[codex] Migrate to pnpm and unify the release wait at 7 days #771
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2a1c201608
| "description": "setup-android for self hosted runner", | ||
| "type": "module", | ||
| "main": "dist/setup/index.js", | ||
| "packageManager": "pnpm@11.7.0", |
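Review bot: on the "packageManager" line, pnpm is pinned by version number only. Corepack also accepts an integrity hash suffix on this field, in the form pnpm@<version>+sha512.<hash>, which lets the downloaded package manager itself be verified; that fits a change whose stated purpose is supply-chain hardening.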
Migrate the patch-package patch before using pnpm
On a fresh CI install this switch to pnpm still leaves postinstall: patch-package and patches/@actions+cache+6.1.0.patch in place, but patch-package v8 only auto-applies patches for npm/yarn lockfiles and recommends pnpm's native patch support instead. Since this commit deletes package-lock.json, pnpm install will run the postinstall with no supported lockfile, causing the new lint/check-dist installs to fail before any build steps (or leaving the @actions/cache patch unapplied if bypassed). Please migrate the existing patch to pnpm patchedDependencies before removing the npm lockfile.
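Overview
- Add pnpm-lock.yaml and packageManager
- Set minimumReleaseAge to 7 days
- Unify minimumReleaseAge at 7 days everywhere as well
- Declare @actions/exec explicitly as a direct dependency
- Regenerate dist/
Purpose
To reduce the risk of supply-chain attacks, align pnpm's supply-chain policy with Renovate's update waiting period.
Conflict resolution
- Rebased onto main
- Took in the @actions/cache@6.1.0 update from main
- Deleted package-lock.json and regenerated pnpm-lock.yaml
- Regenerated dist/ with pnpm
Verification
- pnpm config get minimumReleaseAge --location project -> 10080
- CI=true pnpm install
- pnpm run all
- git diff --check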
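The description above aligns pnpm's release wait (10080 minutes) with Renovate's. As an added example that is not part of this PR or the repository, the check below compares the two settings, including any Renovate packageRules override. It assumes pnpm's value sits in pnpm-workspace.yaml as minutes and Renovate's as a duration string such as "7 days"; all function names and sample inputs are hypothetical.

```javascript
// Added example, not code from the PR. Assumed file shapes:
//   pnpm-workspace.yaml -> "minimumReleaseAge: <minutes>"
//   Renovate config     -> minimumReleaseAge: "<n> <unit>" (top level or packageRules)
const UNIT_MINUTES = { minute: 1, hour: 60, day: 1440, week: 10080 };

// Convert a duration such as "7 days" to minutes (simplified parser, assumption).
function durationToMinutes(text) {
  const m = /^\s*(\d+)\s*(minute|hour|day|week)s?\s*$/i.exec(String(text));
  if (!m) throw new Error(`unsupported duration: ${text}`);
  return Number(m[1]) * UNIT_MINUTES[m[2].toLowerCase()];
}

// Read a top-level integer minimumReleaseAge from YAML text without a YAML library.
function pnpmReleaseAge(yamlText) {
  const m = /^minimumReleaseAge:\s*(\d+)\s*(#.*)?$/m.exec(yamlText);
  return m ? Number(m[1]) : null;
}

// Collect every minimumReleaseAge in a Renovate config object.
function renovateReleaseAges(config) {
  const found = [];
  if (config.minimumReleaseAge !== undefined) {
    found.push({ where: "top level", value: config.minimumReleaseAge });
  }
  (config.packageRules || []).forEach((rule, i) => {
    if (rule.minimumReleaseAge !== undefined) {
      found.push({ where: `packageRules[${i}]`, value: rule.minimumReleaseAge });
    }
  });
  return found;
}

// Return a list of mismatches; an empty list means both policies agree.
function checkReleaseAge(workspaceYaml, renovateConfig) {
  const pnpmMinutes = pnpmReleaseAge(workspaceYaml);
  if (pnpmMinutes === null) return ["pnpm: minimumReleaseAge is not set"];
  const ages = renovateReleaseAges(renovateConfig);
  if (ages.length === 0) return ["renovate: minimumReleaseAge is not set"];
  return ages
    .filter((a) => durationToMinutes(a.value) !== pnpmMinutes)
    .map((a) => `renovate ${a.where}: "${a.value}" != pnpm ${pnpmMinutes} minutes`);
}

// Constructed sample inputs: one package rule still uses a shorter wait.
const sampleWorkspace = "minimumReleaseAge: 10080\n";
const sampleRenovate = {
  minimumReleaseAge: "7 days",
  packageRules: [{ matchPackageNames: ["@actions/cache"], minimumReleaseAge: "3 days" }],
};
console.log(checkReleaseAge(sampleWorkspace, sampleRenovate));
```

A CI step could fail the build whenever the returned list is non-empty, so a later rule with a shorter wait does not quietly undo the 7-day policy.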