liuyu/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-06-06 05:51:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

build(pnpm): use packageManager as pnpm source

Browse Source 
Recreated from #85108 because the original branch could not be updated by maintainers.

Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install.

Co-authored-by: Altay <altay@hey.com>
This commit is contained in:
Peter Steinberger
2026-05-22 19:17:43 +01:00
committed by GitHub
parent f6840acc21
commit a0702e195d
25 changed files with 100 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.github/actions/setup-node-env/action.yml vendored
View File

@@ -7,14 +7,6 @@ inputs:
description: Node.js version to install.
required: false
default: "24.x"
cache-key-suffix:
description: Suffix appended to the pnpm store cache key.
required: false
default: "node24-pnpm11"
pnpm-version:
description: pnpm version for corepack.
required: false
default: "11.0.8"
install-bun:
description: Whether to install Bun alongside Node.
required: false
@@ -40,13 +32,9 @@ runs:
node-version: ${{ inputs.node-version }}
check-latest: false
- name: Setup pnpm + cache store
id: pnpm-cache
- name: Setup pnpm
uses: ./.github/actions/setup-pnpm-store-cache
with:
node-version: ${{ inputs.node-version }}
pnpm-version: ${{ inputs.pnpm-version }}
cache-key-suffix: ${{ inputs.cache-key-suffix }}
use-actions-cache: ${{ inputs.use-actions-cache }}
- name: Setup Bun
@@ -128,11 +116,3 @@ runs:
ln -sfn "$PNPM_CONFIG_MODULES_DIR" node_modules
ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules"
fi
- name: Save pnpm store cache
if: inputs.install-deps == 'true' && steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@v5
continue-on-error: true
with:
path: ${{ steps.pnpm-cache.outputs.store-path }}
key: ${{ steps.pnpm-cache.outputs.primary-key }}

181
.github/actions/setup-pnpm-store-cache/action.yml vendored
View File

@@ -1,168 +1,53 @@
name: Setup pnpm + store cache
description: Prepare pnpm via corepack and restore pnpm store cache.
name: Setup pnpm
description: Prepare pnpm from the repository packageManager and restore its store cache.
inputs:
pnpm-version:
description: pnpm version to activate via corepack.
package-manager-file:
description: package.json file that owns the packageManager pnpm pin.
required: false
default: "11.0.8"
node-version:
description: Expected Node.js version already installed by actions/setup-node.
default: "package.json"
lockfile-path:
description: pnpm lockfile used to key the store cache.
required: false
default: "24.x"
cache-key-suffix:
description: Suffix appended to the cache key.
required: false
default: "node24-pnpm11"
use-restore-keys:
description: Whether to use restore-keys fallback for actions/cache.
required: false
default: "true"
default: "pnpm-lock.yaml"
use-actions-cache:
description: Whether to restore pnpm store with actions/cache.
description: Whether pnpm/action-setup should cache the pnpm store.
required: false
default: "true"
outputs:
cache-enabled:
description: Whether actions/cache restore was enabled.
value: ${{ steps.pnpm-cache-config.outputs.enabled }}
cache-hit:
description: Whether the pnpm store cache had an exact key hit.
value: ${{ steps.pnpm-cache-restore.outputs.cache-hit }}
cache-matched-key:
description: Cache key matched by restore, if any.
value: ${{ steps.pnpm-cache-restore.outputs.cache-matched-key }}
primary-key:
description: Primary pnpm store cache key.
value: ${{ steps.pnpm-cache-config.outputs.primary-key }}
store-path:
description: Resolved pnpm store path.
value: ${{ steps.pnpm-store.outputs.path }}
pnpm-version:
description: Resolved pnpm version activated by the setup action.
value: ${{ steps.pnpm-version.outputs.pnpm-version }}
project-dir:
description: Directory containing the packageManager file used for pnpm resolution.
value: ${{ steps.setup-pnpm.outputs.project-dir }}
runs:
using: composite
steps:
- name: Setup pnpm (corepack retry)
- name: Validate pnpm setup inputs
id: setup-pnpm
shell: bash
env:
COREPACK_ENABLE_DOWNLOAD_PROMPT: "0"
PNPM_VERSION: ${{ inputs.pnpm-version }}
REQUESTED_NODE_VERSION: ${{ inputs.node-version }}
PACKAGE_MANAGER_FILE: ${{ inputs.package-manager-file }}
run: |
set -euo pipefail
if [[ ! "$PNPM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,2}([.-][0-9A-Za-z.-]+)?$ ]]; then
echo "::error::Invalid pnpm-version input: '$PNPM_VERSION'"
exit 2
fi
requested_node="${REQUESTED_NODE_VERSION:-${NODE_VERSION:-}}"
requested_node="${requested_node#v}"
node_version_matches() {
local actual="$1"
local requested="$2"
if [[ -z "$requested" ]]; then
return 0
fi
case "$requested" in
*x)
[[ "${actual%%.*}" == "${requested%%.*}" ]]
;;
*.*.*)
[[ "$actual" == "$requested" ]]
;;
*.*)
[[ "$actual" == "$requested".* ]]
;;
*)
[[ "${actual%%.*}" == "$requested" ]]
;;
esac
}
active_node_version="$(node -p 'process.versions.node' 2>/dev/null || true)"
if ! node_version_matches "$active_node_version" "$requested_node"; then
node_roots=()
for root in \
"${RUNNER_TOOL_CACHE:-}" \
"${AGENT_TOOLSDIRECTORY:-}" \
"${ACTIONS_RUNNER_TOOL_CACHE:-}" \
"/opt/hostedtoolcache" \
"/home/runner/_work/_tool" \
"/Users/runner/hostedtoolcache" \
"/c/hostedtoolcache/windows"
do
if [[ -d "$root/node" ]]; then
node_roots+=("$root/node")
elif [[ "$(basename "$root")" == "node" && -d "$root" ]]; then
node_roots+=("$root")
fi
done
node_bin=""
for node_root in "${node_roots[@]}"; do
while IFS= read -r candidate; do
candidate_version="$("$candidate" -p 'process.versions.node' 2>/dev/null || true)"
if node_version_matches "$candidate_version" "$requested_node"; then
node_bin="$candidate"
break 2
fi
done < <(find "$node_root" \( -name node -o -name node.exe \) -type f 2>/dev/null | sort -r)
done
if [[ -n "$node_bin" ]]; then
echo "Using Node $("$node_bin" -p 'process.versions.node') from $node_bin"
export PATH="$(dirname "$node_bin"):$PATH"
hash -r
fi
fi
active_node_version="$(node -p 'process.versions.node' 2>/dev/null || true)"
if ! node_version_matches "$active_node_version" "$requested_node"; then
echo "::error::Expected Node '${requested_node}', but active node is '${active_node_version:-missing}' at $(command -v node || true)"
project_dir="$(dirname "$PACKAGE_MANAGER_FILE")"
if [[ ! -f "$PACKAGE_MANAGER_FILE" ]]; then
echo "::error::package manager file not found: $PACKAGE_MANAGER_FILE"
exit 1
fi
echo "project-dir=$project_dir" >> "$GITHUB_OUTPUT"
node -v
command -v node
command -v corepack
corepack enable
for attempt in 1 2 3; do
if corepack prepare "pnpm@$PNPM_VERSION" --activate; then
pnpm -v
exit 0
fi
echo "corepack prepare failed (attempt $attempt/3). Retrying..."
sleep $((attempt * 10))
done
exit 1
- name: Setup pnpm from packageManager
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093
with:
package_json_file: ${{ inputs.package-manager-file }}
run_install: false
cache: ${{ inputs.use-actions-cache }}
cache_dependency_path: ${{ inputs.lockfile-path }}
- name: Resolve pnpm store path
id: pnpm-store
shell: bash
run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
- name: Resolve pnpm store cache keys
id: pnpm-cache-config
- name: Record pnpm version
id: pnpm-version
shell: bash
env:
CACHE_KEY_SUFFIX: ${{ inputs.cache-key-suffix }}
LOCKFILE_HASH: ${{ hashFiles('pnpm-lock.yaml') }}
USE_ACTIONS_CACHE: ${{ inputs.use-actions-cache }}
USE_RESTORE_KEYS: ${{ inputs.use-restore-keys }}
run: |
set -euo pipefail
echo "enabled=$USE_ACTIONS_CACHE" >> "$GITHUB_OUTPUT"
echo "primary-key=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-${LOCKFILE_HASH}" >> "$GITHUB_OUTPUT"
if [ "$USE_RESTORE_KEYS" = "true" ]; then
echo "restore-keys=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-" >> "$GITHUB_OUTPUT"
else
echo "restore-keys=" >> "$GITHUB_OUTPUT"
fi
- name: Restore pnpm store cache
id: pnpm-cache-restore
if: inputs.use-actions-cache == 'true'
uses: actions/cache/restore@v5
with:
path: ${{ steps.pnpm-store.outputs.path }}
key: ${{ steps.pnpm-cache-config.outputs.primary-key }}
restore-keys: ${{ steps.pnpm-cache-config.outputs.restore-keys }}
PROJECT_DIR: ${{ steps.setup-pnpm.outputs.project-dir }}
run: echo "pnpm-version=$(cd "$PROJECT_DIR" && pnpm -v)" >> "$GITHUB_OUTPUT"

18
.github/workflows/ci.yml vendored
View File

@@ -924,7 +924,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: "22.19.0"
cache-key-suffix: "node22-pnpm11"
install-bun: "false"
- name: Configure Node test resources
@@ -1004,7 +1003,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: "${{ matrix.node_version || '24.x' }}"
cache-key-suffix: "${{ matrix.cache_key_suffix || 'node24-pnpm11' }}"
install-bun: "false"
- name: Configure Node test resources
@@ -1515,14 +1513,8 @@ jobs:
node-version: 24.x
check-latest: false
- name: Setup pnpm + cache store
id: pnpm-cache
- name: Setup pnpm
uses: ./.github/actions/setup-pnpm-store-cache
with:
pnpm-version: "11.0.8"
cache-key-suffix: "node24-pnpm11"
use-restore-keys: "false"
use-actions-cache: "true"
- name: Runtime versions
run: |
@@ -1550,14 +1542,6 @@ jobs:
# caches can skip repeated rebuild/download work on later shards/runs.
pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true || pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true
- name: Save pnpm store cache
if: steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@v5
continue-on-error: true
with:
path: ${{ steps.pnpm-cache.outputs.store-path }}
key: ${{ steps.pnpm-cache.outputs.primary-key }}
- name: Run ${{ matrix.task }} (${{ matrix.runtime }})
env:
TASK: ${{ matrix.task }}

2
.github/workflows/full-release-validation.yml vendored
View File

@@ -119,7 +119,6 @@ env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
GH_REPO: ${{ github.repository }}
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
resolve_target:
@@ -635,7 +634,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
install-deps: "false"

2
.github/workflows/macos-release.yml vendored
View File

@@ -25,7 +25,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
validate_macos_release_request:
@@ -53,7 +52,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Ensure matching GitHub release exists

2
.github/workflows/mantis-discord-smoke.yml vendored
View File

@@ -25,7 +25,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
@@ -142,7 +141,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build private QA runtime

2
.github/workflows/mantis-discord-status-reactions.yml vendored
View File

@@ -32,7 +32,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
@@ -255,7 +254,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build Mantis harness

2
.github/workflows/mantis-discord-thread-attachment.yml vendored
View File

@@ -32,7 +32,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
@@ -245,7 +244,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build Mantis harness

2
.github/workflows/mantis-slack-desktop-smoke.yml vendored
View File

@@ -55,7 +55,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
CRABBOX_REF: main
@@ -162,7 +161,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build Mantis harness

3
.github/workflows/mantis-telegram-desktop-proof.yml vendored
View File

@@ -45,7 +45,6 @@ permissions:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
CRABBOX_REF: main
@@ -356,7 +355,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Setup Go for Crabbox CLI
@@ -618,7 +616,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Download existing proof artifact

2
.github/workflows/mantis-telegram-live.yml vendored
View File

@@ -41,7 +41,6 @@ permissions:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
CRABBOX_REF: main
@@ -320,7 +319,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build Mantis harness

2
.github/workflows/npm-telegram-beta-e2e.yml vendored
View File

@@ -104,7 +104,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
run_package_telegram_e2e:
@@ -147,7 +146,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate inputs and secrets

29
.github/workflows/openclaw-cross-os-release-checks-reusable.yml vendored
View File

@@ -193,7 +193,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
OPENCLAW_REPOSITORY: openclaw/openclaw
TSX_VERSION: "4.21.0"
OPENCLAW_CROSS_OS_OPENAI_MODEL: ${{ inputs.openai_model || vars.OPENCLAW_CROSS_OS_OPENAI_MODEL || 'openai/gpt-5.5' }}
@@ -352,18 +351,17 @@ jobs:
persist-credentials: false
submodules: recursive
- name: Setup pnpm
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
with:
version: ${{ env.PNPM_VERSION }}
run_install: false
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: ${{ env.NODE_VERSION }}
cache: pnpm
cache-dependency-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }}
- name: Setup pnpm
uses: ./workflow/.github/actions/setup-pnpm-store-cache
with:
package-manager-file: ${{ inputs.candidate_artifact_name == '' && 'source/package.json' || 'workflow/package.json' }}
lockfile-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }}
use-actions-cache: ${{ inputs.candidate_artifact_name == '' && 'true' || 'false' }}
- name: Ensure pnpm store cache directory exists
run: mkdir -p "$(pnpm store path --silent)"
@@ -540,17 +538,18 @@ jobs:
fetch-depth: 1
persist-credentials: false
- name: Setup pnpm
uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
with:
version: ${{ env.PNPM_VERSION }}
run_install: false
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: ${{ env.NODE_VERSION }}
- name: Setup pnpm
uses: ./workflow/.github/actions/setup-pnpm-store-cache
with:
package-manager-file: workflow/package.json
lockfile-path: workflow/pnpm-lock.yaml
use-actions-cache: "false"
- name: Download candidate artifact
uses: actions/download-artifact@v8
with:

13
.github/workflows/openclaw-live-and-e2e-checks-reusable.yml vendored
View File

@@ -308,7 +308,6 @@ permissions:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
validate_selected_ref:
@@ -491,7 +490,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate live cache credentials
@@ -539,7 +537,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build dist for repo E2E
@@ -584,7 +581,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build dist for special E2E
@@ -784,7 +780,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs
@@ -1021,7 +1016,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs
@@ -1178,7 +1172,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate Open WebUI credentials
@@ -1338,7 +1331,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Download current-run OpenClaw Docker E2E package
@@ -1682,7 +1674,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs
@@ -1801,7 +1792,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Normalize provider allowlist
@@ -2171,7 +2161,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs
@@ -2389,7 +2378,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs
@@ -2608,7 +2596,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Hydrate live auth/profile inputs

3
.github/workflows/openclaw-npm-release.yml vendored
View File

@@ -41,7 +41,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
# PLEASE DON'T ADD LONG-RUNNING OR FLAKY CHECKS TO THE npm RELEASE PATH.
@@ -118,7 +117,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Ensure version is not already published
@@ -495,7 +493,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Ensure version is not already published

11
.github/workflows/openclaw-release-checks.yml vendored
View File

@@ -91,7 +91,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
jobs:
@@ -487,7 +486,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
install-deps: "false"
@@ -773,7 +771,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build private QA runtime
@@ -845,7 +842,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Download parity lane artifacts
@@ -911,7 +907,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build private QA runtime
@@ -1027,7 +1022,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Download runtime parity artifacts
@@ -1080,7 +1074,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build private QA runtime
@@ -1160,7 +1153,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -1256,7 +1248,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -1355,7 +1346,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -1451,7 +1441,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env

2
.github/workflows/openclaw-release-publish.yml vendored
View File

@@ -71,7 +71,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
resolve_release_target:
@@ -361,7 +360,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
install-bun: "false"
cache-key-suffix: release-publish
- name: Dispatch publish workflows
env:

2
.github/workflows/package-acceptance.yml vendored
View File

@@ -288,7 +288,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
PACKAGE_ARTIFACT_NAME: package-under-test
jobs:
@@ -320,7 +319,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: ${{ inputs.source == 'ref' && 'true' || 'false' }}
install-deps: "false"

4
.github/workflows/plugin-clawhub-release.yml vendored
View File

@@ -32,7 +32,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
CLAWHUB_REGISTRY: "https://clawhub.ai"
CLAWHUB_REPOSITORY: "openclaw/clawhub"
# Pinned to a reviewed ClawHub commit so release behavior stays reproducible.
@@ -61,7 +60,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Resolve checked-out ref
@@ -264,7 +262,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
install-deps: "true"
@@ -359,7 +356,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
install-deps: "true"

4
.github/workflows/plugin-npm-release.yml vendored
View File

@@ -44,7 +44,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.15.0"
PNPM_VERSION: "11.0.8"
jobs:
preview_plugins_npm:
@@ -68,7 +67,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Resolve checked-out ref
@@ -230,7 +228,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Preview publish command
@@ -264,7 +261,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "false"
- name: Ensure version is not already published

9
.github/workflows/qa-live-transports-convex.yml vendored
View File

@@ -51,7 +51,6 @@ concurrency:
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
NODE_VERSION: "24.x"
PNPM_VERSION: "11.0.8"
OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }}
OPENCLAW_BUILD_PRIVATE_QA: "1"
OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1"
@@ -182,7 +181,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Build private QA runtime
@@ -252,7 +250,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -338,7 +335,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -424,7 +420,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -499,7 +494,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -594,7 +588,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -692,7 +685,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env
@@ -787,7 +779,6 @@ jobs:
uses: ./.github/actions/setup-node-env
with:
node-version: ${{ env.NODE_VERSION }}
pnpm-version: ${{ env.PNPM_VERSION }}
install-bun: "true"
- name: Validate required QA credential env

2
package.json
View File

@@ -1874,5 +1874,5 @@
"engines": {
"node": ">=22.19.0"
},
"packageManager": "pnpm@11.1.0+sha512.0c44e842e5686b2c061a81adda8b2258bd8818e9704b2cf2c63d56b931a7b2e910092e085027003b96ca3911ab56a07f6df5abaed2be9925034cdd686a535b14"
"packageManager": "pnpm@11.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f"
}

11
pnpm-workspace.yaml
View File

@@ -23,13 +23,24 @@ minimumReleaseAgeExclude:
- "@cloudflare/workers-types"
- "@hono/node-server"
- "@mariozechner/*"
- "@aws-sdk/client-bedrock-runtime@3.1051.0"
- "@aws-sdk/client-bedrock@3.1051.0"
- "@aws-sdk/client-cognito-identity@3.1051.0"
- "@aws-sdk/client-s3@3.1051.0"
- "@aws-sdk/core"
- "@aws-sdk/credential-providers@3.1051.0"
- "@aws-sdk/s3-request-presigner@3.1051.0"
- "@aws-sdk/token-providers@3.1051.0"
- "@copilotkit/aimock@1.27.0"
- "@earendil-works/pi-agent-core"
- "@earendil-works/pi-ai"
- "@earendil-works/pi-coding-agent"
- "@earendil-works/pi-tui"
- "@google/genai@2.5.0"
- "@larksuiteoapi/node-sdk@1.65.0"
- "@openai/codex"
- "@openai/codex-*"
- "@pierre/diffs@1.2.1"
- "@smithy/shared-ini-file-loader@4.5.1"
- "@typescript/native-preview*"
- "@types/node"

20
test/scripts/mantis-telegram-desktop-proof-workflow.test.ts
View File

@@ -48,19 +48,6 @@ type Workflow = {
permissions?: Record<string, string>;
};
type PackageJson = {
packageManager?: string;
};
function repositoryPnpmMajor(): string {
const packageJson = JSON.parse(readFileSync(PACKAGE_JSON, "utf8")) as PackageJson;
const major = packageJson.packageManager?.match(/^pnpm@(\d+)\./)?.[1];
if (!major) {
throw new Error(`Missing pnpm packageManager pin in ${PACKAGE_JSON}`);
}
return major;
}
function workflowStep(name: string): WorkflowStep {
const workflow = parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
const steps = workflow.jobs?.run_telegram_desktop_proof?.steps ?? [];
@@ -89,13 +76,12 @@ function filesUnder(root: string): string[] {
}
describe("Mantis Telegram Desktop proof workflow", () => {
it("runs with the repository pnpm major", () => {
it("uses repository pnpm setup defaults", () => {
const workflow = parse(readFileSync(WORKFLOW, "utf8")) as Workflow;
const liveWorkflow = parse(readFileSync(LIVE_WORKFLOW, "utf8")) as Workflow;
const pnpmMajor = repositoryPnpmMajor();
expect(workflow.env?.PNPM_VERSION?.split(".", 1)[0]).toBe(pnpmMajor);
expect(liveWorkflow.env?.PNPM_VERSION?.split(".", 1)[0]).toBe(pnpmMajor);
expect(workflow.env?.PNPM_VERSION).toBeUndefined();
expect(liveWorkflow.env?.PNPM_VERSION).toBeUndefined();
});
it("serializes all Mantis Telegram account runs without workflow concurrency cancellation", () => {

40
test/scripts/package-acceptance-workflow.test.ts
View File

@@ -1,4 +1,4 @@
import { readFileSync } from "node:fs";
import { readdirSync, readFileSync } from "node:fs";
import { describe, expect, it } from "vitest";
import { parse } from "yaml";
@@ -6,6 +6,7 @@ const PACKAGE_ACCEPTANCE_WORKFLOW = ".github/workflows/package-acceptance.yml";
const LIVE_E2E_WORKFLOW = ".github/workflows/openclaw-live-and-e2e-checks-reusable.yml";
const NPM_TELEGRAM_WORKFLOW = ".github/workflows/npm-telegram-beta-e2e.yml";
const PACKAGE_JSON = "package.json";
const SETUP_PNPM_STORE_CACHE_ACTION = ".github/actions/setup-pnpm-store-cache/action.yml";
const RELEASE_CHECKS_WORKFLOW = ".github/workflows/openclaw-release-checks.yml";
const RELEASE_PUBLISH_WORKFLOW = ".github/workflows/openclaw-release-publish.yml";
const FULL_RELEASE_VALIDATION_WORKFLOW = ".github/workflows/full-release-validation.yml";
@@ -40,6 +41,12 @@ function readWorkflow(path: string): Workflow {
return parse(readFileSync(path, "utf8")) as Workflow;
}
function workflowPaths(): string[] {
return readdirSync(".github/workflows")
.filter((name) => name.endsWith(".yml"))
.map((name) => `.github/workflows/${name}`);
}
function workflowJob(path: string, jobName: string): WorkflowJob {
const job = readWorkflow(path).jobs?.[jobName];
if (!job) {
@@ -66,6 +73,33 @@ function expectTextToIncludeAll(text: string | undefined, snippets: string[]): v
}
describe("package acceptance workflow", () => {
it("keeps pnpm version selection sourced from packageManager", () => {
const packageJson = JSON.parse(readFileSync(PACKAGE_JSON, "utf8")) as {
packageManager?: string;
};
const setupPnpmAction = readFileSync(SETUP_PNPM_STORE_CACHE_ACTION, "utf8");
expect(packageJson.packageManager).toMatch(/^pnpm@\d+\.\d+\.\d+\+sha512\.[a-f0-9]+$/u);
expect(setupPnpmAction).toContain("uses: pnpm/action-setup@");
expect(setupPnpmAction).toContain("package_json_file: ${{ inputs.package-manager-file }}");
expect(setupPnpmAction).toContain("cache: ${{ inputs.use-actions-cache }}");
expect(setupPnpmAction).toContain("cache_dependency_path: ${{ inputs.lockfile-path }}");
expect(setupPnpmAction).not.toContain("actions/cache");
expect(setupPnpmAction).not.toContain("shasum");
expect(setupPnpmAction).not.toContain("PNPM_VERSION_INPUT");
expect(setupPnpmAction).not.toContain("version: ${{ inputs.pnpm-version }}");
const setupNodeAction = readFileSync(".github/actions/setup-node-env/action.yml", "utf8");
expect(setupNodeAction).toContain("use-actions-cache: ${{ inputs.use-actions-cache }}");
for (const workflowPath of workflowPaths()) {
const workflowText = readFileSync(workflowPath, "utf8");
expect(workflowText, workflowPath).not.toContain("PNPM_VERSION");
expect(workflowText, workflowPath).not.toContain("pnpm-version:");
expect(workflowText, workflowPath).not.toContain("pnpm/action-setup");
}
});
it("resolves candidate package sources before reusing Docker E2E lanes", () => {
const workflow = readFileSync(PACKAGE_ACCEPTANCE_WORKFLOW, "utf8");
@@ -1036,9 +1070,7 @@ describe("package artifact reuse", () => {
for (const workflowPath of releaseWorkflowPaths) {
const workflow = readWorkflow(workflowPath);
expect(workflow.env?.NODE_VERSION, workflowPath).toBe("24.15.0");
if (workflow.env?.PNPM_VERSION !== undefined) {
expect(workflow.env.PNPM_VERSION, workflowPath).toBe("11.0.8");
}
expect(workflow.env?.PNPM_VERSION, workflowPath).toBeUndefined();
}
expect(fullRelease.jobs?.release_checks?.["timeout-minutes"]).toBe(