chore: Cherry-picked changes from upstream

README.md

@@ -12,7 +12,7 @@ Version of pnpm to install.
 
 **Optional** when there is a [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html).
 
-otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `6.24.1`), or a version range (such as `6`, `6.x.x`, `6.24.x`, `^6.24.1`, `*`, etc.), or `latest`.
+otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `10.9.8`), or a version range (such as `10`, `10.x.x`, `10.9.x`, `^10.9.8`, `*`, etc.), or `latest`.
 
 ### `dest`
 
@@ -118,7 +118,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - uses: step-security/action-setup@v4
         with:
@@ -142,7 +142,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - uses: step-security/action-setup@v4
         name: Install pnpm

src/install-pnpm/run.ts

@@ -1,71 +1,101 @@
 import { addPath, exportVariable } from '@actions/core'
 import { spawn } from 'child_process'
-import { rm, writeFile, mkdir, copyFile } from 'fs/promises'
-import { readFileSync } from 'fs'
+import { rm, writeFile, mkdir, symlink } from 'fs/promises'
+import { readFileSync, existsSync } from 'fs'
 import path from 'path'
-import { execPath } from 'process'
 import util from 'util'
 import { Inputs } from '../inputs'
 import { parse as parseYaml } from 'yaml'
+import pnpmLock from './bootstrap/pnpm-lock.json'
+import exeLock from './bootstrap/exe-lock.json'
+
+const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
+const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
 export async function runSelfInstaller(inputs: Inputs): Promise<number> {
-  const { version, dest, packageJsonFile, standalone } = inputs
-  const { GITHUB_WORKSPACE } = process.env
+  const { version, dest, packageJsonFile } = inputs
 
-  // prepare self install
+  // pnpm v11 requires Node >= 22.13; use standalone (exe) bootstrap which
+  // bundles its own Node.js when the system Node is too old
+  const systemNode = await getSystemNodeVersion()
+  const standalone = inputs.standalone || systemNode.major < 22 || (systemNode.major === 22 && systemNode.minor < 13)
+
+  // Install bootstrap pnpm via npm (integrity verified by committed lockfile)
   await rm(dest, { recursive: true, force: true })
-  // create dest directory after removal
   await mkdir(dest, { recursive: true })
-  const pkgJson = path.join(dest, 'package.json')
-  // we have ensured the dest directory exists, we can write the file directly
-  await writeFile(pkgJson, JSON.stringify({ private: true }))
 
-  // copy .npmrc if it exists to install from custom registry
-  if (GITHUB_WORKSPACE) {
-    try {
-      await copyFile(path.join(GITHUB_WORKSPACE, '.npmrc'), path.join(dest, '.npmrc'))
-    } catch (error) {
-      // Swallow error if .npmrc doesn't exist
-      if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
+  const lockfile = standalone ? exeLock : pnpmLock
+  const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
+  await writeFile(path.join(dest, 'package.json'), packageJson)
+  await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
+
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
+  if (npmExitCode !== 0) {
+    return npmExitCode
+  }
+
+  // On Windows with standalone mode, npm's .bin shims can't properly
+  // execute the extensionless @pnpm/exe native binaries. Add the
+  // @pnpm/exe directory directly to PATH so pnpm.exe is found natively.
+  const pnpmHome = standalone && process.platform === 'win32'
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe')
+    : path.join(dest, 'node_modules', '.bin')
+  // pnpm expects PNPM_HOME/bin in PATH for global binaries (e.g. node
+  // installed via `pnpm runtime`). Add it first so the next addPath
+  // (pnpmHome itself, which contains pnpm.exe) has higher precedence.
+  addPath(path.join(pnpmHome, 'bin'))
+  addPath(pnpmHome)
+  exportVariable('PNPM_HOME', pnpmHome)
+
+  // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
+  if (process.platform !== 'win32') {
+    const pnpmBinLink = path.join(dest, 'node_modules', '.bin', 'pnpm')
+    if (!existsSync(pnpmBinLink)) {
+      await mkdir(path.join(dest, 'node_modules', '.bin'), { recursive: true })
+      const target = standalone
+        ? path.join('..', '@pnpm', 'exe', 'pnpm')
+        : path.join('..', 'pnpm', 'bin', 'pnpm.mjs')
+      await symlink(target, pnpmBinLink)
     }
   }
 
-  // prepare target pnpm
-  const target = await readTarget({ version, packageJsonFile, standalone })
-  const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], {
-    cwd: dest,
-    stdio: ['pipe', 'inherit', 'inherit'],
-  })
+  const bootstrapPnpm = standalone
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm')
+    : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs')
 
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    cp.on('error', reject)
-    cp.on('close', resolve)
-  })
-  if (exitCode === 0) {
-    const pnpmHome = path.join(dest, 'node_modules/.bin')
-    addPath(pnpmHome)
-    exportVariable('PNPM_HOME', pnpmHome)
+  // Determine the target version
+  const targetVersion = readTargetVersion({ version, packageJsonFile })
+
+  if (targetVersion) {
+    const cmd = standalone ? bootstrapPnpm : process.execPath
+    const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+    const exitCode = await runCommand(cmd, args, { cwd: dest })
+    if (exitCode !== 0) {
+      return exitCode
+    }
   }
-  return exitCode
+
+  return 0
 }
 
-async function readTarget(opts: {
+function readTargetVersion(opts: {
   readonly version?: string | undefined
   readonly packageJsonFile: string
-  readonly standalone: boolean
-}) {
-  const { version, packageJsonFile, standalone } = opts
+}): string | undefined {
+  const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
 
-  let packageManager
+  let packageManager: string | undefined
+  let devEngines: { packageManager?: { name?: string; version?: string } } | undefined
 
   if (GITHUB_WORKSPACE) {
     try {
       const content = readFileSync(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8');
-      ({ packageManager } = packageJsonFile.endsWith(".yaml")
+      const manifest = packageJsonFile.endsWith(".yaml")
         ? parseYaml(content, { merge: true })
         : JSON.parse(content)
-      )
+      packageManager = manifest.packageManager
+      devEngines = manifest.devEngines
     } catch (error: unknown) {
       // Swallow error if package.json doesn't exist in root
       if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
@@ -84,7 +114,16 @@ async function readTarget(opts: {
 Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`)
     }
 
-    return `${ standalone ? '@pnpm/exe' : 'pnpm' }@${version}`
+    return version
+  }
+
+  // pnpm will automatically download and switch to the right version
+  if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
+    return undefined
+  }
+
+  if (devEngines?.packageManager?.name === 'pnpm' && devEngines.packageManager.version) {
+    return undefined
   }
 
   if (!GITHUB_WORKSPACE) {
@@ -94,22 +133,36 @@ please run the actions/checkout before pnpm/action-setup.
 Otherwise, please specify the pnpm version in the action configuration.`)
   }
 
-  if (typeof packageManager !== 'string') {
-    throw new Error(`No pnpm version is specified.
+  throw new Error(`No pnpm version is specified.
 Please specify it by one of the following ways:
   - in the GitHub Action config with the key "version"
-  - in the package.json with the key "packageManager"`)
-  }
-
-  if (!packageManager.startsWith('pnpm@')) {
-    throw new Error('Invalid packageManager field in package.json')
-  }
+  - in the package.json with the key "packageManager"
+  - in the package.json with the key "devEngines.packageManager"`)
+}
 
-  if (standalone) {
-    return packageManager.replace('pnpm@', '@pnpm/exe@')
-  }
+function getSystemNodeVersion(): Promise<{ major: number; minor: number }> {
+  return new Promise((resolve) => {
+    const cp = spawn('node', ['--version'], { stdio: ['pipe', 'pipe', 'pipe'], shell: process.platform === 'win32' })
+    let output = ''
+    cp.stdout.on('data', (data: Buffer) => { output += data.toString() })
+    cp.on('close', () => {
+      const match = output.match(/^v(\d+)\.(\d+)/)
+      resolve(match ? { major: parseInt(match[1], 10), minor: parseInt(match[2], 10) } : { major: 0, minor: 0 })
+    })
+    cp.on('error', () => resolve({ major: 0, minor: 0 }))
+  })
+}
 
-  return packageManager
+function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const cp = spawn(cmd, args, {
+      cwd: opts.cwd,
+      stdio: ['pipe', 'inherit', 'inherit'],
+      shell: process.platform === 'win32',
+    })
+    cp.on('error', reject)
+    cp.on('close', resolve)
+  })
 }
 
 export default runSelfInstaller

src/outputs/index.ts

@@ -1,10 +1,11 @@
-import { setOutput, addPath } from '@actions/core'
+import { setOutput } from '@actions/core'
 import { Inputs } from '../inputs'
 import { getBinDest } from '../utils'
 
 export function setOutputs(inputs: Inputs) {
   const binDest = getBinDest(inputs)
-  addPath(binDest)
+  // NOTE: addPath is already called in installPnpm — do not call it again
+  // here, as a second addPath would shadow the correct entry on Windows.
   setOutput('dest', inputs.dest)
   setOutput('bin_dest', binDest)
 }

src/utils/index.ts

@@ -6,5 +6,5 @@ export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'no
 
 export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
   ...process.env,
-  PATH: getBinDest(inputs) + path.delimiter + process.env.PATH,
+  PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH,
 })