ci: replace pnpm/action-setup with corepack (allowlist compliance)#18
The org policy on ANcpLua/Paperless only permits actions from ANcpLua-owned repos, GitHub-owned repos, or Marketplace-verified publishers. `pnpm/action-setup@v4` falls outside that allowlist and broke the post-merge CI run on main. Corepack ships with Node and provides the same shim without an external action. Pinned to pnpm@10.30.2 to match PaperlessUI.Angular/package.json's `packageManager` field and the prior workflow's `version: 10` (which floated to latest 10.x). Corepack steps run BEFORE `actions/setup-node@v4` so pnpm is on PATH when setup-node executes its `cache: pnpm` logic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Summary by CodeRabbit

Walkthrough: The CI workflow is updated to activate pnpm via Corepack at a pinned version (10.30.2) in both the Angular and React frontend build jobs, replacing the pnpm/action-setup@v4 action approach.

Changes: Frontend pnpm activation via Corepack.
Pull request overview
Replaces the disallowed pnpm/action-setup@v4 action with corepack commands in both frontend CI jobs to satisfy the repository's action allowlist policy. Pins pnpm to 10.30.2 to match the Angular project's packageManager field, and runs the corepack activation before actions/setup-node@v4 so its cache: pnpm logic can locate pnpm on PATH.
Changes:
- Replace `pnpm/action-setup@v4` with `corepack enable && corepack prepare pnpm@10.30.2 --activate` in the `frontend-angular` job.
- Apply the same replacement in the `frontend-react` job.
Pull Request Overview
While this PR correctly implements the requirement to replace pnpm/action-setup with Corepack for security compliance, it introduces a critical regression. The pnpm version 10.30.2 specified in the corepack prepare commands is non-existent (pnpm 10 currently has versions up to 10.4.x).
This discrepancy between the intended pinning and available versions will cause the CI pipeline to fail immediately during the preparation step. Although the workflow logic and ordering meet the acceptance criteria, the invalid version string must be corrected to pnpm@10 or a valid semantic version before merging.
About this PR
- The PR attempts to pin pnpm to version 10.30.2, but this version does not exist. This will lead to a 'version not found' error across all CI jobs. Please verify the intended version or use the major version tag (e.g., pnpm@10).
Test suggestions
- The `frontend-angular` job activates pnpm 10.30.2 using corepack before the setup-node step
- The `frontend-react` job activates pnpm 10.30.2 using corepack before the setup-node step
- Verify that `actions/setup-node@v4` retains its `cache: pnpm` and `cache-dependency-path` settings
| - name: Activate pnpm via corepack | ||
| run: | | ||
| corepack enable | ||
| corepack prepare pnpm@10.30.2 --activate |
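Review bot: keep `corepack prepare pnpm@10.30.2 --activate` as an exact pin rather than adopting the floating `pnpm@10` suggested in the comments. The description pins this version deliberately to match the `packageManager` field in PaperlessUI.Angular/package.json, and the Corepack shim resolves pnpm from that field when `pnpm install` runs, so the two values must agree; if 10.30.2 really were unavailable, the fix is to pin whichever exact version package.json declares, not to float the major and lose the reproducibility the PR set out to add.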
🔴 HIGH RISK
The version 10.30.2 is invalid and will cause the frontend-react job to fail. Use pnpm@10 to ensure the workflow uses a valid version from the v10 major release.
| corepack prepare pnpm@10.30.2 --activate | |
| corepack prepare pnpm@10 --activate |
| - name: Activate pnpm via corepack | ||
| run: | | ||
| corepack enable | ||
| corepack prepare pnpm@10.30.2 --activate |
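Review bot: this hunk pins the same 10.30.2 in the `frontend-react` job, but the description only cites PaperlessUI.Angular/package.json as the source of that version. Confirm the React project's package.json declares a matching `packageManager` (or none at all); otherwise the Corepack shim will pick up that field's version when `pnpm install` runs and the version activated here is bypassed.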
🔴 HIGH RISK
The version 10.30.2 is not a valid pnpm release. As of the current release cycle, pnpm 10 has not reached a '30.x' minor version. Attempting to prepare a non-existent version will cause the workflow to fail.
| corepack prepare pnpm@10.30.2 --activate | |
| corepack prepare pnpm@10 --activate |
Summary

The post-merge CI run on `main` (after #16) failed with:

This PR replaces both `pnpm/action-setup@v4` blocks in `.github/workflows/ci.yml` (`frontend-angular`, `frontend-react`) with `corepack`, which ships with Node — no external action required.

- Pinned to `pnpm@10.30.2` to match `PaperlessUI.Angular/package.json` `packageManager` and the prior workflow's `version: 10` (which floated to latest 10.x).
- Corepack steps run BEFORE `actions/setup-node@v4` so pnpm is on PATH when setup-node executes its `cache: pnpm` logic.
- `cache: pnpm` + `cache-dependency-path` retained unchanged on both jobs.
- `actionlint` clean.

Allowlist audit of remaining `uses:` (this workflow only)
- `actions/checkout@v4`
- `actions/setup-dotnet@v4`
- `actions/cache@v4`
- `actions/upload-artifact@v4`
- `actions/setup-node@v4`
- `codecov/codecov-action@v5` (… pnpm/action-setup, so already on the allowlist)

No other disallowed actions noticed in `ci.yml`. Scope kept tight per request — no other workflow files were touched.

Test plan
- Build & Test (backend) green
- Build (PaperlessUI.Angular) runs `corepack enable && corepack prepare pnpm@10.30.2 --activate`, then `setup-node@v4` with `cache: pnpm` resolves the pnpm store path, then `pnpm install` + `pnpm run build` succeed
- Build (PaperlessUI.React) same as above for the React project
- `main` no longer fails the allowlist check

🤖 Generated with Claude Code
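The reviews above disagree over whether the workflow's pin is valid; the check a maintainer actually wants is that the `corepack prepare pnpm@X --activate` pin is an exact version and equals the `packageManager` field the description says it was taken from. This is an added example, not the project's code: a POSIX shell check run over constructed package.json and workflow snippets (hypothetical paths and a constructed mismatch version), rejecting both a mismatch and a floating `pnpm@10`.

```shell
#!/bin/sh
# Added example, not part of the Paperless project: check that every
# `corepack prepare pnpm@X --activate` pin in a workflow is an exact version
# that matches the `packageManager` field of the project's package.json.
# A bare major (pnpm@10) floats, and a mismatch means the Corepack shim
# resolves a different pnpm from package.json at `pnpm install` time.
set -u

# Print the "pnpm@X.Y.Z" value from package.json, dropping any "+sha512..." suffix.
pm_from_package_json() {
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\(pnpm@[0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print every pin used in a `corepack prepare ... --activate` line of a workflow.
pins_from_workflow() {
  sed -n 's/.*corepack prepare \(pnpm@[^ ]*\) --activate.*/\1/p' "$1"
}

# Succeed only if the workflow has at least one pin, every pin is exact (x.y.z)
# and every pin equals the package.json version.
check_pins() {
  wanted=$(pm_from_package_json "$1")
  pins=$(pins_from_workflow "$2")
  [ -n "$wanted" ] && [ -n "$pins" ] || return 1
  printf '%s\n' "$pins" | while read -r pin; do
    case "$pin" in
      pnpm@[0-9]*.[0-9]*.[0-9]*) ;;
      *) echo "floating pin: $pin" >&2; exit 1 ;;
    esac
    [ "$pin" = "$wanted" ] || { echo "mismatch: $pin vs $wanted" >&2; exit 1; }
  done
}

# Constructed sample inputs (hypothetical paths; 10.4.1 is a constructed mismatch).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
PKG_JSON="$TMP/package.json"; WF_PINNED="$TMP/ci-pinned.yml"
WF_MISMATCH="$TMP/ci-mismatch.yml"; WF_FLOATING="$TMP/ci-floating.yml"
printf '{\n  "name": "ui",\n  "packageManager": "pnpm@10.30.2"\n}\n' > "$PKG_JSON"
printf '      - run: |\n          corepack enable\n          corepack prepare pnpm@10.30.2 --activate\n' > "$WF_PINNED"
printf '      - run: |\n          corepack enable\n          corepack prepare pnpm@10.4.1 --activate\n' > "$WF_MISMATCH"
printf '      - run: |\n          corepack enable\n          corepack prepare pnpm@10 --activate\n' > "$WF_FLOATING"

for wf in "$WF_PINNED" "$WF_MISMATCH" "$WF_FLOATING"; do
  if check_pins "$PKG_JSON" "$wf"; then echo "OK       $wf"; else echo "REJECTED $wf"; fi
done
```

Pointed at the real `.github/workflows/ci.yml` and each frontend's package.json, the same two functions give a pre-merge check that would have settled the disagreement in the reviews above.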