chore: migrate to pnpm and enable minimum release age #616
Open
Migrates from npm workspaces to pnpm workspaces and adds a 1-day minimum release age supply-chain guard at the package-manager layer (pnpm-workspace.yaml) and at the Renovate layer. Internal `@apify/*` and `@crawlee/*` packages are whitelisted at both layers for immediate updates.

Notable changes:
- package.json: drop "workspaces" (moved to pnpm-workspace.yaml); set packageManager to [email protected]; add rimraf as explicit devDep (was previously relying on npm transitive hoisting)
- lerna.json: npmClient: "pnpm"
- .npmrc: node-linker=hoisted (flat node_modules layout)
- packages/*/package.json scripts: "npm run X" -> "pnpm X"
- CI workflows: add pnpm/action-setup, use pnpm install --frozen-lockfile and pnpm/pnpm exec in place of npm/npx; drop Node 16 from matrix (pnpm 10 requires Node 18+)
- renovate.json: minimumReleaseAge "1 day", internalChecksFilter "strict", @apify/* and @crawlee/* whitelist; drop npm constraint
- Docs: CONTRIBUTING.md and CLAUDE.md updated for pnpm commands

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Adopts the caching pattern from apify/apify-cli#1068: a reusable composite action at .github/actions/pnpm-install that handles pnpm setup, pnpm store caching (keyed by year-month + lockfile hash), and the install. Workflows now delegate their install step to `uses: ./.github/actions/pnpm-install` instead of inlining each piece. setup-node remains in workflows (without the cache: pnpm parameter, since caching is handled inside the composite).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replaces the local .github/actions/pnpm-install composite copy with the shared one from apify/workflows@main. Identical behavior, less duplication.
…m release-age gate
Silences npm warnings about unknown options like node-linker; pnpm reads the same keys from pnpm-workspace.yaml in camelCase form.
Block accidental npm/yarn install — npm 10.5+ and pnpm 10.x both honor devEngines.packageManager and refuse to run when it doesn't match.
…-workspace exclusions Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
devEngines.packageManager breaks pnpm commands that delegate to npm (pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow approach instead (same as Vite, Vue, Astro).
Summary
Pilot of the org-wide supply-chain hardening + pnpm migration plan (first of ~14 repos). This PR migrates `apify-shared-js` from npm workspaces to pnpm workspaces and adds a 1-day minimum release age guard at two layers so newly-published package versions cannot be installed for 24h after they hit the registry.

- `minimumReleaseAge: 1440` in `pnpm-workspace.yaml` blocks `pnpm install` on versions < 1 day old
- `minimumReleaseAge: "1 day"` delays PR creation until the version has aged
- `@apify/*` and `@crawlee/*` are excluded at both layers so internal releases ship immediately

Changes

- `package.json`: drop `"workspaces"` (moved to `pnpm-workspace.yaml`); set `packageManager` to [email protected]; add `rimraf` as explicit devDep (was previously relying on npm transitive hoisting — pnpm's hoisted linker does not link undeclared transitive bins)
- `lerna.json`: `npmClient: "pnpm"` so `lerna run ...` invokes pnpm
- `.npmrc`: `node-linker=hoisted` — keeps flat `node_modules` for the same debugging ergonomics as npm
- `packages/*/package.json` scripts: `npm run X` → `pnpm X`
- `.github/actions/pnpm-install` composite with pnpm-store caching (keyed by year-month + lockfile hash); workflows delegate install to `uses: ./.github/actions/pnpm-install`. Node matrix: drop 16 (pnpm 10 needs Node ≥ 18), add 24 to cover current LTS
- `renovate.json`: `minimumReleaseAge: "1 day"`, `internalChecksFilter: "strict"`, whitelist `packageRule` for `@apify/*` and `@crawlee/*`; drop old npm constraint
- `CONTRIBUTING.md` + `CLAUDE.md`: updated command examples

Opened as draft — pilot for the remaining ~13 repos in the same migration.
🤖 Generated with Claude Code
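
The allow/block decision that a release-age gate makes, as an added sketch (not code from this PR, pnpm or Renovate) using the 1440-minute threshold and the `@apify/*` / `@crawlee/*` exclusions described above. Package names, versions and timestamps are constructed; blocking on a missing publish time and allowing a version that is exactly 1440 minutes old are assumptions of this sketch.

```javascript
// Added example: the allow/block decision behind a minimum-release-age gate.
const MIN_RELEASE_AGE_MINUTES = 1440;        // threshold from the PR description
const EXCLUDE = ['@apify/*', '@crawlee/*'];  // scopes the PR exempts at both layers

// Constructed sample: package -> version -> publish time (same shape as the
// `time` map in npm registry metadata). Names and dates are made up.
const SAMPLE_TIMES = {
  'example-lib': {
    '2.3.0': '2025-01-08T00:00:00.000Z',
    '2.3.1': '2025-01-09T18:00:00.000Z',
  },
  '@apify/example-pkg': { '1.0.0': '2025-01-09T23:30:00.000Z' },
};

// Supports exact names and trailing "scope/*" patterns only (sketch assumption).
function isExcluded(name, patterns = EXCLUDE) {
  return patterns.some((p) =>
    (p.endsWith('/*') ? name.startsWith(p.slice(0, -1)) : name === p));
}

function checkRelease(name, version, publishedIso, nowMs, minMinutes = MIN_RELEASE_AGE_MINUTES) {
  if (isExcluded(name)) return { name, version, allowed: true, reason: 'excluded' };
  const publishedMs = Date.parse(publishedIso);
  // Fail closed: a missing, unparsable or future timestamp never passes the gate.
  if (Number.isNaN(publishedMs) || publishedMs > nowMs) {
    return { name, version, allowed: false, reason: 'unknown-publish-time' };
  }
  const ageMinutes = Math.floor((nowMs - publishedMs) / 60000);
  return ageMinutes >= minMinutes
    ? { name, version, allowed: true, reason: 'aged', ageMinutes }
    : { name, version, allowed: false, reason: 'too-new', ageMinutes };
}

// Audit a resolved dependency list (e.g. extracted from a lockfile) in one pass.
function auditResolved(resolved, times, nowMs) {
  return resolved.map(({ name, version }) =>
    checkRelease(name, version, times[name]?.[version], nowMs));
}

const NOW = Date.parse('2025-01-10T00:00:00.000Z'); // fixed clock for the sample
const report = auditResolved([
  { name: 'example-lib', version: '2.3.0' },
  { name: 'example-lib', version: '2.3.1' },
  { name: '@apify/example-pkg', version: '1.0.0' },
  { name: 'unlisted-lib', version: '0.0.1' },
], SAMPLE_TIMES, NOW);
console.log(report.filter((r) => !r.allowed));
```

The excluded scope passes even though its sample version is 30 minutes old, which is the trade-off the exclusion accepts: packages in those scopes get no cooling-off period.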