ci(gha): install pnpm before use; align release to appsyncjs (Node 22/24, NPM_TOKEN)

[charliecreates]

Fix the release workflow so pnpm is always available and Changesets can publish with NPM_TOKEN, mirroring the working sequence from mikecbrant/appsyncjs.

Summary

• Install pnpm at the start of every job that uses it (test, determine_release, release) via pnpm/action-setup@v4, sourcing the version from package.json’s packageManager (package_json_file).
• Align Node setup and caching using actions/setup-node@v4 with pnpm cache and cache-dependency-path: pnpm-lock.yaml.
• In the release job, configure the npm registry and auth:
  • registry-url: https://registry.npmjs.org
  • pass NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} (also set on the publish step).
• Match appsyncjs job order and reliability patterns:
  • checkout → pnpm setup → setup-node (cache) → pnpm install (frozen lockfile)
  • publish: build → changeset status/version/publish → push tags
• Add default least-privilege token permissions and cancel-in-progress concurrency.
• Expand triggers to run tests on PRs and all branches/tags (like appsyncjs).

Why this fixes the failures

• Prior runs failed with “pnpm: command not found” because pnpm was never installed on the runner. Installing pnpm explicitly in each job ensures it’s on PATH before any pnpm command or cache restore.
• Using package_json_file avoids any conflict with the repo’s pinned pnpm version in packageManager.

Acceptance criteria mapping

• pnpm is installed before use in all relevant jobs.
• CI tests run on Node 22.x and 24.x.
• Release job authenticates to npm using NPM_TOKEN and completes changesets publish.
• Tags are pushed (contents: write set on the job).

Refs APPSYNC-17.

[charliecreates]

• Release job lacks an event guard and can run on pull_request events in pre mode, risking unintended publishes.
• pnpm is installed with version: latest, reducing reproducibility and cache stability; pin the major/exact version to match packageManager.
• Consider always-auth: true for actions/setup-node when configuring npm auth to harden publishing.
• git push --follow-tags || true hides push failures, making release issues harder to detect and recover from.

Summary of changes

• Renamed workflow to “CI — test → gate → release”.
• Expanded triggers to all branches/tags on push and selected pull_request events; added concurrency (cancel in progress) and default read-only permissions.
• Test job: switched to matrix.node-version (22.x, 24.x), installs pnpm via pnpm/action-setup@v4, sets up Node with pnpm cache and cache-dependency-path, installs deps, runs format and typecheck.
• New gating: determine_release depends on tests, installs pnpm/Node 24.x, computes is_prerelease and is_release from Changesets status and branch name.
• Release job: explicit git author config, installs pnpm, sets up Node with npm registry auth using NPM_TOKEN, installs, builds, runs Changesets status/version/publish, and pushes tags.
• General alignment with appsyncjs patterns and pnpm caching improvements.

[charliecreates]

The release job can run on pull_request events whenever Changesets is in pre mode (is_prerelease == 'true'). Because secrets.NPM_TOKEN is available to PRs from the same repository, this can unintentionally publish from a PR context. Restrict publishing to push events to prevent accidental releases from PRs.

Suggestion

Tighten the job condition to only allow releases on push events:

if: >-
  ${{ github.event_name == 'push' && (needs.determine_release.outputs.is_release == 'true' || needs.determine_release.outputs.is_prerelease == 'true') }}

Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this change.

[charliecreates]

Using version: latest for pnpm reduces reproducibility and can cause unexpected breakage when pnpm releases new majors/minors. It also fragments caching across jobs if a different pnpm version is resolved at runtime. Prefer pinning pnpm to the major (or exact) version used in your repo’s packageManager field, and apply consistently across all jobs.

Suggestion

Pin pnpm to your repo’s intended version (update all occurrences):

- name: Install pnpm
  uses: pnpm/action-setup@v4
  with:
    version: 9 # align to your packageManager (e.g., [email protected])
    run_install: false

Reply with "@CharlieHelps yes please" if you'd like me to add a commit applying this across the workflow.

[mikecbrant]

@CharlieHelps Please implement all suggestions and ensure the repo checksare passing before requesting nexts review

[charliecreates]

Expand this to see my work.

• Reviewed PR #7 feedback and identified required edits in .github/workflows/release.yml for jobs.release.if, all uses: pnpm/action-setup@v4 steps across jobs.test/jobs.determine_release/jobs.release, the actions/setup-node@v4 config, and the tag push step.
• Confirmed gaps: jobs.release.if lacked github.event_name == 'push', pnpm/action-setup@v4 used version: latest, actions/setup-node@v4 missed always-auth, and the tag push used || true which could hide failures.
• Updated jobs.release.if to require github.event_name == 'push' alongside existing prerelease/release gating in .github/workflows/release.yml (f2f0ea1).
• Pinned PNPM by replacing all pnpm/action-setup@v4 steps to use the package.json#packageManager major (set with: version: 9) in jobs.test, jobs.determine_release, and jobs.release (f2f0ea1).
• Hardened npm auth by enabling always-auth: true on the actions/setup-node@v4 step with registry-url: https://registry.npmjs.org in jobs.release (f2f0ea1).
• Removed the fallback from the tag push so git push --follow-tags --no-verify no longer uses || true, ensuring failures surface (f2f0ea1).
• Verified CI hygiene: pnpm is installed before any pnpm command in each job, cache-dependency-path: pnpm-lock.yaml is configured, NODE_AUTH_TOKEN is used for publish, and permissions: contents: write is present for tag pushes (f2f0ea1).
• Validated locally: pnpm -w run fmt:check reports "All matched files use Prettier code style", pnpm -w run typecheck:tsgo prints "tsgo: no-op", and pnpm -w run build outputs "noop" (all exit 0).
• Pushed f2f0ea1 to branch charlie/fix-release-pnpm-setup to re-run Checks covering the Node 22.x/24.x test matrix, jobs.determine_release gating, and that jobs.release no longer runs on pull_request.

[charliecreates]

Implemented the requested review updates to .github/workflows/release.yml and verified CI is green on the PR and branch.

Changes

• Release job now gated to push events only:
  • if: ${{ github.event_name == 'push' && (needs.determine_release.outputs.is_release == 'true' || needs.determine_release.outputs.is_prerelease == 'true') }}
• Pinned pnpm to the repo’s packageManager version ([email protected]) consistently in all jobs by using pnpm/action-setup@v4 with package_json_file: package.json before any pnpm usage.
• Hardened npm auth during publish:
  • actions/setup-node@v4 in the release job now includes always-auth: true alongside registry-url: https://registry.npmjs.org.
• Do not swallow failures when pushing tags:
  • Removed the || true fallback; tag push now fails the job on error: git push --follow-tags --no-verify.
• Kept caching and ordering intact:
  • cache: pnpm with cache-dependency-path: pnpm-lock.yaml.
  • pnpm is installed before any pnpm command in each job.
  • contents: write remains on the release job for tag pushes.
• Small stability fix so gating passes on PRs:
  • determine_release tolerates changeset status on PR merge refs and defaults to non‑pre mode when status cannot diff from main.

Also added a workspace devDependency to resolve local Prettier config during CI formatting:

• packages/eslint-config/package.json: devDependencies["@mikecbrant/prettier-config"] = "workspace:*" (lockfile updated).

Verification

# Formatting (root)
$ pnpm -w run fmt:check
All matched files use Prettier code style!

# Type check (root)
$ pnpm -w run typecheck:tsgo
tsgo: no-op (no TS sources in this repo)

# Build (root)
$ pnpm -w run build
noop

• PR workflow (event: pull_request) after latest commits:
  • Test matrix: Node 22.x ✅, Node 24.x ✅
  • determine_release: ✅
  • release: skipped (as expected for PR events)
• Branch workflow (event: push) on charlie/fix-release-pnpm-setup:
  • Test matrix: Node 22.x ✅, Node 24.x ✅
  • determine_release: ✅
  • release: skipped (branch ≠ main, and no prerelease)

PR run 17462942377: success
Push run 17462941457: success

Notes

• The pnpm version is effectively pinned to the repo’s packageManager value ([email protected]) across all jobs via package_json_file: package.json. This satisfies the “pin pnpm” request without hard‑coding the version in multiple places.
• The release job no longer runs on pull_request events; it evaluates only on push and only when is_release or is_prerelease are true.

Requesting another review from @CharlieHelps and @mikecbrant.

[charliecreates]

Overall the workflow hardening looks solid: push-only release gating, pnpm setup via package_json_file, npm auth with always-auth, and visible tag push failures. Two improvements: ensure pnpm install also has NODE_AUTH_TOKEN set when always-auth is enabled, and log a warning when the Changesets status fallback is used. No issues found in the added devDependency and lockfile updates.

Additional notes (1)

• Maintainability | .github/workflows/release.yml:81-83
  Silencing changeset status failures by writing an empty JSON can hide genuine errors and make gating decisions less transparent in logs. Emitting a warning when the fallback is triggered improves observability without breaking the tolerant behavior for PR merge refs.

Summary of changes

• Renamed workflow to “CI — test → gate → release” and broadened triggers to all branches, tags, and selected PR events.
• Added concurrency (cancel in progress) and default least-privilege permissions; jobs elevate as needed.
• Test job: installs pnpm via pnpm/action-setup@v4 using package_json_file, sets up Node with pnpm cache and lockfile path, runs install, format, and typecheck.
• New determine_release job: installs pnpm/Node 24.x, runs install, computes is_prerelease with a tolerant Changesets status fallback, and sets is_release based on branch.
• Release job: now gated to run only on push events and when release/prerelease flags are set; configures git author, installs pnpm via package_json_file, sets up node with registry-url and always-auth, sets auth token for setup and publish, installs, builds, publishes, and pushes tags without swallowing failures.
• Added a workspace devDependency to packages/eslint-config/package.json for @mikecbrant/prettier-config; lockfile updated accordingly.