Skip to content

[WIP] BB-3615 - Upgrade to pnpm 11 and add secutiry settings#1

Open
AlexArchiPro wants to merge 27 commits into
v4from
BB-3615-upgrade-to-pnpm11
Open

[WIP] BB-3615 - Upgrade to pnpm 11 and add secutiry settings#1
AlexArchiPro wants to merge 27 commits into
v4from
BB-3615-upgrade-to-pnpm11

Conversation

@AlexArchiPro
Copy link
Copy Markdown

@AlexArchiPro AlexArchiPro commented May 18, 2026

Summary

Fast-forward this fork's v4 branch to upstream pnpm/action-setup@v4 HEAD (commit b906aff). Before this PR, the fork's v4 is at commit fe02b340 commits ahead, 26 commits behind upstream. Zero archi-specific patches to preserve, so the merge is conflict-free.

This is the fork-maintenance step in the BB-3615 fleet rollout (see docs/PLAN.md § "Why we keep archiprocode/pnpm-action-setup@v4"). 7 archiprocode repos and 25 CI callsites consume @v4; this PR brings them onto the maintained upstream code.

Why this is safe

  • No archi-specific changes are lost. Confirmed via gh api repos/pnpm/action-setup/compare/archiprocode:pnpm-action-setup:v4...pnpm:action-setup:v4ahead_by: 0, behind_by: 26.
  • Consumers stay version-pinned to @v4. Until the v4 tag (not just branch) is moved to the new HEAD, no consumer is affected. Tag move is a deliberate follow-up step after merge.
  • The Node 24 runtime change upstream made and then reverted (feat!: run the action on Node.js 24 pnpm/action-setup#205b906aff) is includedaction.yml#runs.using stays at node20, matching upstream's current intent.

What's included (upstream commits)

Category Commits
Features feat: store caching (#188) — pnpm store cache speedup; feat: support installation from custom NPM registry (#179); feat: support package.yaml (#156)
Fixes fix: not allow install multiple package manager (#161); fix: add missing outputs metadata to action.yml (#127); fix: correct typo in error message (#125)
Build/dist feat: update dist; test: update pnpm to v9
Docs / CI / refactor 18 commits (READMEs, examples, action-pinning in CI, star-import refactor, macos exclusion)
Reverted Revert "feat!: run the action on Node.js 24 (#205)" — action runtime stays on node20

After merge — required tag move

The v4 tag must be moved to the new HEAD so every consumer pinned @v4 picks up the change:

```bash
git fetch origin
git tag -f v4 origin/v4
git push origin -f v4
```

Without the tag move, the merge does not propagate to consumer CI.

[WIP] lifecycle

Per BB-3615 convention, this PR opens [WIP] and stays [WIP] until a human reviewer:

  1. Inspects the upstream commit list and confirms nothing surprising is being adopted.
  2. Plans the v4 tag move (or chooses to defer it).
  3. Drops the [WIP] prefix.

Test plan

  • Reviewer scrolls the 26 upstream commits in the Files Changed tab and confirms no unexpected runtime/behaviour changes (action.yml#runs.using remains node20).
  • Reviewer plans the v4 tag move per the snippet above.
  • After tag move, spot-check one consumer repo's next CI run — pick the largest blast radius (archipro-mobile's pull-request.yml) and confirm pnpm install still succeeds.

benmccann and others added 27 commits June 12, 2024 16:38
@benmccann
docs: use cached pnpm installation (pnpm#128)
00884bc
@benmccann
fix: correct typo in error message (pnpm#125)
562dbbf
@rhysd
fix: add missing outputs metadata to action.yml (pnpm#127)
5d79380
@hyesungoh
docs: change order of setup node and pnpm (pnpm#129)
23657c8
@karlhorky @KSXGitHub
Add readme example for omitting version (pnpm#134)
0eb0e97 
* Add readme example for omitting `version`

* docs: more detailed explanations

---------

Co-authored-by: Khải <hvksmr1996@gmail.com>
@zkochan
docs: add warning about v2
0d0b432
@its-monotype
docs: remove redundant manual cache due to setup-node cache (pnpm#131)
18ac635
@karlhorky
Update examples to use pnpm v9 (pnpm#142)
ac5bf11
@azat-io
docs: update pnpm version in readme examples (pnpm#154)
e303250
@danielbayley
feat: support package.yaml (pnpm#156)
0cb0538
@danielbayley
docs: support package.yaml (pnpm#157)
6e3017a
@zkochan
test: update pnpm to v9
fff7088
@zkochan
feat: update dist
a7487c7
@BlackHole1
fix: not allow install multiple package manager (pnpm#161)
d648c2d 
When a project has both npm and pnpm, using pnpm/action-setup will result in an error: `Multiple versions of pnpm specified`.

The previous implementation was only meant to avoid the "ERR_PNPM_BAD_PM_VERSION" error, but it did not take into account the situation of multiple different package managers.

Signed-off-by: Kevin Cui <bh@bugs.cc>
@ts-web
Fix multiline run_install example in README.md (pnpm#167)
77504a5
@ts-web
Remove --frozen-lockfile from examples (pnpm#171)
f2b2b23
@Eynorey
feat: support installation from custom NPM registry (pnpm#179)
41ff726 
copy .npmrc from GitHub workspace if it exists so that PNPM respects custom
registry configurations when self-installing
@dreyks
Update README.md (pnpm#175)
72f0451 
fix the string run_install example
@silverwind
Remove unused @types/node-fetch dependency (pnpm#186)
3a0024f
@chris-martin @zkochan
Clarify that package_json_file is relative to GITHUB_WORKSPACE (pnpm#184
ee7b871 
)

* Clarify that package_json_file is relative to GITHUB_WORKSPACE

Clarify the description for package_json_file parameter to specify that the path must be relative to the repository root.

* Apply suggestion from @zkochan

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
@jrmajor @KSXGitHub
feat: store caching (pnpm#188)
e94b270 
* add pnpm store caching

* style: format

* no semicolons
* no star imports
* import order

* style: no star imports

---------

Co-authored-by: khai96_ <hvksmr1996@gmail.com>
@KSXGitHub
refactor: remove star imports (pnpm#196)
61bc82c
@KSXGitHub
fix(ci): exclude macos (pnpm#197)
b9e1dbc
@Boosted-Bonobo
ci: pin github actions (pnpm#199)
1e1c8ea
@zkochan
feat!: run the action on Node.js 24 (pnpm#205)
9b5745c
@zkochan
Revert "feat!: run the action on Node.js 24 (pnpm#205)"
b906aff 
This reverts commit 9b5745c.
@AlexArchiPro
BB-3615 Upgrade to pnpm 11 and add security settings
2cb79ab 
Fast-forward archiprocode/pnpm-action-setup v4 to upstream pnpm/action-setup
v4 HEAD (commit b906aff). Fork is currently 0 commits ahead, 26 behind
upstream v4 — zero archi-specific patches to preserve, conflict-free merge.

This brings every consumer pinned `archiprocode/pnpm-action-setup@v4`
(7 archiprocode repos, 25 CI callsites) onto the maintained upstream code.
After this lands, the `v4` tag in the fork must be moved to the new HEAD
so consumers pick up the change.

Notable upstream patches included:
- feat: store caching (pnpm#188) — pnpm store cache speedup
- fix: not allow install multiple package manager (pnpm#161) — safety fix
- feat: support installation from custom NPM registry (pnpm#179)
- Plus 23 docs/refactor/CI fixes
- Note: upstream's pnpm#205 (Node 24 action runtime) was reverted by b906aff,
  so action.yml#runs.using stays at node20 (consistent with upstream)
cursor[bot]
cursor Bot reviewed May 18, 2026
View reviewed changes
Comment thread src/install-pnpm/run.ts
// copy .npmrc if it exists to install from custom registry
if (GITHUB_WORKSPACE) {
try {
await copyFile(path.join(GITHUB_WORKSPACE, '.npmrc'), path.join(dest, '.npmrc'))
Copy link
Copy Markdown

@cursor cursor Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: HIGH

This change copies repository-controlled .npmrc from GITHUB_WORKSPACE into the bootstrap install directory used to install pnpm. In workflows that run on untrusted PR content, this allows attacker-controlled registry configuration to influence the action's own dependency bootstrap.

Impact: an attacker can redirect package resolution to a malicious registry during bootstrap and potentially execute attacker-controlled install-time code under CI runner privileges, including possible token/secret exposure in privileged workflow contexts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.