Skip to content

⬆️ update GitHub Actions#14

Open
renovate[bot] wants to merge 1 commit into
mainfrom
chore/renovate-github-actions
Open

⬆️ update GitHub Actions#14
renovate[bot] wants to merge 1 commit into
mainfrom
chore/renovate-github-actions

Conversation

@renovate

@renovate renovate Bot commented Feb 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Age Confidence
Spillgebees/admin (changelog) action digest a71d815e75cced
pnpm (source) uses-with minor 10.30.010.34.4 age confidence
pnpm/action-setup (changelog) action digest 41ff726b906aff

Release Notes

pnpm/pnpm (pnpm)

v10.34.4

Compare Source

v10.34.3

Compare Source

v10.34.2

Compare Source

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

  • Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
  • Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
  • Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

  • Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

    A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

  • Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.3

Compare Source

v10.33.2

Compare Source

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes
  • When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.
Platinum Sponsors
Bit
Gold Sponsors
Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.33.0

Compare Source

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.0: pnpm 10.32

Compare Source

Minor Changes

  • Added --all flag to pnpm approve-builds that approves all pending builds without interactive prompts #​10136.

Patch Changes

  • Reverted change related to setting explicitly the npm config file path, which caused regressions.
  • Reverted fix related to lockfile-include-tarball-url. Fixes #​10915.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.31.0

Compare Source

v10.30.3

Compare Source

v10.30.2

Compare Source

v10.30.1: pnpm 10.30.1

Compare Source

Patch Changes

  • Use the /-/npm/v1/security/audits/quick endpoint as the primary audit endpoint, falling back to /-/npm/v1/security/audits when it fails #​10649.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Workleap
Stackblitz Nx

Configuration

📅 Schedule: (in timezone Europe/Luxembourg)

  • Branch creation
    • "every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from 2e4d319 to d8b64b7 Compare February 27, 2026 00:36
@renovate renovate Bot changed the title ⬆️ update pnpm to v10.30.1 ⬆️ update pnpm to v10.30.2 Feb 27, 2026
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from d8b64b7 to 0fccb7e Compare March 1, 2026 22:01
@renovate renovate Bot changed the title ⬆️ update pnpm to v10.30.2 ⬆️ update pnpm to v10.30.3 Mar 1, 2026
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from 0fccb7e to ff92cbb Compare March 11, 2026 03:06
@renovate renovate Bot changed the title ⬆️ update pnpm to v10.30.3 ⬆️ update pnpm to v10.31.0 Mar 11, 2026
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from ff92cbb to d5f510c Compare March 11, 2026 17:50
@renovate renovate Bot changed the title ⬆️ update pnpm to v10.31.0 ⬆️ update GitHub Actions Mar 11, 2026
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 3 times, most recently from 62f0be6 to daa8d6d Compare March 14, 2026 17:58
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 2 times, most recently from cd0d797 to 659b037 Compare March 27, 2026 17:22
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 2 times, most recently from 73aa15c to 3d41f72 Compare April 26, 2026 13:01
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 2 times, most recently from 894949e to 355e211 Compare May 9, 2026 13:32
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 2 times, most recently from 2976088 to 7c2167e Compare May 31, 2026 01:10
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from 7c2167e to e159998 Compare June 11, 2026 13:17
@coderabbitai

coderabbitai Bot commented Jun 11, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

CI workflows receive dependency updates: pnpm/action-setup is repinned with version 10.34.3, and the reusable zizmor workflow is repinned to a new commit hash.

Changes

CI and Workflow Dependencies

Layer / File(s) Summary
pnpm action-setup version bump
.github/workflows/ci.yml
The pnpm/action-setup action commit hash is updated and the version input is changed to 10.34.3 in the build-and-test job.
Zizmor workflow repin
.github/workflows/zizmor.yml
The reusable Spillgebees/admin/.github/workflows/zizmor.yml workflow is repinned to a new commit hash.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • Dependency Dashboard #3: Implements pnpm version upgrade from 10.30.0 to 10.34.3 and pnpm/action-setup revision update as listed in the Renovate Dependency Dashboard.
  • Dependency Dashboard Transmodel#23: Updates to .github/workflows/zizmor.yml pinning correspond to the Spillgebees/admin reusable workflow dependency tracked in the Renovate dashboard.

Possibly related PRs

  • Spillgebees/transmodel-validator#17: Updates the reusable workflow uses pinned commit hash in .github/workflows/zizmor.yml, directly related to this PR's zizmor workflow change.

Poem

🐰 A hop through workflows, pins held tight,
From ten-thirty to ten-thirty-four, such delight!
Zizmor hops forward, admin in tow,
CI runs swift, watch the pipelines flow! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: updating GitHub Actions versions in CI workflows, which aligns with the PR objectives and all file changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/renovate-github-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 25-27: CI uses pnpm/action-setup@... with version 10.34.1 while
package.json pins pnpm@10.30.0 and Dockerfile uses corepack prepare
pnpm@10.28.2; pick a single canonical pnpm version and update the three places
to match (the pnpm/action-setup step version in .github/workflows/ci.yml, the
pnpm entry in package.json, and the corepack prepare pnpm@... invocation in
Dockerfile) so all environments use identical pnpm (e.g., set all to 10.34.1 or
to the package.json value) and commit the synchronized version strings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c0bd824f-50df-4d6c-9723-8cf8fa972245

📥 Commits

Reviewing files that changed from the base of the PR and between 0dfe5b4 and e159998.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +25 to +27
- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
with:
version: 10.30.0
version: 10.34.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all explicit pnpm version pins across repo (read-only).
set -euo pipefail

echo "== packageManager pins =="
rg -n --glob 'package.json' '"packageManager"\s*:\s*"pnpm@[^"]+"'

echo
echo "== corepack prepare pnpm pins =="
rg -n 'corepack\s+prepare\s+pnpm@[^[:space:]]+\s+--activate'

echo
echo "== workflow pnpm/action-setup version pins =="
rg -n --glob '.github/workflows/*.yml' 'pnpm/action-setup@|^\s*version:\s*[0-9]+\.[0-9]+\.[0-9]+'

Repository: Spillgebees/transmodel-validator

Length of output: 556


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== workflow pnpm/action-setup pins (paths) =="
rg -n "pnpm/action-setup@" .github/workflows -S || true

echo
echo "== workflow step 'version:' values (CI) =="
rg -n "^\s*version:\s*[0-9]+\.[0-9]+\.[0-9]+" .github/workflows/ci.yml || true

echo
echo "== full relevant block around pnpm/action-setup in ci.yml =="
rg -n -C 6 "pnpm/action-setup@" .github/workflows/ci.yml || true

Repository: Spillgebees/transmodel-validator

Length of output: 784


Align pnpm version pins across CI, package.json, and Docker to avoid install drift.

CI pins pnpm to 10.34.1 in .github/workflows/ci.yml, but the repo pins pnpm@10.30.0 in package.json and pnpm@10.28.2 via corepack prepare in Dockerfile, creating cross-environment version mismatch and potential inconsistent installs/lockfile outcomes.

      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
        with:
          version: 10.34.1
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 25 - 27, CI uses pnpm/action-setup@...
with version 10.34.1 while package.json pins pnpm@10.30.0 and Dockerfile uses
corepack prepare pnpm@10.28.2; pick a single canonical pnpm version and update
the three places to match (the pnpm/action-setup step version in
.github/workflows/ci.yml, the pnpm entry in package.json, and the corepack
prepare pnpm@... invocation in Dockerfile) so all environments use identical
pnpm (e.g., set all to 10.34.1 or to the package.json value) and commit the
synchronized version strings.

@renovate renovate Bot force-pushed the chore/renovate-github-actions branch 3 times, most recently from 31a8fac to 7a29f22 Compare June 18, 2026 23:51
@renovate renovate Bot force-pushed the chore/renovate-github-actions branch from 7a29f22 to f2eae0c Compare June 22, 2026 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants