Merged
18 changes: 9 additions & 9 deletions .github/workflows/release.yml
Expand Up @@ -94,16 +94,16 @@ jobs:
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

- name: Set up pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
- name: Set up pnpm and Node.js
uses: pnpm/setup@f7d0e5f4b1b3089d2799ef9722859e7ba314c4c8 # v1

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 security Unverified action origin — pnpm/setup vs pnpm/action-setup

The official pnpm action is pnpm/action-setup (documented at pnpm.io and on the GitHub Marketplace). pnpm/setup does not appear in pnpm's official documentation or Marketplace listing. Can you confirm this action lives at github.com/pnpm/setup under the pnpm org and is the intended replacement? This job has contents: write and access to the GitHub App token for pushing to main, so verifying the SHA resolves to a legitimate pnpm-owned repository is important before merging.

with:
version: 10.33.0

- name: Set up Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
# TODO: pnpm/setup does not read .nvmrc yet. Keep this in sync with .nvmrc
# until https://github.com/jasongin/nvs/pull/315 lands.
# pnpm/setup installs runtimes via pnpm runtime, which requires pnpm >=11.1.0.
version: 11.7.0
runtime: node@24
cache: true
install: false

- name: Install changesets dependencies
run: pnpm install --frozen-lockfile
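Review bot: the pin comment on the new `uses: pnpm/setup@f7d0e5f4... # v1` line is a floating major-version tag, whereas the line it replaces documented an exact release (`# v5.0.0`); with `# v1` a reviewer cannot check that the SHA corresponds to a specific tagged release of the action. Since this job runs with `contents: write` and the GitHub App token (as the inline comment above notes), please record the exact tag the SHA was taken from (e.g. `# v1.x.y`) and state in the PR description where the repository was verified. Separately, the `# TODO` block now carries a hard dependency on an external PR (`jasongin/nvs#315`) for `.nvmrc` parity; consider a CI check that fails when `runtime: node@24` and `.nvmrc` diverge so the "keep in sync" instruction is enforced rather than remembered.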
3 changes: 3 additions & 0 deletions .npmrc
@@ -0,0 +1,3 @@
# Minimum age (in days) before a package version can be installed
# 7 days
min-release-age=7
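Review bot: the comments above `min-release-age=7` describe the value as "7 days", but nothing on this page establishes that the setting's unit is days; please confirm the unit against the pnpm documentation for the version this repo now pins (11.7.0), because if the setting is denominated in minutes the guard window would be 7 minutes rather than a week, which defeats the stated intent of delaying installs of freshly published versions. It would also help to add to the comment which pnpm version introduced the setting, so a future downgrade of `packageManager` does not silently disable it.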
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -3,7 +3,7 @@
"private": true,
"description": "Release metadata and changesets for the PostHog Ruby SDK",
"license": "MIT",
"packageManager": "pnpm@10.33.0",
"packageManager": "pnpm@11.7.0",
"scripts": {
"changeset": "changeset"
},
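Review bot: `"packageManager": "pnpm@11.7.0"` now duplicates the `version: 11.7.0` passed to `pnpm/setup` in `.github/workflows/release.yml`, so the two can drift on the next bump; if the action can read `packageManager` when `version` is omitted, consider dropping one of them so there is a single source of truth for the pnpm version used in releases, and note the decision in the workflow comment either way.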