chore: sync with upstream pnpm/action-setup v4.2.0 (#5)

* Fix multiline run_install example in README.md (pnpm#167)

* Remove --frozen-lockfile from examples (pnpm#171)

* feat: support installation from custom NPM registry (pnpm#179)

copy .npmrc from GitHub workspace if it exists so that PNPM respects custom
registry configurations when self-installing

* Update README.md (pnpm#175)

fix the string run_install example

* Remove unused `@types/node-fetch` dependency (pnpm#186)

* Clarify that package_json_file is relative to GITHUB_WORKSPACE (pnpm#184)

* Clarify that package_json_file is relative to GITHUB_WORKSPACE

Clarify the description for package_json_file parameter to specify that the path must be relative to the repository root.

* Apply suggestion from @zkochan

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>

* feat: store caching (pnpm#188)

* add pnpm store caching

* style: format

* no semicolons
* no star imports
* import order

* style: no star imports

---------

Co-authored-by: khai96_ <hvksmr1996@gmail.com>

* refactor: remove star imports (pnpm#196)

* fix(ci): exclude macos (pnpm#197)

* ci: pin github actions (pnpm#199)

* fix: regenerate lockfile to match package.json overrides

* fix(security): override fast-xml-parser to >=5.3.4

Resolves GHSA-37qj-frw5-hhjh (RangeError DoS via numeric entities)
in transitive dependency @actions/cache > @azure/storage-blob >
@azure/core-xml > fast-xml-parser.

* fix: resolve lint, build, and security audit failures

- Fix prefer-const lint error in cache-restore/run.ts
- Override undici to >=6.23.0 (GHSA-g9mf-h72j-4rw9)
- Rebuild dist to match source changes

* fix(ci): exclude dist from CodeQL analysis

dist/index.js is generated by ncc bundling — CodeQL flags dependency
code as security issues. Ignore the dist directory since it's not
source code.

---------

Co-authored-by: Matthias <matthias.dailey@gmail.com>
Co-authored-by: Adrian Riedel <Eynorey@users.noreply.github.com>
Co-authored-by: Roman Usherenko <roman.usherenko@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Chris Martin <ch.martin@gmail.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
Co-authored-by: Jeremiasz Major <jrh.mjr@gmail.com>
Co-authored-by: khai96_ <hvksmr1996@gmail.com>
Co-authored-by: Boosted-Bonobo <boostedbonobo1@outlook.com>

Author: 10 people

.github/workflows/security.yml

@@ -37,6 +37,9 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: javascript
+          config: |
+            paths-ignore:
+              - dist
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3

.github/workflows/test.yaml

@@ -22,7 +22,7 @@ jobs:
           - windows-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
@@ -51,7 +51,7 @@ jobs:
           - windows-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
@@ -74,16 +74,16 @@ jobs:
       fail-fast: false
       matrix:
         os:
+          # macos is excluded from this test because node 12 is no longer available on this platform
           - ubuntu-latest
-          - macos-latest
           - windows-latest
 
         standalone:
           - true
           - false
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
@@ -92,7 +92,7 @@ jobs:
           standalone: ${{ matrix.standalone }}
 
       - name: install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           # Use Node.js 16 - has ARM64 support and works with pnpm standalone tests
           node-version: 16
@@ -160,7 +160,7 @@ jobs:
                 - yarn
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./

CLAUDE.md

@@ -0,0 +1,7 @@
+# Claude Code Project Configuration
+
+## Git Conventions
+
+- Do NOT add `Co-Authored-By` lines to commit messages
+- Do NOT add "Generated with Claude Code" to PR descriptions
+- Keep commit messages concise and conventional-commit style

README.md

@@ -40,7 +40,15 @@ If `run_install` is a YAML string representation of either an object or an array
 
 #### `run_install.args`
 
-**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--frozen-lockfile, --strict-peer-dependencies]`.
+**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--ignore-scripts, --strict-peer-dependencies]`.
+
+### `cache`
+
+**Optional** (_type:_ `boolean`, _default:_ `false`) Whether to cache the pnpm store directory.
+
+### `cache_dependency_path`
+
+**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
 
 ### `package_json_file`
 
@@ -119,7 +127,7 @@ jobs:
           version: 10
           run_install: |
             - recursive: true
-              args: [--frozen-lockfile, --strict-peer-dependencies]
+              args: [--strict-peer-dependencies]
             - args: [--global, gulp, prettier, typescript]
 ```
 
@@ -142,13 +150,7 @@ jobs:
         name: Install pnpm
         with:
           version: 10
-          run_install: false
-
-      - name: Install Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'pnpm'
+          cache: true
 
       - name: Install dependencies
         run: pnpm install

action.yml

@@ -15,8 +15,16 @@ inputs:
     description: If specified, run `pnpm install`
     required: false
     default: 'null'
+  cache:
+    description: Whether to cache the pnpm store directory
+    required: false
+    default: 'false'
+  cache_dependency_path:
+    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
+    required: false
+    default: 'pnpm-lock.yaml'
   package_json_file:
-    description: File path to the package.json to read "packageManager" configuration
+    description: File path to the package.json to read "packageManager" configuration. This path must be relative to the repository root (GITHUB_WORKSPACE).
     required: false
     default: 'package.json'
   standalone:

dist/index.js

@@ -5,7 +5,9 @@
   },
   "pnpm": {
     "overrides": {
-      "form-data": ">=4.0.4"
+      "form-data": ">=4.0.4",
+      "fast-xml-parser": ">=5.3.4",
+      "undici": ">=6.23.0"
     }
   },
   "scripts": {
@@ -18,10 +20,12 @@
     "check": "pnpm lint && pnpm typecheck"
   },
   "dependencies": {
+    "@actions/cache": "^4.1.0",
     "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "@actions/glob": "^0.5.0",
     "@types/expand-tilde": "^2.0.2",
     "@types/node": "^20.11.5",
-    "@types/node-fetch": "^2.6.11",
     "expand-tilde": "^2.0.2",
     "yaml": "^2.3.4",
     "zod": "^3.22.4"