify the pnpm version in the action configuration.`) } - if (typeof packageManager !== 'string') { - throw new Error(`No pnpm version is specified. + throw new Error(`No pnpm version is specified. Please specify it by one of the following ways: - in the GitHub Action config with the key "version" - in the package.json with the key "packageManager"`) - } - - if (!packageManager.startsWith('pnpm@')) { - throw new Error('Invalid packageManager field in package.json') - } - - if (standalone) { - return packageManager.replace('pnpm@', '@pnpm/exe@') - } +} - return packageManager +function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise { + return new Promise((resolve, reject) => { + const cp = spawn(cmd, args, { + cwd: opts.cwd, + stdio: ['pipe', 'inherit', 'inherit'], + shell: process.platform === 'win32', + }) + cp.on('error', reject) + cp.on('close', resolve) + }) } export default runSelfInstaller From 532d80d8a6bfa2aaf69f8984f19c01152542e4d4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:47 +0000 Subject: [PATCH 2/7] feat!: replace bundled pnpm binary with npm + lockfile bootstrap (#212) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat!: replace bundled pnpm binary with npm + lockfile bootstrap Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with committed package-lock.json files (~5KB) to install a bootstrap pnpm, which then installs the target version with integrity verification via the project's pnpm-lock.yaml. Also switch from ncc to esbuild and modernize to ESM. Co-Authored-By: Claude Opus 4.6 * fix: bundle as CJS to support @actions/* packages The @actions/* packages use CJS require() for Node.js builtins, which fails with "Dynamic require of 'os' is not supported" when bundled as ESM. Switch esbuild output to CJS format. Co-Authored-By: Claude Opus 4.6 * fix: remove "type": "module" from package.json Node.js treats dist/index.js as ESM due to "type": "module", but the bundle uses CJS require() calls. Remove the field so Node.js defaults to CJS for .js files. Co-Authored-By: Claude Opus 4.6 * fix: remove packageManager field and fix Windows npm spawn - Remove packageManager from package.json to avoid version conflict when the action tests against itself (uses: ./) - Use shell: true on Windows so spawn can find npm.cmd Co-Authored-By: Claude Opus 4.6 * fix: always use pnpm (not @pnpm/exe) for bootstrap and update lockfile The bootstrap only needs regular pnpm to install the target package. @pnpm/exe requires install scripts which we skip with --ignore-scripts. Also regenerate pnpm-lock.yaml to match current package.json. Co-Authored-By: Claude Opus 4.6 * fix: use --no-lockfile for target install --lockfile-dir pointing to GITHUB_WORKSPACE causes the bootstrap pnpm to use the project's pnpm-lock.yaml (which tracks project deps, not pnpm itself), corrupting the install. Revert to --no-lockfile for now. Lockfile-based integrity verification can be added when pnpm v11 has proper support for verifying the pnpm package itself. Co-Authored-By: Claude Opus 4.6 * fix: run bootstrap pnpm via node instead of bin shim Use `node .../pnpm/bin/pnpm.cjs` to run the bootstrap pnpm, matching the approach used by the old bundled pnpm.cjs. This avoids issues with the .bin symlink on different platforms. Co-Authored-By: Claude Opus 4.6 * refactor: use pnpm self-update instead of installing target separately - Bootstrap pnpm via npm ci (verified by lockfile) - Use `pnpm self-update ` for explicit version - Let pnpm handle packageManager field automatically - Remove standalone/exe-specific install logic (pnpm handles this) - Update tests to not run pnpm install against the action repo itself Co-Authored-By: Claude Opus 4.6 * feat: support standalone mode with @pnpm/exe bootstrap - When standalone=true, bootstrap with @pnpm/exe via npm ci - When standalone=false, bootstrap with pnpm via npm ci - Both use pnpm self-update to reach the target version - Remove --ignore-scripts from npm ci so @pnpm/exe install scripts run - Add standalone test back to CI Co-Authored-By: Claude Opus 4.6 * debug: add logging to diagnose pnpm not found on PATH Log .bin directory contents after npm ci to understand why pnpm binary is not found in subsequent CI steps. Co-Authored-By: Claude Opus 4.6 * fix: ensure pnpm bin link exists after npm ci npm ci sometimes doesn't create the .bin/pnpm symlink for @pnpm/exe (observed on Linux CI). Manually create the symlink if it's missing after npm ci completes. This fixes the case where standalone=true with no explicit version (relying on packageManager field) — pnpm self-update wouldn't run, leaving .bin empty and pnpm not found on PATH. Co-Authored-By: Claude Opus 4.6 * fix: add PNPM_HOME/bin to PATH for pnpm v11 pnpm v11 moved global binaries from PNPM_HOME to PNPM_HOME/bin. Add the new bin subdirectory to PATH so that pnpm's global bin directory check passes. This is backwards compatible — the extra PATH entry is harmless for older pnpm versions. Co-Authored-By: Claude Opus 4.6 (1M context) * fix: add packages field to pnpm-workspace.yaml pnpm v9 requires the packages field in pnpm-workspace.yaml. Without it, `pnpm --version` fails with "packages field missing or empty". Co-Authored-By: Claude Opus 4.6 (1M context) * fix pnpm-workspace.yaml --------- Co-authored-by: Claude Opus 4.6 --- src/utils/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/utils/index.ts b/src/utils/index.ts index efc5ea1..2d83874 100644 --- a/src/utils/index.ts +++ b/src/utils/index.ts @@ -6,5 +6,5 @@ export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'no export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({ ...process.env, - PATH: getBinDest(inputs) + path.delimiter + process.env.PATH, + PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH, }) From 7e508ecb56d3161ff78596c9a3861afd4801b7db Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:49 +0000 Subject: [PATCH 3/7] fix: extract pnpm version from packageManager field instead of returning undefined (#216) When packageManager is set to e.g. "pnpm@9.1.0+sha...", strip the "pnpm@" prefix and any "+sha..." hash suffix so the action installs the correct version. Previously returning undefined caused failures on Windows. --- src/install-pnpm/run.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/install-pnpm/run.ts b/src/install-pnpm/run.ts index 0c20f6d..6499130 100644 --- a/src/install-pnpm/run.ts +++ b/src/install-pnpm/run.ts @@ -101,8 +101,8 @@ Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_ } if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) { - // pnpm will handle version management via packageManager field - return undefined + // Strip the "pnpm@" prefix and any "+sha..." hash suffix + return packageManager.replace('pnpm@', '').replace(/\+.*$/, '') } if (!GITHUB_WORKSPACE) { From b9fadf699ba7d7c50efcbffa7fc7f36f5cf66a30 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:52 +0000 Subject: [PATCH 4/7] feat: read pnpm version from devEngines.packageManager (#211) * feat: read pnpm version from devEngines.packageManager field When no version is specified in the action config or the packageManager field of package.json, fall back to devEngines.packageManager. Co-Authored-By: Claude Opus 4.6 * feat: skip self-update for devEngines.packageManager and add CI tests pnpm auto-switches to the right version when devEngines.packageManager is set, so self-update is unnecessary. This also enables range support (e.g. ">=9.15.0") which self-update doesn't handle. --------- Co-authored-by: Claude Opus 4.6 --- src/install-pnpm/run.ts | 43 ++++++++++++++++++++++++++++++++--------- 1 file changed, 34 insertions(+), 9 deletions(-) diff --git a/src/install-pnpm/run.ts b/src/install-pnpm/run.ts index 6499130..c4a484a 100644 --- a/src/install-pnpm/run.ts +++ b/src/install-pnpm/run.ts @@ -13,7 +13,12 @@ const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } }) export async function runSelfInstaller(inputs: Inputs): Promise { - const { version, dest, packageJsonFile, standalone } = inputs + const { version, dest, packageJsonFile } = inputs + + // pnpm v11 requires Node >= 22.13; use standalone (exe) bootstrap which + // bundles its own Node.js when the system Node is too old + const systemNode = await getSystemNodeVersion() + const standalone = inputs.standalone || systemNode.major < 22 || (systemNode.major === 22 && systemNode.minor < 13) // Install bootstrap pnpm via npm (integrity verified by committed lockfile) await rm(dest, { recursive: true, force: true }) @@ -40,13 +45,13 @@ export async function runSelfInstaller(inputs: Inputs): Promise { await mkdir(pnpmHome, { recursive: true }) const target = standalone ? path.join('..', '@pnpm', 'exe', 'pnpm') - : path.join('..', 'pnpm', 'bin', 'pnpm.cjs') + : path.join('..', 'pnpm', 'bin', 'pnpm.mjs') await symlink(target, pnpmBinLink) } const bootstrapPnpm = standalone ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm') - : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.cjs') + : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs') // Determine the target version const targetVersion = readTargetVersion({ version, packageJsonFile }) @@ -70,15 +75,17 @@ function readTargetVersion(opts: { const { version, packageJsonFile } = opts const { GITHUB_WORKSPACE } = process.env - let packageManager: unknown + let packageManager: string | undefined + let devEngines: { packageManager?: { name?: string; version?: string } } | undefined if (GITHUB_WORKSPACE) { try { const content = readFileSync(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8'); - ({ packageManager } = packageJsonFile.endsWith(".yaml") + const manifest = packageJsonFile.endsWith(".yaml") ? parseYaml(content, { merge: true }) : JSON.parse(content) - ) + packageManager = manifest.packageManager + devEngines = manifest.devEngines } catch (error: unknown) { // Swallow error if package.json doesn't exist in root if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error @@ -100,9 +107,13 @@ Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_ return version } + // pnpm will automatically download and switch to the right version if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) { - // Strip the "pnpm@" prefix and any "+sha..." hash suffix - return packageManager.replace('pnpm@', '').replace(/\+.*$/, '') + return undefined + } + + if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) { + return undefined } if (!GITHUB_WORKSPACE) { @@ -115,7 +126,21 @@ Otherwise, please specify the pnpm version in the action configuration.`) throw new Error(`No pnpm version is specified. Please specify it by one of the following ways: - in the GitHub Action config with the key "version" - - in the package.json with the key "packageManager"`) + - in the package.json with the key "packageManager" + - in the package.json with the key "devEngines.packageManager"`) +} + +function getSystemNodeVersion(): Promise<{ major: number; minor: number }> { + return new Promise((resolve) => { + const cp = spawn('node', ['--version'], { stdio: ['pipe', 'pipe', 'pipe'], shell: process.platform === 'win32' }) + let output = '' + cp.stdout.on('data', (data: Buffer) => { output += data.toString() }) + cp.on('close', () => { + const match = output.match(/^v(\d+)\.(\d+)/) + resolve(match ? { major: parseInt(match[1], 10), minor: parseInt(match[2], 10) } : { major: 0, minor: 0 }) + }) + cp.on('error', () => resolve({ major: 0, minor: 0 })) + }) } function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise { From 8db5dc4cca6acb83bffb91713f7c88e76cf996b5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:53 +0000 Subject: [PATCH 5/7] =?UTF-8?q?fix:=20Windows=20standalone=20mode=20?= =?UTF-8?q?=E2=80=94=20bypass=20broken=20npm=20shims=20(#217)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: overwrite npm .cmd wrappers for @pnpm/exe on Windows npm creates .cmd wrappers that invoke bin entries through `node`, but @pnpm/exe bins are native executables, not JavaScript files. This causes pnpm commands to silently fail on Windows. * fix: copy pnpm.exe to .bin/ on Windows for standalone mode The .cmd wrapper approach didn't work because CMD doesn't properly wait for extensionless PE binaries. Instead, copy the actual .exe (and .cmd for pnpx) from @pnpm/exe into .bin/ so PATHEXT finds pnpm.exe directly, bypassing npm's broken node-wrapping shim. * fix: add @pnpm/exe dir to PATH on Windows instead of .bin shims On Windows, npm's .bin shims can't properly execute the extensionless native binaries from @pnpm/exe. Instead of trying to fix the shims, add the @pnpm/exe directory directly to PATH where pnpm.exe lives. * test: validate pnpm --version output in CI All version checks now capture output and assert it matches a semver pattern. Previously, a silently failing pnpm (exit 0, no output) would pass the tests. * debug: log pnpm --version output during setup * fix: remove duplicate addPath in setOutputs that shadowed pnpm.exe setOutputs called addPath(node_modules/.bin) AFTER installPnpm had already added the correct path (@pnpm/exe on Windows). Since GITHUB_PATH entries are prepended, .bin ended up first in PATH, causing PowerShell to find npm's broken shims instead of pnpm.exe. * fix: add PNPM_HOME/bin to PATH on all platforms * fix: address review feedback — PATH ordering and regex anchoring - Swap addPath order so pnpmHome (with pnpm.exe) is prepended last and has highest precedence over pnpmHome/bin. - Anchor version regex with $ and allow prerelease suffixes. --- src/install-pnpm/run.ts | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/src/install-pnpm/run.ts b/src/install-pnpm/run.ts index c4a484a..1a847af 100644 --- a/src/install-pnpm/run.ts +++ b/src/install-pnpm/run.ts @@ -34,23 +34,33 @@ export async function runSelfInstaller(inputs: Inputs): Promise { return npmExitCode } - const pnpmHome = path.join(dest, 'node_modules', '.bin') - addPath(pnpmHome) + // On Windows with standalone mode, npm's .bin shims can't properly + // execute the extensionless @pnpm/exe native binaries. Add the + // @pnpm/exe directory directly to PATH so pnpm.exe is found natively. + const pnpmHome = standalone && process.platform === 'win32' + ? path.join(dest, 'node_modules', '@pnpm', 'exe') + : path.join(dest, 'node_modules', '.bin') + // pnpm expects PNPM_HOME/bin in PATH for global binaries (e.g. node + // installed via `pnpm runtime`). Add it first so the next addPath + // (pnpmHome itself, which contains pnpm.exe) has higher precedence. addPath(path.join(pnpmHome, 'bin')) + addPath(pnpmHome) exportVariable('PNPM_HOME', pnpmHome) // Ensure pnpm bin link exists — npm ci sometimes doesn't create it - const pnpmBinLink = path.join(pnpmHome, 'pnpm') - if (!existsSync(pnpmBinLink)) { - await mkdir(pnpmHome, { recursive: true }) - const target = standalone - ? path.join('..', '@pnpm', 'exe', 'pnpm') - : path.join('..', 'pnpm', 'bin', 'pnpm.mjs') - await symlink(target, pnpmBinLink) + if (process.platform !== 'win32') { + const pnpmBinLink = path.join(dest, 'node_modules', '.bin', 'pnpm') + if (!existsSync(pnpmBinLink)) { + await mkdir(path.join(dest, 'node_modules', '.bin'), { recursive: true }) + const target = standalone + ? path.join('..', '@pnpm', 'exe', 'pnpm') + : path.join('..', 'pnpm', 'bin', 'pnpm.mjs') + await symlink(target, pnpmBinLink) + } } const bootstrapPnpm = standalone - ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm') + ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm') : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs') // Determine the target version From bec3325aaa8ee6f0ac8d214c2800a7a82c0d4cf8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:54 +0000 Subject: [PATCH 6/7] =?UTF-8?q?fix:=20Windows=20standalone=20mode=20?= =?UTF-8?q?=E2=80=94=20bypass=20broken=20npm=20shims=20(#217)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: overwrite npm .cmd wrappers for @pnpm/exe on Windows npm creates .cmd wrappers that invoke bin entries through `node`, but @pnpm/exe bins are native executables, not JavaScript files. This causes pnpm commands to silently fail on Windows. * fix: copy pnpm.exe to .bin/ on Windows for standalone mode The .cmd wrapper approach didn't work because CMD doesn't properly wait for extensionless PE binaries. Instead, copy the actual .exe (and .cmd for pnpx) from @pnpm/exe into .bin/ so PATHEXT finds pnpm.exe directly, bypassing npm's broken node-wrapping shim. * fix: add @pnpm/exe dir to PATH on Windows instead of .bin shims On Windows, npm's .bin shims can't properly execute the extensionless native binaries from @pnpm/exe. Instead of trying to fix the shims, add the @pnpm/exe directory directly to PATH where pnpm.exe lives. * test: validate pnpm --version output in CI All version checks now capture output and assert it matches a semver pattern. Previously, a silently failing pnpm (exit 0, no output) would pass the tests. * debug: log pnpm --version output during setup * fix: remove duplicate addPath in setOutputs that shadowed pnpm.exe setOutputs called addPath(node_modules/.bin) AFTER installPnpm had already added the correct path (@pnpm/exe on Windows). Since GITHUB_PATH entries are prepended, .bin ended up first in PATH, causing PowerShell to find npm's broken shims instead of pnpm.exe. * fix: add PNPM_HOME/bin to PATH on all platforms * fix: address review feedback — PATH ordering and regex anchoring - Swap addPath order so pnpmHome (with pnpm.exe) is prepended last and has highest precedence over pnpmHome/bin. - Anchor version regex with $ and allow prerelease suffixes. --- src/outputs/index.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/outputs/index.ts b/src/outputs/index.ts index e25a6b0..1d64199 100644 --- a/src/outputs/index.ts +++ b/src/outputs/index.ts @@ -1,10 +1,11 @@ -import { setOutput, addPath } from '@actions/core' +import { setOutput } from '@actions/core' import { Inputs } from '../inputs' import { getBinDest } from '../utils' export function setOutputs(inputs: Inputs) { const binDest = getBinDest(inputs) - addPath(binDest) + // NOTE: addPath is already called in installPnpm — do not call it again + // here, as a second addPath would shadow the correct entry on Windows. setOutput('dest', inputs.dest) setOutput('bin_dest', binDest) } From 6268ccf0346215d67d5a8c1a4b90d517fe5d6730 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 9 Jun 2026 09:57:57 +0000 Subject: [PATCH 7/7] README.md: bring versions up-to-date (#222) --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f9b5311..e1eedef 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Version of pnpm to install. **Optional** when there is a [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html). -otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `6.24.1`), or a version range (such as `6`, `6.x.x`, `6.24.x`, `^6.24.1`, `*`, etc.), or `latest`. +otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `10.9.8`), or a version range (such as `10`, `10.x.x`, `10.9.x`, `^10.9.8`, `*`, etc.), or `latest`. ### `dest` @@ -118,7 +118,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - uses: step-security/action-setup@v4 with: @@ -142,7 +142,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: step-security/action-setup@v4 name: Install pnpm