
[codex] Migrate to pnpm and unify the release waiting period at 7 days #771

Merged
amyu merged 1 commit into main from codex/pnpm-minimum-release-age
Jun 29, 2026

@amyu amyu commented Jun 29, 2026

Owner

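Summary

  • Migrate from npm to pnpm, adding pnpm-lock.yaml and packageManager
  • Set pnpm's minimumReleaseAge to 7 days
  • Unify Renovate's minimumReleaseAge to 7 days across the board as well
  • Update the CI install / lint / dist check to pnpm
  • Declare @actions/exec explicitly as a direct dependency to match pnpm's strict dependency resolution
  • Regenerate dist/ for the GitHub Action

Purpose

To reduce the risk of supply-chain attacks, align pnpm's supply-chain policy with Renovate's update waiting period.

Conflict resolution

  • Rebase onto the latest main
  • Pull in the @actions/cache@6.1.0 update from main
  • Delete package-lock.json and regenerate pnpm-lock.yaml
  • Regenerate dist/ with pnpm

Verification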

  • pnpm config get minimumReleaseAge --location project -> 10080
  • CI=true pnpm install
  • pnpm run all
  • git diff --check

@amyu amyu force-pushed the codex/pnpm-minimum-release-age branch from 68dcdd3 to 51ee9e0 Compare June 29, 2026 13:38
@amyu amyu force-pushed the codex/pnpm-minimum-release-age branch from 51ee9e0 to 2a1c201 Compare June 29, 2026 13:43
@amyu amyu marked this pull request as ready for review June 29, 2026 13:44
@amyu amyu merged commit 1e45a81 into main Jun 29, 2026
37 checks passed
@amyu amyu deleted the codex/pnpm-minimum-release-age branch June 29, 2026 13:51
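
The waiting period this PR configures, modelled as an added example (not code from this repository, pnpm or Renovate): pnpm takes `minimumReleaseAge` in minutes and Renovate takes a duration string, so the first check confirms that 10080 and "7 days" agree, and the second shows which versions a 7-day cooldown holds back. The function names, version numbers and timestamps are constructed for illustration.

```javascript
// Added example: a model of the cooldown policy, not pnpm's or Renovate's implementation.
const UNIT_MINUTES = { minute: 1, hour: 60, day: 1440, week: 10080 };

// Convert a Renovate-style duration string ("7 days") to minutes; reject anything else.
function durationToMinutes(text) {
  const m = /^(\d+)\s*(minute|hour|day|week)s?$/i.exec(String(text).trim());
  if (!m) throw new Error(`unsupported duration: ${text}`);
  return Number(m[1]) * UNIT_MINUTES[m[2].toLowerCase()];
}

// True when the pnpm value (minutes) and the Renovate value (duration) enforce the same wait.
function policiesAligned(pnpmMinutes, renovateDuration) {
  return Number(pnpmMinutes) === durationToMinutes(renovateDuration);
}

// Split versions into those old enough to install and those still inside the cooldown.
// `times` maps version -> ISO publish timestamp (assumed input shape).
function applyCooldown(times, minAgeMinutes, now) {
  const cutoff = now.getTime() - minAgeMinutes * 60000;
  const allowed = [];
  const held = [];
  for (const [version, iso] of Object.entries(times)) {
    const published = Date.parse(iso);
    // Fail closed: a missing or unparseable publish time is treated as too new.
    if (Number.isNaN(published) || published > cutoff) held.push(version);
    else allowed.push(version);
  }
  return { allowed, held };
}

// Constructed sample data for a hypothetical package; not real registry output.
const sampleTimes = {
  "1.0.0": "2026-05-01T09:00:00.000Z",
  "1.1.0": "2026-06-20T09:00:00.000Z", // 9 days old at sampleNow
  "1.1.1": "2026-06-27T09:00:00.000Z", // 2 days old at sampleNow
  "1.2.0": "not-a-date",
};
const sampleNow = new Date("2026-06-29T09:00:00.000Z");

console.log("aligned:", policiesAligned(10080, "7 days"));
console.log(applyCooldown(sampleTimes, 10080, sampleNow));
```

A mismatch between the two settings means Renovate can propose an update that a fresh `pnpm install` would still refuse, or the reverse, which is why the PR sets both to the same value.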

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2a1c201608

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread package.json
"description": "setup-android for self hosted runner",
"type": "module",
"main": "dist/setup/index.js",
"packageManager": "pnpm@11.7.0",

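Review bot: the `packageManager` line at the end of this hunk pins `pnpm@11.7.0` by version only. Corepack accepts a hash suffix in this field (`pnpm@<version>+sha512.<hex>`) and checks the downloaded package manager against it; since the stated goal of this PR is supply-chain hardening, consider pinning the hash as well so the pnpm release itself is verified before it runs.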

[P1] Migrate the patch-package patch before using pnpm

On a fresh CI install this switch to pnpm still leaves postinstall: patch-package and patches/@actions+cache+6.1.0.patch in place, but patch-package v8 only auto-applies patches for npm/yarn lockfiles and recommends pnpm's native patch support instead. Since this commit deletes package-lock.json, pnpm install will run the postinstall with no supported lockfile, causing the new lint/check-dist installs to fail before any build steps (or leaving the @actions/cache patch unapplied if bypassed). Please migrate the existing patch to pnpm patchedDependencies before removing the npm lockfile.

Useful? React with 👍 / 👎.
