pnpm-upgrade

pnpm Upgrade

Use these steps to update pnpm and CI pins without blunt search/replace.

Steps (run from repo root)

Update pnpm locally

Try pnpm self-update ; if pnpm is missing or self-update fails, run corepack prepare pnpm@latest --activate .
Capture the resulting version as PNPM_VERSION=$(pnpm -v) .

Align package.json

Open package.json and set packageManager to pnpm@${PNPM_VERSION} (preserve trailing newline and formatting).

Find latest pnpm/action-setup tag

Query GitHub API: curl -fsSL https://api.github.com/repos/pnpm/action-setup/releases/latest | jq -r .tag_name .
Use GITHUB_TOKEN /GH_TOKEN if available for higher rate limits.
Store as ACTION_TAG (e.g., v4.2.0 ). Abort if missing.

Resolve the action tag to an immutable commit SHA

Run git ls-remote https://github.com/pnpm/action-setup "refs/tags/${ACTION_TAG}^{}" and capture the SHA as ACTION_SHA .
If the dereferenced tag is missing, fall back to git ls-remote https://github.com/pnpm/action-setup "refs/tags/${ACTION_TAG}" .
Abort if ACTION_SHA is empty.

Update workflows carefully (no broad regex)

Files: everything under .github/workflows/ that uses pnpm/action-setup .
For each file, edit by hand:
Set uses: pnpm/action-setup@${ACTION_SHA} .
If a with: version: field exists, set it to ${PNPM_VERSION} (keep quoting style/indent).
Do not touch unrelated steps. Avoid multiline sed/perl one-liners.

Verify

Follow-up

If runtime code/build/test config was changed (not typical here), run $code-change-verification ; otherwise, a light check is enough.
Commit with chore: upgrade pnpm toolchain and open a PR (automation may do this).

Notes

Tools needed: curl , jq , node , pnpm /corepack . Install if missing.
Keep edits minimal and readable—prefer explicit file edits over global replacements.
GitHub Actions must stay pinned to commit SHAs, not tags. Use the latest release tag only to discover the commit SHA to pin.
If GitHub API is rate-limited, retry with a token or bail out rather than guessing the tag.

Source Transparency