From a0702e195dd244076c3b35ba8ec8e3a0829702f4 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 22 May 2026 19:17:43 +0100 Subject: [PATCH] build(pnpm): use packageManager as pnpm source Recreated from #85108 because the original branch could not be updated by maintainers. Preserves current-main pnpm install hardening while switching workflow pnpm setup to packageManager, and adds exact version-scoped release-age exclusions for already-locked packages that pnpm 11.2.2 audits during install. Co-authored-by: Altay --- .github/actions/setup-node-env/action.yml | 22 +-- .../actions/setup-pnpm-store-cache/action.yml | 181 ++++-------------- .github/workflows/ci.yml | 18 +- .github/workflows/full-release-validation.yml | 2 - .github/workflows/macos-release.yml | 2 - .github/workflows/mantis-discord-smoke.yml | 2 - .../mantis-discord-status-reactions.yml | 2 - .../mantis-discord-thread-attachment.yml | 2 - .../workflows/mantis-slack-desktop-smoke.yml | 2 - .../mantis-telegram-desktop-proof.yml | 3 - .github/workflows/mantis-telegram-live.yml | 2 - .github/workflows/npm-telegram-beta-e2e.yml | 2 - ...nclaw-cross-os-release-checks-reusable.yml | 29 ++- .../openclaw-live-and-e2e-checks-reusable.yml | 13 -- .github/workflows/openclaw-npm-release.yml | 3 - .github/workflows/openclaw-release-checks.yml | 11 -- .../workflows/openclaw-release-publish.yml | 2 - .github/workflows/package-acceptance.yml | 2 - .github/workflows/plugin-clawhub-release.yml | 4 - .github/workflows/plugin-npm-release.yml | 4 - .../workflows/qa-live-transports-convex.yml | 9 - package.json | 2 +- pnpm-workspace.yaml | 11 ++ ...is-telegram-desktop-proof-workflow.test.ts | 20 +- .../package-acceptance-workflow.test.ts | 40 +++- 25 files changed, 100 insertions(+), 290 deletions(-) diff --git a/.github/actions/setup-node-env/action.yml b/.github/actions/setup-node-env/action.yml index 97e3a2ec3959..b521a773d48a 100644 --- a/.github/actions/setup-node-env/action.yml 
+++ b/.github/actions/setup-node-env/action.yml @@ -7,14 +7,6 @@ inputs: description: Node.js version to install. required: false default: "24.x" - cache-key-suffix: - description: Suffix appended to the pnpm store cache key. - required: false - default: "node24-pnpm11" - pnpm-version: - description: pnpm version for corepack. - required: false - default: "11.0.8" install-bun: description: Whether to install Bun alongside Node. required: false @@ -40,13 +32,9 @@ runs: node-version: ${{ inputs.node-version }} check-latest: false - - name: Setup pnpm + cache store - id: pnpm-cache + - name: Setup pnpm uses: ./.github/actions/setup-pnpm-store-cache with: - node-version: ${{ inputs.node-version }} - pnpm-version: ${{ inputs.pnpm-version }} - cache-key-suffix: ${{ inputs.cache-key-suffix }} use-actions-cache: ${{ inputs.use-actions-cache }} - name: Setup Bun @@ -128,11 +116,3 @@ runs: ln -sfn "$PNPM_CONFIG_MODULES_DIR" node_modules ln -sfn . "$PNPM_CONFIG_MODULES_DIR/node_modules" fi - - - name: Save pnpm store cache - if: inputs.install-deps == 'true' && steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true' - uses: actions/cache/save@v5 - continue-on-error: true - with: - path: ${{ steps.pnpm-cache.outputs.store-path }} - key: ${{ steps.pnpm-cache.outputs.primary-key }} diff --git a/.github/actions/setup-pnpm-store-cache/action.yml b/.github/actions/setup-pnpm-store-cache/action.yml index d0abf202caac..7aaa11cf48f6 100644 --- a/.github/actions/setup-pnpm-store-cache/action.yml +++ b/.github/actions/setup-pnpm-store-cache/action.yml 
@@ -1,168 +1,53 @@ -name: Setup pnpm + store cache -description: Prepare pnpm via corepack and restore pnpm store cache. +name: Setup pnpm +description: Prepare pnpm from the repository packageManager and restore its store cache. inputs: - pnpm-version: - description: pnpm version to activate via corepack. + package-manager-file: + description: package.json file that owns the packageManager pnpm pin. required: false - default: "11.0.8" - node-version: - description: Expected Node.js version already installed by actions/setup-node. + default: "package.json" + lockfile-path: + description: pnpm lockfile used to key the store cache. required: false - default: "24.x" - cache-key-suffix: - description: Suffix appended to the cache key. - required: false - default: "node24-pnpm11" - use-restore-keys: - description: Whether to use restore-keys fallback for actions/cache. - required: false - default: "true" + default: "pnpm-lock.yaml" use-actions-cache: - description: Whether to restore pnpm store with actions/cache. + description: Whether pnpm/action-setup should cache the pnpm store. required: false default: "true" outputs: - cache-enabled: - description: Whether actions/cache restore was enabled. - value: ${{ steps.pnpm-cache-config.outputs.enabled }} - cache-hit: - description: Whether the pnpm store cache had an exact key hit. - value: ${{ steps.pnpm-cache-restore.outputs.cache-hit }} - cache-matched-key: - description: Cache key matched by restore, if any. - value: ${{ steps.pnpm-cache-restore.outputs.cache-matched-key }} - primary-key: - description: Primary pnpm store cache key. - value: ${{ steps.pnpm-cache-config.outputs.primary-key }} - store-path: - description: Resolved pnpm store path. - value: ${{ steps.pnpm-store.outputs.path }} + pnpm-version: + description: Resolved pnpm version activated by the setup action. 
+ value: ${{ steps.pnpm-version.outputs.pnpm-version }} + project-dir: + description: Directory containing the packageManager file used for pnpm resolution. + value: ${{ steps.setup-pnpm.outputs.project-dir }} runs: using: composite steps: - - name: Setup pnpm (corepack retry) + - name: Validate pnpm setup inputs + id: setup-pnpm shell: bash env: - COREPACK_ENABLE_DOWNLOAD_PROMPT: "0" - PNPM_VERSION: ${{ inputs.pnpm-version }} - REQUESTED_NODE_VERSION: ${{ inputs.node-version }} + PACKAGE_MANAGER_FILE: ${{ inputs.package-manager-file }} run: | set -euo pipefail - if [[ ! "$PNPM_VERSION" =~ ^[0-9]+(\.[0-9]+){1,2}([.-][0-9A-Za-z.-]+)?$ ]]; then - echo "::error::Invalid pnpm-version input: '$PNPM_VERSION'" - exit 2 - fi - - requested_node="${REQUESTED_NODE_VERSION:-${NODE_VERSION:-}}" - requested_node="${requested_node#v}" - - node_version_matches() { - local actual="$1" - local requested="$2" - if [[ -z "$requested" ]]; then - return 0 - fi - case "$requested" in - *x) - [[ "${actual%%.*}" == "${requested%%.*}" ]] - ;; - *.*.*) - [[ "$actual" == "$requested" ]] - ;; - *.*) - [[ "$actual" == "$requested".* ]] - ;; - *) - [[ "${actual%%.*}" == "$requested" ]] - ;; - esac - } - - active_node_version="$(node -p 'process.versions.node' 2>/dev/null || true)" - if ! 
node_version_matches "$active_node_version" "$requested_node"; then - node_roots=() - for root in \ - "${RUNNER_TOOL_CACHE:-}" \ - "${AGENT_TOOLSDIRECTORY:-}" \ - "${ACTIONS_RUNNER_TOOL_CACHE:-}" \ - "/opt/hostedtoolcache" \ - "/home/runner/_work/_tool" \ - "/Users/runner/hostedtoolcache" \ - "/c/hostedtoolcache/windows" - do - if [[ -d "$root/node" ]]; then - node_roots+=("$root/node") - elif [[ "$(basename "$root")" == "node" && -d "$root" ]]; then - node_roots+=("$root") - fi - done - - node_bin="" - for node_root in "${node_roots[@]}"; do - while IFS= read -r candidate; do - candidate_version="$("$candidate" -p 'process.versions.node' 2>/dev/null || true)" - if node_version_matches "$candidate_version" "$requested_node"; then - node_bin="$candidate" - break 2 - fi - done < <(find "$node_root" \( -name node -o -name node.exe \) -type f 2>/dev/null | sort -r) - done - - if [[ -n "$node_bin" ]]; then - echo "Using Node $("$node_bin" -p 'process.versions.node') from $node_bin" - export PATH="$(dirname "$node_bin"):$PATH" - hash -r - fi - fi - - active_node_version="$(node -p 'process.versions.node' 2>/dev/null || true)" - if ! node_version_matches "$active_node_version" "$requested_node"; then - echo "::error::Expected Node '${requested_node}', but active node is '${active_node_version:-missing}' at $(command -v node || true)" + project_dir="$(dirname "$PACKAGE_MANAGER_FILE")" + if [[ ! -f "$PACKAGE_MANAGER_FILE" ]]; then + echo "::error::package manager file not found: $PACKAGE_MANAGER_FILE" exit 1 fi + echo "project-dir=$project_dir" >> "$GITHUB_OUTPUT" - node -v - command -v node - command -v corepack - corepack enable - for attempt in 1 2 3; do - if corepack prepare "pnpm@$PNPM_VERSION" --activate; then - pnpm -v - exit 0 - fi - echo "corepack prepare failed (attempt $attempt/3). Retrying..." 
- sleep $((attempt * 10)) - done - exit 1 + - name: Setup pnpm from packageManager + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 + with: + package_json_file: ${{ inputs.package-manager-file }} + run_install: false + cache: ${{ inputs.use-actions-cache }} + cache_dependency_path: ${{ inputs.lockfile-path }} - - name: Resolve pnpm store path - id: pnpm-store - shell: bash - run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT" - - - name: Resolve pnpm store cache keys - id: pnpm-cache-config + - name: Record pnpm version + id: pnpm-version shell: bash env: - CACHE_KEY_SUFFIX: ${{ inputs.cache-key-suffix }} - LOCKFILE_HASH: ${{ hashFiles('pnpm-lock.yaml') }} - USE_ACTIONS_CACHE: ${{ inputs.use-actions-cache }} - USE_RESTORE_KEYS: ${{ inputs.use-restore-keys }} - run: | - set -euo pipefail - echo "enabled=$USE_ACTIONS_CACHE" >> "$GITHUB_OUTPUT" - echo "primary-key=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-${LOCKFILE_HASH}" >> "$GITHUB_OUTPUT" - if [ "$USE_RESTORE_KEYS" = "true" ]; then - echo "restore-keys=${RUNNER_OS}-pnpm-store-${CACHE_KEY_SUFFIX}-" >> "$GITHUB_OUTPUT" - else - echo "restore-keys=" >> "$GITHUB_OUTPUT" - fi - - - name: Restore pnpm store cache - id: pnpm-cache-restore - if: inputs.use-actions-cache == 'true' - uses: actions/cache/restore@v5 - with: - path: ${{ steps.pnpm-store.outputs.path }} - key: ${{ steps.pnpm-cache-config.outputs.primary-key }} - restore-keys: ${{ steps.pnpm-cache-config.outputs.restore-keys }} + PROJECT_DIR: ${{ steps.setup-pnpm.outputs.project-dir }} + run: echo "pnpm-version=$(cd "$PROJECT_DIR" && pnpm -v)" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 503a9787a352..85247ae05ed5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -924,7 +924,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: "22.19.0" - cache-key-suffix: "node22-pnpm11" install-bun: "false" - name: Configure Node test resources 
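Review bot: The new `Validate pnpm setup inputs` step only checks that `$PACKAGE_MANAGER_FILE` exists, so the format check the removed script applied to `pnpm-version` has no counterpart for the `packageManager` value that now selects the pnpm binary. The cross-OS release checks hunks in this patch pass `source/package.json` for this input, so the file can come from the ref under test rather than the workflow checkout. Whether pnpm/action-setup rejects a `packageManager` entry without an integrity hash is not visible here, so I would fail early in this step when the field is missing, names another manager, or lacks the `+sha512.` suffix. The sketch below assumes Node is already on PATH, which holds for the callers shown in this patch because their Node setup step runs first. Separately, the `uses: pnpm/action-setup@0e279bb…` pin would be easier to audit with a trailing comment naming the release it corresponds to.

```yaml
      run: |
        set -euo pipefail
        # … unchanged: project_dir assignment and file-exists check …
        package_manager="$(node -p 'JSON.parse(require("node:fs").readFileSync(process.argv[1], "utf8")).packageManager ?? ""' "$PACKAGE_MANAGER_FILE")"
        if [[ ! "$package_manager" =~ ^pnpm@[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?\+sha512\.[0-9a-f]{128}$ ]]; then
          echo "::error::$PACKAGE_MANAGER_FILE must pin pnpm in packageManager with a sha512 integrity hash"
          exit 1
        fi
        # … unchanged: project-dir output …
```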
@@ -1004,7 +1003,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: "${{ matrix.node_version || '24.x' }}" - cache-key-suffix: "${{ matrix.cache_key_suffix || 'node24-pnpm11' }}" install-bun: "false" - name: Configure Node test resources @@ -1515,14 +1513,8 @@ jobs: node-version: 24.x check-latest: false - - name: Setup pnpm + cache store - id: pnpm-cache + - name: Setup pnpm uses: ./.github/actions/setup-pnpm-store-cache - with: - pnpm-version: "11.0.8" - cache-key-suffix: "node24-pnpm11" - use-restore-keys: "false" - use-actions-cache: "true" - name: Runtime versions run: | @@ -1550,14 +1542,6 @@ jobs: # caches can skip repeated rebuild/download work on later shards/runs. pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true || pnpm install --frozen-lockfile --prefer-offline --ignore-scripts=false --config.engine-strict=false --config.enable-pre-post-scripts=true --config.side-effects-cache=true - - name: Save pnpm store cache - if: steps.pnpm-cache.outputs.cache-enabled == 'true' && steps.pnpm-cache.outputs.cache-hit != 'true' - uses: actions/cache/save@v5 - continue-on-error: true - with: - path: ${{ steps.pnpm-cache.outputs.store-path }} - key: ${{ steps.pnpm-cache.outputs.primary-key }} - - name: Run ${{ matrix.task }} (${{ matrix.runtime }}) env: TASK: ${{ matrix.task }} diff --git a/.github/workflows/full-release-validation.yml b/.github/workflows/full-release-validation.yml index d4bad6b9337b..d91dd8e8f400 100644 --- a/.github/workflows/full-release-validation.yml +++ b/.github/workflows/full-release-validation.yml @@ -119,7 +119,6 @@ env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" GH_REPO: ${{ github.repository }} NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: resolve_target: 
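Review bot: Dropping the `with:` block from the `Setup pnpm` step in the `@@ -1515` hunk also drops `use-restore-keys: "false"`, and the rewritten action has no equivalent input. The install step a few lines later runs with `--ignore-scripts=false` and `--config.side-effects-cache=true`, so a store restored from anything other than an exact lockfile match would bring along build outputs produced for a different dependency set. The cache key and any fallback are now decided inside pnpm/action-setup, which this patch does not show; please confirm it restores on an exact key only, and if it does not, pass `use-actions-cache: "false"` for this job. A short comment on the step recording that expectation would keep the earlier opt-out from being lost.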
@@ -635,7 +634,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" install-deps: "false" diff --git a/.github/workflows/macos-release.yml b/.github/workflows/macos-release.yml index a5bdd1eb438e..0fb794cf60eb 100644 --- a/.github/workflows/macos-release.yml +++ b/.github/workflows/macos-release.yml @@ -25,7 +25,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: validate_macos_release_request: @@ -53,7 +52,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Ensure matching GitHub release exists diff --git a/.github/workflows/mantis-discord-smoke.yml b/.github/workflows/mantis-discord-smoke.yml index ea30fad2dec4..091c814ef73f 100644 --- a/.github/workflows/mantis-discord-smoke.yml +++ b/.github/workflows/mantis-discord-smoke.yml @@ -25,7 +25,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" @@ -142,7 +141,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build private QA runtime diff --git a/.github/workflows/mantis-discord-status-reactions.yml b/.github/workflows/mantis-discord-status-reactions.yml index e92eab98665b..984b8f807869 100644 --- a/.github/workflows/mantis-discord-status-reactions.yml +++ b/.github/workflows/mantis-discord-status-reactions.yml @@ -32,7 +32,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" 
@@ -255,7 +254,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build Mantis harness diff --git a/.github/workflows/mantis-discord-thread-attachment.yml b/.github/workflows/mantis-discord-thread-attachment.yml index a1bf1f493dcd..c896c5b61381 100644 --- a/.github/workflows/mantis-discord-thread-attachment.yml +++ b/.github/workflows/mantis-discord-thread-attachment.yml @@ -32,7 +32,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" @@ -245,7 +244,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build Mantis harness diff --git a/.github/workflows/mantis-slack-desktop-smoke.yml b/.github/workflows/mantis-slack-desktop-smoke.yml index 8c6dd83a9d9b..855c67aa4844 100644 --- a/.github/workflows/mantis-slack-desktop-smoke.yml +++ b/.github/workflows/mantis-slack-desktop-smoke.yml @@ -55,7 +55,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" CRABBOX_REF: main @@ -162,7 +161,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build Mantis harness diff --git a/.github/workflows/mantis-telegram-desktop-proof.yml b/.github/workflows/mantis-telegram-desktop-proof.yml index ad4cb00a072b..becc8f27a418 100644 --- a/.github/workflows/mantis-telegram-desktop-proof.yml +++ b/.github/workflows/mantis-telegram-desktop-proof.yml 
@@ -45,7 +45,6 @@ permissions: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" CRABBOX_REF: main @@ -356,7 +355,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Setup Go for Crabbox CLI @@ -618,7 +616,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Download existing proof artifact diff --git a/.github/workflows/mantis-telegram-live.yml b/.github/workflows/mantis-telegram-live.yml index a3fc2864a6b7..2d6ae035b055 100644 --- a/.github/workflows/mantis-telegram-live.yml +++ b/.github/workflows/mantis-telegram-live.yml @@ -41,7 +41,6 @@ permissions: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" CRABBOX_REF: main @@ -320,7 +319,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build Mantis harness diff --git a/.github/workflows/npm-telegram-beta-e2e.yml b/.github/workflows/npm-telegram-beta-e2e.yml index 315c3c841892..1b4a6c5b4d2b 100644 --- a/.github/workflows/npm-telegram-beta-e2e.yml +++ b/.github/workflows/npm-telegram-beta-e2e.yml @@ -104,7 +104,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: run_package_telegram_e2e: @@ -147,7 +146,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate inputs and secrets 
diff --git a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml index a14c302edde3..addbec8a4b8d 100644 --- a/.github/workflows/openclaw-cross-os-release-checks-reusable.yml +++ b/.github/workflows/openclaw-cross-os-release-checks-reusable.yml @@ -193,7 +193,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" OPENCLAW_REPOSITORY: openclaw/openclaw TSX_VERSION: "4.21.0" OPENCLAW_CROSS_OS_OPENAI_MODEL: ${{ inputs.openai_model || vars.OPENCLAW_CROSS_OS_OPENAI_MODEL || 'openai/gpt-5.5' }} @@ -352,18 +351,17 @@ jobs: persist-credentials: false submodules: recursive - - name: Setup pnpm - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 - with: - version: ${{ env.PNPM_VERSION }} - run_install: false - - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} - cache: pnpm - cache-dependency-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }} + + - name: Setup pnpm + uses: ./workflow/.github/actions/setup-pnpm-store-cache + with: + package-manager-file: ${{ inputs.candidate_artifact_name == '' && 'source/package.json' || 'workflow/package.json' }} + lockfile-path: ${{ inputs.candidate_artifact_name == '' && 'source/pnpm-lock.yaml' || 'workflow/pnpm-lock.yaml' }} + use-actions-cache: ${{ inputs.candidate_artifact_name == '' && 'true' || 'false' }} - name: Ensure pnpm store cache directory exists run: mkdir -p "$(pnpm store path --silent)" 
@@ -540,17 +538,18 @@ jobs: fetch-depth: 1 persist-credentials: false - - name: Setup pnpm - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 - with: - version: ${{ env.PNPM_VERSION }} - run_install: false - - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_VERSION }} + - name: Setup pnpm + uses: ./workflow/.github/actions/setup-pnpm-store-cache + with: + package-manager-file: workflow/package.json + lockfile-path: workflow/pnpm-lock.yaml + use-actions-cache: "false" + - name: Download candidate artifact uses: actions/download-artifact@v8 with: diff --git a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml index fe782ee2619a..623ae80b4d66 100644 --- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml +++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml @@ -308,7 +308,6 @@ permissions: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: validate_selected_ref: @@ -491,7 +490,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate live cache credentials @@ -539,7 +537,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build dist for repo E2E @@ -584,7 +581,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build dist for special E2E @@ -784,7 +780,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs 
@@ -1021,7 +1016,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs @@ -1178,7 +1172,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate Open WebUI credentials @@ -1338,7 +1331,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Download current-run OpenClaw Docker E2E package @@ -1682,7 +1674,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs @@ -1801,7 +1792,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Normalize provider allowlist @@ -2171,7 +2161,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs @@ -2389,7 +2378,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs @@ -2608,7 +2596,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Hydrate live auth/profile inputs diff --git a/.github/workflows/openclaw-npm-release.yml b/.github/workflows/openclaw-npm-release.yml index f0293f987706..483dec9eb79e 100644 --- a/.github/workflows/openclaw-npm-release.yml +++ b/.github/workflows/openclaw-npm-release.yml 
@@ -41,7 +41,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: # PLEASE DON'T ADD LONG-RUNNING OR FLAKY CHECKS TO THE npm RELEASE PATH. @@ -118,7 +117,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Ensure version is not already published @@ -495,7 +493,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Ensure version is not already published diff --git a/.github/workflows/openclaw-release-checks.yml b/.github/workflows/openclaw-release-checks.yml index e0cbf857b9cd..f8475466d6de 100644 --- a/.github/workflows/openclaw-release-checks.yml +++ b/.github/workflows/openclaw-release-checks.yml @@ -91,7 +91,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }} jobs: @@ -487,7 +486,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" install-deps: "false" @@ -773,7 +771,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build private QA runtime @@ -845,7 +842,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Download parity lane artifacts @@ -911,7 +907,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build private QA runtime 
@@ -1027,7 +1022,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Download runtime parity artifacts @@ -1080,7 +1074,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build private QA runtime @@ -1160,7 +1153,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -1256,7 +1248,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -1355,7 +1346,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -1451,7 +1441,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env diff --git a/.github/workflows/openclaw-release-publish.yml b/.github/workflows/openclaw-release-publish.yml index 097b9725df2c..399913d45d69 100644 --- a/.github/workflows/openclaw-release-publish.yml +++ b/.github/workflows/openclaw-release-publish.yml @@ -71,7 +71,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: resolve_release_target: @@ -361,7 +360,6 @@ jobs: uses: ./.github/actions/setup-node-env with: install-bun: "false" - cache-key-suffix: release-publish - name: Dispatch publish workflows env: diff --git a/.github/workflows/package-acceptance.yml b/.github/workflows/package-acceptance.yml index 9f3589ce6487..9df4e4a285ca 100644 
--- a/.github/workflows/package-acceptance.yml +++ b/.github/workflows/package-acceptance.yml @@ -288,7 +288,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" PACKAGE_ARTIFACT_NAME: package-under-test jobs: @@ -320,7 +319,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: ${{ inputs.source == 'ref' && 'true' || 'false' }} install-deps: "false" diff --git a/.github/workflows/plugin-clawhub-release.yml b/.github/workflows/plugin-clawhub-release.yml index cdf5ae1ce6e5..ba684d42387c 100644 --- a/.github/workflows/plugin-clawhub-release.yml +++ b/.github/workflows/plugin-clawhub-release.yml @@ -32,7 +32,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" CLAWHUB_REGISTRY: "https://clawhub.ai" CLAWHUB_REPOSITORY: "openclaw/clawhub" # Pinned to a reviewed ClawHub commit so release behavior stays reproducible. @@ -61,7 +60,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Resolve checked-out ref @@ -264,7 +262,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" install-deps: "true" @@ -359,7 +356,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" install-deps: "true" diff --git a/.github/workflows/plugin-npm-release.yml b/.github/workflows/plugin-npm-release.yml index 819e1ba1f8d2..656038d5ed71 100644 --- a/.github/workflows/plugin-npm-release.yml +++ b/.github/workflows/plugin-npm-release.yml 
@@ -44,7 +44,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.15.0" - PNPM_VERSION: "11.0.8" jobs: preview_plugins_npm: @@ -68,7 +67,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Resolve checked-out ref @@ -230,7 +228,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Preview publish command @@ -264,7 +261,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "false" - name: Ensure version is not already published diff --git a/.github/workflows/qa-live-transports-convex.yml b/.github/workflows/qa-live-transports-convex.yml index b1fac30e812a..d19bf4b5a0ff 100644 --- a/.github/workflows/qa-live-transports-convex.yml +++ b/.github/workflows/qa-live-transports-convex.yml @@ -51,7 +51,6 @@ concurrency: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" NODE_VERSION: "24.x" - PNPM_VERSION: "11.0.8" OPENCLAW_CI_OPENAI_MODEL: ${{ vars.OPENCLAW_CI_OPENAI_MODEL || 'openai/gpt-5.5' }} OPENCLAW_BUILD_PRIVATE_QA: "1" OPENCLAW_ENABLE_PRIVATE_QA_CLI: "1" @@ -182,7 +181,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Build private QA runtime @@ -252,7 +250,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -338,7 +335,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env 
@@ -424,7 +420,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -499,7 +494,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -594,7 +588,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -692,7 +685,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env @@ -787,7 +779,6 @@ jobs: uses: ./.github/actions/setup-node-env with: node-version: ${{ env.NODE_VERSION }} - pnpm-version: ${{ env.PNPM_VERSION }} install-bun: "true" - name: Validate required QA credential env diff --git a/package.json b/package.json index a51b60bc1727..5889b0c1d7aa 100644 --- a/package.json +++ b/package.json @@ -1874,5 +1874,5 @@ "engines": { "node": ">=22.19.0" }, - "packageManager": "pnpm@11.1.0+sha512.0c44e842e5686b2c061a81adda8b2258bd8818e9704b2cf2c63d56b931a7b2e910092e085027003b96ca3911ab56a07f6df5abaed2be9925034cdd686a535b14" + "packageManager": "pnpm@11.2.2+sha512.36e6621fad506178936455e70247b8808ef4ec25797a9f437a93281a020484e2607f6a469a22e982987c3dbb8866e3071514ab10a4a1749e06edcd1ec118436f" } diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index c131193eca36..ed79f99464bd 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml 
@@ -23,13 +23,24 @@ minimumReleaseAgeExclude: - "@cloudflare/workers-types" - "@hono/node-server" - "@mariozechner/*" + - "@aws-sdk/client-bedrock-runtime@3.1051.0" + - "@aws-sdk/client-bedrock@3.1051.0" + - "@aws-sdk/client-cognito-identity@3.1051.0" + - "@aws-sdk/client-s3@3.1051.0" - "@aws-sdk/core" + - "@aws-sdk/credential-providers@3.1051.0" + - "@aws-sdk/s3-request-presigner@3.1051.0" + - "@aws-sdk/token-providers@3.1051.0" + - "@copilotkit/aimock@1.27.0" - "@earendil-works/pi-agent-core" - "@earendil-works/pi-ai" - "@earendil-works/pi-coding-agent" - "@earendil-works/pi-tui" + - "@google/genai@2.5.0" + - "@larksuiteoapi/node-sdk@1.65.0" - "@openai/codex" - "@openai/codex-*" + - "@pierre/diffs@1.2.1" - "@smithy/shared-ini-file-loader@4.5.1" - "@typescript/native-preview*" - "@types/node" diff --git a/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts b/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts index e214284d79a0..f4b4f028af97 100644 --- a/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts +++ b/test/scripts/mantis-telegram-desktop-proof-workflow.test.ts @@ -48,19 +48,6 @@ type Workflow = { permissions?: Record; }; -type PackageJson = { - packageManager?: string; -}; - -function repositoryPnpmMajor(): string { - const packageJson = JSON.parse(readFileSync(PACKAGE_JSON, "utf8")) as PackageJson; - const major = packageJson.packageManager?.match(/^pnpm@(\d+)\./)?.[1]; - if (!major) { - throw new Error(`Missing pnpm packageManager pin in ${PACKAGE_JSON}`); - } - return major; -} - function workflowStep(name: string): WorkflowStep { const workflow = parse(readFileSync(WORKFLOW, "utf8")) as Workflow; const steps = workflow.jobs?.run_telegram_desktop_proof?.steps ?? []; 
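Review bot: The eleven exact-version entries added to `minimumReleaseAgeExclude` in pnpm-workspace.yaml carry no comment saying why they are exempt or when they can be removed. Each one lets that version install without waiting out the release-age delay, so entries that outlive their purpose become permanent exceptions to the quarantine. I would add a comment above the group such as `# Temporary: versions already pinned in pnpm-lock.yaml; drop each entry once it is older than minimumReleaseAge`. Version-scoping is the right shape; the unversioned neighbours visible as context (`@aws-sdk/core`, `@openai/codex-*`) exempt every future release and look worth narrowing the same way. The list starts and continues outside this hunk, and the configured delay is not visible here.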
@@ -89,13 +76,12 @@ function filesUnder(root: string): string[] { } describe("Mantis Telegram Desktop proof workflow", () => { - it("runs with the repository pnpm major", () => { + it("uses repository pnpm setup defaults", () => { const workflow = parse(readFileSync(WORKFLOW, "utf8")) as Workflow; const liveWorkflow = parse(readFileSync(LIVE_WORKFLOW, "utf8")) as Workflow; - const pnpmMajor = repositoryPnpmMajor(); - expect(workflow.env?.PNPM_VERSION?.split(".", 1)[0]).toBe(pnpmMajor); - expect(liveWorkflow.env?.PNPM_VERSION?.split(".", 1)[0]).toBe(pnpmMajor); + expect(workflow.env?.PNPM_VERSION).toBeUndefined(); + expect(liveWorkflow.env?.PNPM_VERSION).toBeUndefined(); }); it("serializes all Mantis Telegram account runs without workflow concurrency cancellation", () => { diff --git a/test/scripts/package-acceptance-workflow.test.ts b/test/scripts/package-acceptance-workflow.test.ts index ee87b5bbdf4e..273b5af2d36a 100644 --- a/test/scripts/package-acceptance-workflow.test.ts +++ b/test/scripts/package-acceptance-workflow.test.ts @@ -1,4 +1,4 @@ -import { readFileSync } from "node:fs"; +import { readdirSync, readFileSync } from "node:fs"; import { describe, expect, it } from "vitest"; import { parse } from "yaml"; @@ -6,6 +6,7 @@ const PACKAGE_ACCEPTANCE_WORKFLOW = ".github/workflows/package-acceptance.yml"; const LIVE_E2E_WORKFLOW = ".github/workflows/openclaw-live-and-e2e-checks-reusable.yml"; const NPM_TELEGRAM_WORKFLOW = ".github/workflows/npm-telegram-beta-e2e.yml"; const PACKAGE_JSON = "package.json"; +const SETUP_PNPM_STORE_CACHE_ACTION = ".github/actions/setup-pnpm-store-cache/action.yml"; const RELEASE_CHECKS_WORKFLOW = ".github/workflows/openclaw-release-checks.yml"; const RELEASE_PUBLISH_WORKFLOW = ".github/workflows/openclaw-release-publish.yml"; const FULL_RELEASE_VALIDATION_WORKFLOW = ".github/workflows/full-release-validation.yml"; 
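Review bot: The rewritten test "uses repository pnpm setup defaults" only checks that the workflow-level `env` has no `PNPM_VERSION`. A job-level or step-level `env` entry, or a `pnpm-version:` input on the setup step, would still pass. A text-level assertion would close that gap inside this file, for example `expect(readFileSync(WORKFLOW, "utf8")).not.toContain("pnpm-version:");`, repeated for `LIVE_WORKFLOW`. With `repositoryPnpmMajor()` removed in the earlier hunk, the `PACKAGE_JSON` constant may now be unused; it is declared outside the visible hunks, so please confirm.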
@@ -40,6 +41,12 @@ function readWorkflow(path: string): Workflow { return parse(readFileSync(path, "utf8")) as Workflow; } +function workflowPaths(): string[] { + return readdirSync(".github/workflows") + .filter((name) => name.endsWith(".yml")) + .map((name) => `.github/workflows/${name}`); +} + function workflowJob(path: string, jobName: string): WorkflowJob { const job = readWorkflow(path).jobs?.[jobName]; if (!job) { 
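Review bot: `workflowPaths()` keeps only names ending in `.yml`, but GitHub Actions also loads workflows named `*.yaml`. A workflow added with that extension would never be scanned, so it could bring back a pnpm pin or a direct `pnpm/action-setup` reference without failing the guard test that consumes this helper. I would change the filter to `.filter((name) => /\.ya?ml$/u.test(name))`. The helper also resolves `.github/workflows` against the current working directory, so a one-line comment noting that the suite must run from the repository root would help.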
@@ -66,6 +73,33 @@ function expectTextToIncludeAll(text: string | undefined, snippets: string[]): v } describe("package acceptance workflow", () => { + it("keeps pnpm version selection sourced from packageManager", () => { + const packageJson = JSON.parse(readFileSync(PACKAGE_JSON, "utf8")) as { + packageManager?: string; + }; + const setupPnpmAction = readFileSync(SETUP_PNPM_STORE_CACHE_ACTION, "utf8"); + + expect(packageJson.packageManager).toMatch(/^pnpm@\d+\.\d+\.\d+\+sha512\.[a-f0-9]+$/u); + expect(setupPnpmAction).toContain("uses: pnpm/action-setup@"); + expect(setupPnpmAction).toContain("package_json_file: ${{ inputs.package-manager-file }}"); + expect(setupPnpmAction).toContain("cache: ${{ inputs.use-actions-cache }}"); + expect(setupPnpmAction).toContain("cache_dependency_path: ${{ inputs.lockfile-path }}"); + expect(setupPnpmAction).not.toContain("actions/cache"); + expect(setupPnpmAction).not.toContain("shasum"); + expect(setupPnpmAction).not.toContain("PNPM_VERSION_INPUT"); + expect(setupPnpmAction).not.toContain("version: ${{ inputs.pnpm-version }}"); + + const setupNodeAction = readFileSync(".github/actions/setup-node-env/action.yml", "utf8"); + expect(setupNodeAction).toContain("use-actions-cache: ${{ inputs.use-actions-cache }}"); + + for (const workflowPath of workflowPaths()) { + const workflowText = readFileSync(workflowPath, "utf8"); + expect(workflowText, workflowPath).not.toContain("PNPM_VERSION"); + expect(workflowText, workflowPath).not.toContain("pnpm-version:"); + expect(workflowText, workflowPath).not.toContain("pnpm/action-setup"); + } + }); + it("resolves candidate package sources before reusing Docker E2E lanes", () => { const workflow = readFileSync(PACKAGE_ACCEPTANCE_WORKFLOW, "utf8"); 
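Review bot: The new guard checks `toContain("uses: pnpm/action-setup@")` but never asserts what follows the `@`. A later edit that moves the third-party action from a commit SHA to a mutable tag or branch would still pass. If the composite action pins by SHA (its contents are outside this hunk), I would enforce it with `expect(setupPnpmAction).toMatch(/uses: pnpm\/action-setup@[a-f0-9]{40}\b/u);`. The `packageManager` pattern likewise accepts a digest of any length; `[a-f0-9]{128}` in place of `[a-f0-9]+` would reject a truncated sha512. The closing loop scans only `.github/workflows`, so other composite actions under `.github/actions` are not checked for a direct `pnpm/action-setup` use.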
@@ -1036,9 +1070,7 @@ describe("package artifact reuse", () => { for (const workflowPath of releaseWorkflowPaths) { const workflow = readWorkflow(workflowPath); expect(workflow.env?.NODE_VERSION, workflowPath).toBe("24.15.0"); - if (workflow.env?.PNPM_VERSION !== undefined) { - expect(workflow.env.PNPM_VERSION, workflowPath).toBe("11.0.8"); - } + expect(workflow.env?.PNPM_VERSION, workflowPath).toBeUndefined(); } expect(fullRelease.jobs?.release_checks?.["timeout-minutes"]).toBe(