chore: Harden pnpm usage in release workflow #6566

Open
erezrokah wants to merge 5 commits into cloudflare:main from erezrokah:claude/pnpm-hardening

@erezrokah erezrokah commented Apr 12, 2026

Ensure esbuild resolves from the lockfile in the publish-wrapper job by installing dependencies with pnpm before running npx esbuild.

@erezrokah erezrokah marked this pull request as ready for review April 12, 2026 12:49
@erezrokah erezrokah requested review from a team as code owners April 12, 2026 12:49
@erezrokah erezrokah requested review from Copilot and penalosa April 12, 2026 12:49
Copilot AI left a comment

Pull request overview

Hardens the release pipeline’s Node tooling so CI and Docker builds use a consistent pnpm version (derived from package.json) and avoid ad-hoc tool downloads during the publish workflow.

Changes:

  • Install pnpm in the publish-wrapper job before running esbuild, and run pnpm install so tooling can resolve from the workspace.
  • Update Dockerfile.release to install a pnpm version derived from package.json’s packageManager field.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| Dockerfile.release | Installs pnpm based on the repo’s packageManager field before running pnpm install and the Bazel build. |
| .github/workflows/release.yml | Adds pnpm/action-setup + pnpm install to the publish-wrapper job prior to npx esbuild usage. |

@erezrokah (Author)

Addressed review comments:

  • Dockerfile.release validation: Added check that packageManager exists and starts with pnpm@, with a clear error message if not (b834f56)
  • pnpm store caching: Added cache: 'pnpm' to actions/setup-node in publish-wrapper (b834f56)
  • --frozen-lockfile: Not added explicitly — pnpm defaults to --frozen-lockfile when CI=true, which is set automatically in GitHub Actions

- Add pnpm setup, caching, and install step to publish-wrapper job so
  npx esbuild resolves from the lockfile instead of downloading on-the-fly
- Derive pnpm version from packageManager field in Dockerfile.release
  instead of using pnpm@latest, with validation
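
The packageManager validation described in the reply above, sketched as an added example; this is not the PR's code, and `resolvePinnedPnpm` is a hypothetical name. It goes beyond the two checks named in the thread (field exists, starts with `pnpm@`) by also requiring an exact version and accepting an optional `+<algo>.<hex>` integrity suffix, both of which are assumptions about what a release build should enforce.

```javascript
// Added example, not the PR's code. resolvePinnedPnpm is a hypothetical helper.
// Exact version only: MAJOR.MINOR.PATCH with optional prerelease; no tags or ranges.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// Assumed shape of an optional integrity suffix: <algo>.<lowercase hex digest>
const INTEGRITY = /^[a-z0-9]+\.[0-9a-f]+$/;

function resolvePinnedPnpm(packageJsonText) {
  let manifest;
  try {
    manifest = JSON.parse(packageJsonText);
  } catch (err) {
    throw new Error(`package.json is not valid JSON: ${err.message}`);
  }
  const field = manifest.packageManager;
  if (typeof field !== "string" || field.length === 0) {
    throw new Error("package.json has no packageManager field; refusing to guess a pnpm version");
  }
  if (!field.startsWith("pnpm@")) {
    throw new Error(`packageManager must start with "pnpm@", got "${field}"`);
  }
  // Everything after "pnpm@" is "<version>" or "<version>+<integrity>".
  const [version, integrity, ...extra] = field.slice("pnpm@".length).split("+");
  if (extra.length > 0 || !EXACT_VERSION.test(version)) {
    throw new Error(`packageManager must pin an exact version, got "${field}"`);
  }
  if (integrity !== undefined && !INTEGRITY.test(integrity)) {
    throw new Error(`packageManager has a malformed integrity suffix: "${field}"`);
  }
  // spec is what an installer step would be given instead of pnpm@latest.
  return { version, integrity: integrity ?? null, spec: `pnpm@${version}` };
}

// Constructed sample manifests: one pinned, the rest are cases a build should reject.
const samples = [
  '{"packageManager":"pnpm@9.12.3+sha512.0a1b2c"}',
  '{"packageManager":"pnpm@latest"}',
  '{"packageManager":"npm@10.8.1"}',
  '{"name":"no-field"}',
];
for (const text of samples) {
  try {
    console.log("ok  ", resolvePinnedPnpm(text).spec);
  } catch (err) {
    console.log("fail", err.message);
  }
}
```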
@erezrokah erezrokah force-pushed the claude/pnpm-hardening branch from 45e76f2 to 5b60090 Compare April 12, 2026 12:58
@erezrokah erezrokah changed the title from "chore: Harden pnpm usage in CI and Docker builds" to "chore: Harden pnpm usage in release workflow" Apr 15, 2026
@erezrokah erezrokah requested a review from penalosa April 15, 2026 16:21