chore: rebuild bundle after reverting bootstrap pnpm to 11.0.4

The previous version of this test self-updated to pnpm 10.33.0 and expected
pnpm --version to fail under devEngines.onFail=error. But pnpm v10 only reads
the packageManager field, not devEngines, so the check never fired and the
test failed.

Switch the assertion to the contract the af8e203 scope fix actually enforces:
when an explicit version: is supplied, pnpm_config_pm_on_fail must not be
exported by the action. That's deterministic and pnpm-version-agnostic.

.github/workflows/test.yaml

@@ -1,39 +1,76 @@
 name: Test Action
 
 on:
-  - push
-  - pull_request
-  - workflow_dispatch
+  pull_request:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
 
 jobs:
-  test_default_inputs:
-    name: Test with default inputs
+  smoke:
+    # Cross-OS coverage. Exercises the bootstrap install + PATH on each platform,
+    # the version-respects-request regression (#225 / #230 — Windows PATH shadow),
+    # and the bin_dest output regression (#247). Multi-version coverage on Linux
+    # so we don't pay 3x for major-version differences.
+    name: 'Smoke (${{ matrix.name }})'
 
     runs-on: ${{ matrix.os }}
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
-          - 9.15.5
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
+        include:
+          - name: 'ubuntu / v9.15.5'
+            os: ubuntu-latest
+            version: '9.15.5'
+          - name: 'ubuntu / v10.33.0'
+            os: ubuntu-latest
+            version: '10.33.0'
+          - name: 'ubuntu / v9.15.5 / custom-dest'
+            os: ubuntu-latest
+            version: '9.15.5'
+            dest: '~/test/pnpm'
+          - name: 'macos / v9.15.5'
+            os: macos-latest
+            version: '9.15.5'
+          - name: 'windows / v9.15.5'
+            os: windows-latest
+            version: '9.15.5'
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - name: Run the action
+      - id: pnpm
+        name: Run the action
         uses: ./
         with:
-          version: 9.15.5
+          version: ${{ matrix.version }}
+          dest: ${{ matrix.dest || '~/setup-pnpm' }}
 
-      - name: 'Test: which'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: version'
-        run: pnpm --version
+      - name: 'Test: pnpm/pnpx on PATH report the requested version (incl. via bin_dest)'
+        # Pass paths via env, not template interpolation, so Windows
+        # backslashes in `bin_dest` aren't eaten by bash's escape handling.
+        env:
+          BIN_DEST: ${{ steps.pnpm.outputs.bin_dest }}
+          REQUIRED: ${{ matrix.version }}
+        run: |
+          set -e
+          which pnpm
+          which pnpx
+          actual="$(pnpm --version)"
+          echo "pnpm --version: ${actual}"
+          if [ "${actual}" != "${REQUIRED}" ]; then
+            echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+            exit 1
+          fi
+          bin_dest_version="$("$BIN_DEST/pnpm" --version)"
+          echo "bin_dest pnpm --version: ${bin_dest_version}"
+          if [ "${bin_dest_version}" != "${REQUIRED}" ]; then
+            echo "Expected ${REQUIRED} via bin_dest, but got ${bin_dest_version}"
+            exit 1
+          fi
+        shell: bash
 
       - name: 'Test: install in a fresh project'
         run: |
@@ -43,47 +80,95 @@ jobs:
           pnpm add is-odd
         shell: bash
 
-  test_dest:
-    name: Test with dest
+  manifest_pin:
+    # Folds the old test_package_manager_field, test_dev_engines, and
+    # test_dev_engines_on_fail_error jobs. The action's manifest handling is
+    # OS-independent, so ubuntu-only is sufficient.
+    name: 'Manifest pin: ${{ matrix.label }}'
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        pnpm:
-          - 9.15.5
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
+        include:
+          - label: 'packageManager pnpm@9.15.5 (#227)'
+            manifest: '{"packageManager":"pnpm@9.15.5"}'
+            version: '9.15.5'
+          - label: 'packageManager pnpm@10.33.0'
+            manifest: '{"packageManager":"pnpm@10.33.0"}'
+            version: '10.33.0'
+          - label: 'devEngines onFail=download, exact'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"download"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=download, range'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"download"}}}'
+            version: '>=9.15.0'
+          - label: 'devEngines onFail=error, exact (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            version: '9.15.5'
+          - label: 'devEngines onFail=error, range (#252)'
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":">=9.15.0","onFail":"error"}}}'
+            version: '>=9.15.0'
+          - label: 'explicit version: pnpm_config_pm_on_fail not exported'
+            # Regression guard for the af8e203 scope fix: when the user passes an
+            # explicit `version:` input, the action must NOT export
+            # pnpm_config_pm_on_fail=download, so the user's strict onFail policy
+            # is preserved. Asserted directly on the env var rather than pnpm
+            # runtime behavior — different pnpm majors read devEngines
+            # differently (v10 ignores it, v11+ honors it).
+            manifest: '{"devEngines":{"packageManager":{"name":"pnpm","version":"9.15.5","onFail":"error"}}}'
+            explicit_version: '10.33.0'
+            expect_pm_on_fail_unset: true
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
+      - name: Set up package.json
+        run: echo '${{ matrix.manifest }}' > package.json
+        shell: bash
+
       - name: Run the action
         uses: ./
         with:
-          version: 9.15.5
-          dest: ~/test/pnpm
+          version: ${{ matrix.explicit_version }}
 
-      - name: 'Test: which'
-        run: which pnpm && which pnpx
+      - name: 'Test: pnpm reports the pinned version'
+        if: ${{ !matrix.expect_pm_on_fail_unset }}
+        env:
+          REQUIRED: ${{ matrix.version }}
+        run: |
+          set -e
+          actual="$(pnpm --version)"
+          echo "pnpm version: ${actual}"
+          if [ "${REQUIRED}" = ">=9.15.0" ]; then
+            min="9.15.0"
+            if [ "$(printf '%s\n' "${min}" "${actual}" | sort -V | head -n1)" != "${min}" ]; then
+              echo "Expected pnpm version >= ${min}, but got ${actual}"
+              exit 1
+            fi
+          else
+            if [ "${actual}" != "${REQUIRED}" ]; then
+              echo "Expected pnpm version ${REQUIRED}, but got ${actual}"
+              exit 1
+            fi
+          fi
+        shell: bash
 
-      - name: 'Test: version'
-        run: pnpm --version
+      - name: 'Test: pnpm_config_pm_on_fail not exported (explicit version preserves strict policy)'
+        if: ${{ matrix.expect_pm_on_fail_unset }}
+        run: |
+          if [ -n "${pnpm_config_pm_on_fail:-}" ]; then
+            echo "Expected pnpm_config_pm_on_fail to be unset, but got: '${pnpm_config_pm_on_fail}'"
+            exit 1
+          fi
+          echo "pnpm_config_pm_on_fail is unset, as expected"
+        shell: bash
 
-  test_standalone:
-    name: Test with standalone
+  standalone:
+    name: Standalone mode
 
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-latest
-          - windows-latest
+    runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
@@ -94,84 +179,29 @@ jobs:
           version: 9.15.0
           standalone: true
 
-      - name: 'Test: which'
-        run: which pnpm
-
-      - name: 'Test: version'
-        run: pnpm --version
-
-      - name: 'Test: install in a fresh project'
+      - name: 'Test: pnpm works'
         run: |
+          set -e
+          which pnpm
+          actual="$(pnpm --version)"
+          if [ "${actual}" != "9.15.0" ]; then
+            echo "Expected 9.15.0, got ${actual}"
+            exit 1
+          fi
           mkdir /tmp/test-standalone
           cd /tmp/test-standalone
           pnpm init
           pnpm add is-odd
         shell: bash
 
-  test_dev_engines:
-    name: Test with devEngines.packageManager
+  run_install:
+    name: 'run_install (${{ matrix.run_install.name }})'
 
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     strategy:
       fail-fast: false
       matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
-        version:
-          - '9.15.5'
-          - '>=9.15.0'
-
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
-
-      - name: Set up package.json with devEngines.packageManager
-        run: echo '{"devEngines":{"packageManager":{"name":"pnpm","version":"${{ matrix.version }}","onFail":"download"}}}' > package.json
-        shell: bash
-
-      - name: Run the action
-        uses: ./
-
-      - name: 'Test: which'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: version'
-        run: |
-          set -e
-          required='${{ matrix.version }}'
-          actual="$(pnpm --version)"
-          echo "pnpm version: ${actual}"
-
-          if [ "${required}" = ">=9.15.0" ]; then
-            min="9.15.0"
-            if [ "$(printf '%s\n' "${min}" "${actual}" | sort -V | head -n1)" != "${min}" ]; then
-              echo "Expected pnpm version >= ${min}, but got ${actual}"
-              exit 1
-            fi
-          else
-            if [ "${actual}" != "${required}" ]; then
-              echo "Expected pnpm version ${required}, but got ${actual}"
-              exit 1
-            fi
-          fi
-        shell: bash
-
-  test_run_install:
-    name: 'Test with run_install (${{ matrix.run_install.name }}, ${{ matrix.os }})'
-
-    runs-on: ${{ matrix.os }}
-
-    strategy:
-      fail-fast: false
-      matrix:
-        pnpm:
-          - 9.15.5
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-latest
         run_install:
           - name: 'null'
             value: 'null'
@@ -192,8 +222,14 @@ jobs:
           version: 9.15.5
           run_install: ${{ matrix.run_install.value }}
 
-      - name: 'Test: which'
-        run: which pnpm; which pnpx
-
-      - name: 'Test: version'
-        run: pnpm --version
+      - name: 'Test: pnpm works'
+        run: |
+          set -e
+          which pnpm
+          which pnpx
+          actual="$(pnpm --version)"
+          if [ "${actual}" != "9.15.5" ]; then
+            echo "Expected 9.15.5, got ${actual}"
+            exit 1
+          fi
+        shell: bash

.gitignore

@@ -9,3 +9,4 @@ temp
 tmp.*
 temp.*
 .pnpm-store
+.claude

README.md

@@ -14,7 +14,7 @@ Version of pnpm to install.
 
 **Optional** when there is a [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html).
 
-otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `6.24.1`), or a version range (such as `6`, `6.x.x`, `6.24.x`, `^6.24.1`, `*`, etc.), or `latest`.
+otherwise, this field is **required** It supports npm versioning scheme, it could be an exact version (such as `10.9.8`), or a version range (such as `10`, `10.x.x`, `10.9.x`, `^10.9.8`, `*`, etc.), or `latest`.
 
 ### `dest`
 
@@ -86,7 +86,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v6
         with:
           version: 10
 ```
@@ -105,7 +105,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v6
 ```
 
 ### Install pnpm and a few npm packages
@@ -120,9 +120,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v6
         with:
           version: 10
           run_install: |
@@ -144,9 +144,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v6
         name: Install pnpm
         with:
           version: 10

package.json

@@ -3,7 +3,8 @@
   "scripts": {
     "build:bundle": "esbuild src/index.ts --bundle --platform=node --target=node24 --format=cjs --minify --outfile=dist/index.js --loader:.json=json",
     "build": "pnpm run build:bundle",
-    "start": "pnpm run build && sh ./run.sh"
+    "start": "pnpm run build && sh ./run.sh",
+    "update-bootstrap": "node scripts/update-bootstrap.mjs"
   },
   "dependencies": {
     "@actions/cache": "^4.1.0",

scripts/update-bootstrap.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+// Usage: node scripts/update-bootstrap.mjs [version]
+// If version is omitted, fetches the latest next-11 tag from npm.
+// Regenerates the bootstrap lockfiles used by action-setup to install pnpm via npm.
+
+import { execSync } from 'child_process'
+import { mkdtempSync, rmSync, readFileSync, writeFileSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+
+const BOOTSTRAP_DIR = new URL('../src/install-pnpm/bootstrap/', import.meta.url).pathname
+
+const version = process.argv[2] || resolveLatestVersion()
+
+console.log(`Updating bootstrap lockfiles to pnpm@${version} ...`)
+
+generateLock('pnpm-lock.json', { pnpm: version }, 'bootstrap-pnpm')
+generateLock('exe-lock.json', { '@pnpm/exe': version }, 'bootstrap-exe')
+
+console.log('Done!')
+
+function resolveLatestVersion() {
+  const json = execSync('npm view @pnpm/exe dist-tags --json', { encoding: 'utf8' })
+  const tags = JSON.parse(json)
+  const version = tags['next-11'] || tags['latest']
+  if (!version) {
+    console.error('Could not determine latest pnpm version from npm dist-tags')
+    process.exit(1)
+  }
+  return version
+}
+
+function generateLock(filename, dependencies, name) {
+  const tmp = mkdtempSync(join(tmpdir(), 'pnpm-bootstrap-'))
+  try {
+    writeFileSync(join(tmp, 'package.json'), JSON.stringify({ private: true, dependencies }))
+    execSync('npm install --package-lock-only --ignore-scripts', { cwd: tmp, stdio: 'pipe' })
+    const lock = readFileSync(join(tmp, 'package-lock.json'), 'utf8')
+    const parsed = JSON.parse(lock)
+    parsed.name = name
+    writeFileSync(join(BOOTSTRAP_DIR, filename), JSON.stringify(parsed, null, 2) + '\n')
+    console.log(`  ${filename} -> ${Object.values(dependencies)[0]}@${version}`)
+  } finally {
+    rmSync(tmp, { recursive: true, force: true })
+  }
+}

src/index.ts

@@ -20,9 +20,10 @@ async function main() {
 async function runMain(inputs: Inputs) {
   saveState('is_post', 'true')
 
-  await installPnpm(inputs)
+  const binDest = await installPnpm(inputs)
+  if (binDest === undefined) return
   console.log('Installation Completed!')
-  setOutputs(inputs)
+  setOutputs(inputs, binDest)
 
   await restoreCache(inputs)
 

src/install-pnpm/bootstrap/exe-lock.json

@@ -5,17 +5,18 @@
   "packages": {
     "": {
       "dependencies": {
-        "@pnpm/exe": "11.0.0-beta.3"
+        "@pnpm/exe": "11.0.4"
       }
     },
     "node_modules/@pnpm/exe": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.0-beta.3.tgz",
-      "integrity": "sha512-yWNlHHdYmvf4c0MCkCzAa4csJDPdA+7yJCbXBUDXMbUu/0Zv/AxtO77q24MwlnBUC0dWeA+0F/pPmdkR9aTV2A==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-11.0.4.tgz",
+      "integrity": "sha512-3OwYqbbj1KtuUqoMo5OEkY8nU/WutZ7L5ADFl0bbW9oyqU55U37aDqA3NJNSk28CyszNARfrjerAF2DW2TsV7w==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
-        "@reflink/reflink": "0.1.19"
+        "@reflink/reflink": "0.1.19",
+        "detect-libc": "^2.0.3"
       },
       "bin": {
         "pn": "pn",
@@ -27,18 +28,20 @@
         "url": "https://opencollective.com/pnpm"
       },
       "optionalDependencies": {
-        "@pnpm/linux-arm64": "11.0.0-beta.3",
-        "@pnpm/linux-x64": "11.0.0-beta.3",
-        "@pnpm/macos-arm64": "11.0.0-beta.3",
-        "@pnpm/macos-x64": "11.0.0-beta.3",
-        "@pnpm/win-arm64": "11.0.0-beta.3",
-        "@pnpm/win-x64": "11.0.0-beta.3"
+        "@pnpm/linux-arm64": "11.0.4",
+        "@pnpm/linux-x64": "11.0.4",
+        "@pnpm/linuxstatic-arm64": "11.0.4",
+        "@pnpm/linuxstatic-x64": "11.0.4",
+        "@pnpm/macos-arm64": "11.0.4",
+        "@pnpm/macos-x64": "11.0.4",
+        "@pnpm/win-arm64": "11.0.4",
+        "@pnpm/win-x64": "11.0.4"
       }
     },
     "node_modules/@pnpm/linux-arm64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-TF2fyuCY9GggR4kfhjo1hMmgn+rIohenwNoH0tLPM7JlBK7/UAIFt1LI+o999tRwTCEw7gnxHFwtI2vyQuDfNw==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-11.0.4.tgz",
+      "integrity": "sha512-Bz7V2sFypoGHX/t5w/w7jnCw5DCK3C8s5q8whHJJ3iS5kRznX3Q1F4LwSjjy+lsi777fHyNIvD7qtNmdt9IKoA==",
       "cpu": [
         "arm64"
       ],
@@ -52,9 +55,9 @@
       }
     },
     "node_modules/@pnpm/linux-x64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-7GrLsnSuDH62y486GUTwJdohGIC1ugz9ZJkbKOHgxIAkNGcSTJ1IkkdARtv7/WMmOEwwESDmtpOQ6LmjnpDMSA==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-11.0.4.tgz",
+      "integrity": "sha512-u0Yn1gytR1vKdPk6fYF500H8ZWQlj0cTuIQPp+5GYVPkMmA5bSw41RNIDPBfjDlE8ERmQWaQcrgmTcmTZ+n22A==",
       "cpu": [
         "x64"
       ],
@@ -67,10 +70,48 @@
         "url": "https://opencollective.com/pnpm"
       }
     },
+    "node_modules/@pnpm/linuxstatic-arm64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-arm64/-/linuxstatic-arm64-11.0.4.tgz",
+      "integrity": "sha512-0aitEcfhWNXNZhfJGt/kJaRvfcdtJzXZpV+toJN94kfawSJnhuawfnUSXMi/3m0G97HkJc7BH8rOz3sojUKt0g==",
+      "cpu": [
+        "arm64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linuxstatic-x64": {
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/linuxstatic-x64/-/linuxstatic-x64-11.0.4.tgz",
+      "integrity": "sha512-xDJdeJ7D2YvDBy2/IH9lEqMKiSuZiV8190XKWOgQgxUGGeuW4z3j6Ewpl0S5bXsWuNjAgC+uCKp7Qp3P7cXAvw==",
+      "cpu": [
+        "x64"
+      ],
+      "libc": [
+        "musl"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
     "node_modules/@pnpm/macos-arm64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-NQKgI1DURrEiOUzpxL0Mc+yn7DV4tpShqGnjaJLbz8ZCXsX/qhmybebvCG3r+IfSk3P5KID66lcgC/Osiaz0Dg==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-11.0.4.tgz",
+      "integrity": "sha512-dNR69jUARtGFuyyLE9VuyxhRUKC8MO/7/xIyAdeIMZAD5ej0Y/Ct0DYCa/FLbgFL1nXaXmp4+gRMfJBkkrKfQQ==",
       "cpu": [
         "arm64"
       ],
@@ -84,9 +125,9 @@
       }
     },
     "node_modules/@pnpm/macos-x64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-Ky22KFYHXx8+8WU4KJT9NXVgzFioL2w9pHTQjsqTK70AbxiErscPYhrFIehlCNbXjgs+tGVIy13QNKkiwvmS8w==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-11.0.4.tgz",
+      "integrity": "sha512-RfyrxSBajeEU16dZsgFjbdagDV9F4HNCJfbBgm8IbGjL0+J95naM/VmCDLd6S3+1tISeI2MxtcyCxqjKJsD/BA==",
       "cpu": [
         "x64"
       ],
@@ -100,9 +141,9 @@
       }
     },
     "node_modules/@pnpm/win-arm64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-7L8TFNDm25m+XYSyhcola3YFd/li6BZzzl56SsyGnZabsvUslMwnDiJad48wOz8IuN7zsrTSGh+X/x6F+GdrFQ==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-11.0.4.tgz",
+      "integrity": "sha512-fOQEv8b9KxZlUAxPPXSQQUUIrt2nY24Qwd4RzCPpatacBnsE4JIadlr/B4V5z2zFxmV7FdHr7nYUhv2RqTlY/w==",
       "cpu": [
         "arm64"
       ],
@@ -116,9 +157,9 @@
       }
     },
     "node_modules/@pnpm/win-x64": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.0-beta.3.tgz",
-      "integrity": "sha512-Z/6OpMUaIpggXjCtWEhp6kWjiT/2EImhkJAu8AodOORqeNcWouGEq3sO4XU0em6d+pAHmdV0hWMQ2xCUmPVuiA==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-11.0.4.tgz",
+      "integrity": "sha512-pErHAV8m3NZuPSeCmH3senTSHX0nwkH5lLzQSpiFuyt08hq8sqL3jDymT4ri9N7ixPN9RFZghZIiT3h+Croaew==",
       "cpu": [
         "x64"
       ],
@@ -189,6 +230,9 @@
       "cpu": [
         "arm64"
       ],
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -205,6 +249,9 @@
       "cpu": [
         "arm64"
       ],
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -221,6 +268,9 @@
       "cpu": [
         "x64"
       ],
+      "libc": [
+        "glibc"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -237,6 +287,9 @@
       "cpu": [
         "x64"
       ],
+      "libc": [
+        "musl"
+      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -277,6 +330,15 @@
       "engines": {
         "node": ">= 10"
       }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
     }
   }
 }

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -5,13 +5,13 @@
   "packages": {
     "": {
       "dependencies": {
-        "pnpm": "11.0.0-beta.3"
+        "pnpm": "11.0.4"
       }
     },
     "node_modules/pnpm": {
-      "version": "11.0.0-beta.3",
-      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.0-beta.3.tgz",
-      "integrity": "sha512-6PrfRjycZV4vRX6ttG9oR6pOgbI2/OcF2QLOzHm35UcRuvtqP4zf3wQfAAPwEbeu1uAbpSg/Q5cL8h32tumy6Q==",
+      "version": "11.0.4",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-11.0.4.tgz",
+      "integrity": "sha512-CjlxZQB6AU7VKRmmHl9GxIubyohATDA+yuzGP2Le9WOJjTxril1epYEes5jP4DqwXaGlzpY/Em1erUwC+TuDww==",
       "license": "MIT",
       "bin": {
         "pn": "bin/pnpm.mjs",

src/install-pnpm/index.ts

@@ -4,13 +4,15 @@ import runSelfInstaller from './run'
 
 export { runSelfInstaller }
 
-export async function install(inputs: Inputs) {
+export async function install(inputs: Inputs): Promise<string | undefined> {
   startGroup('Running self-installer...')
-  const status = await runSelfInstaller(inputs)
+  const { exitCode, binDest } = await runSelfInstaller(inputs)
   endGroup()
-  if (status) {
-    return setFailed(`Something went wrong, self-installer exits with code ${status}`)
+  if (exitCode) {
+    setFailed(`Something went wrong, self-installer exits with code ${exitCode}`)
+    return undefined
   }
+  return binDest
 }
 
 export default install

src/install-pnpm/run.ts

@@ -12,7 +12,12 @@ import exeLock from './bootstrap/exe-lock.json'
 const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
 const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
-export async function runSelfInstaller(inputs: Inputs): Promise<number> {
+export interface SelfInstallerResult {
+  exitCode: number
+  binDest: string
+}
+
+export async function runSelfInstaller(inputs: Inputs): Promise<SelfInstallerResult> {
   const { version, dest, packageJsonFile } = inputs
 
   // pnpm v11 requires Node >= 22.13; use standalone (exe) bootstrap which
@@ -29,28 +34,54 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {
   await writeFile(path.join(dest, 'package.json'), packageJson)
   await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
 
-  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
+  // Append the action's node directory to PATH so npm's
+  // `#!/usr/bin/env node` shebang resolves on runners (e.g. GHE
+  // self-hosted) where node isn't already on PATH. Append (not
+  // prepend) so a user-installed toolchain on PATH — e.g. from a
+  // prior `setup-node` step — keeps precedence; otherwise the
+  // runner-bundled node would shadow it and pair the user's npm
+  // with a mismatched node version. npm itself is resolved via
+  // PATH — on the GitHub Actions runner it is not co-located with
+  // `process.execPath`.
+  const nodeDir = path.dirname(process.execPath)
+  // On Windows, the PATH key casing varies; search case-insensitively.
+  const pathKey = Object.keys(process.env).find(k => k.toUpperCase() === 'PATH') ?? 'PATH'
+  const currentPath = process.env[pathKey]
+  const npmEnv = { ...process.env, [pathKey]: currentPath ? currentPath + path.delimiter + nodeDir : nodeDir }
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest, env: npmEnv })
   if (npmExitCode !== 0) {
-    return npmExitCode
+    return { exitCode: npmExitCode, binDest: path.join(dest, 'node_modules', '.bin') }
   }
 
-  const pnpmHome = path.join(dest, 'node_modules', '.bin')
+  // On Windows with standalone mode, npm's .bin shims can't properly
+  // execute the extensionless @pnpm/exe native binaries. Add the
+  // @pnpm/exe directory directly to PATH so pnpm.exe is found natively.
+  const pnpmHome = standalone && process.platform === 'win32'
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe')
+    : path.join(dest, 'node_modules', '.bin')
+  // PNPM_HOME/bin is where `pnpm self-update` places the target version
+  // binary. It must have higher PATH precedence than pnpmHome (which
+  // contains the bootstrap binary) so the self-updated version is found
+  // first. The bootstrap pnpm is invoked via absolute path, not PATH,
+  // so this ordering does not affect the bootstrap step.
   addPath(pnpmHome)
   addPath(path.join(pnpmHome, 'bin'))
   exportVariable('PNPM_HOME', pnpmHome)
 
   // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
-  const pnpmBinLink = path.join(pnpmHome, 'pnpm')
-  if (!existsSync(pnpmBinLink)) {
-    await mkdir(pnpmHome, { recursive: true })
-    const target = standalone
-      ? path.join('..', '@pnpm', 'exe', 'pnpm')
-      : path.join('..', 'pnpm', 'bin', 'pnpm.mjs')
-    await symlink(target, pnpmBinLink)
+  if (process.platform !== 'win32') {
+    const pnpmBinLink = path.join(dest, 'node_modules', '.bin', 'pnpm')
+    if (!existsSync(pnpmBinLink)) {
+      await mkdir(path.join(dest, 'node_modules', '.bin'), { recursive: true })
+      const target = standalone
+        ? path.join('..', '@pnpm', 'exe', 'pnpm')
+        : path.join('..', 'pnpm', 'bin', 'pnpm.mjs')
+      await symlink(target, pnpmBinLink)
+    }
   }
 
   const bootstrapPnpm = standalone
-    ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm')
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe', process.platform === 'win32' ? 'pnpm.exe' : 'pnpm')
     : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.mjs')
 
   // Determine the target version
@@ -61,11 +92,23 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {
     const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
     const exitCode = await runCommand(cmd, args, { cwd: dest })
     if (exitCode !== 0) {
-      return exitCode
+      return { exitCode, binDest: pnpmHome }
     }
+    // self-update writes the target pnpm/pnpx into PNPM_HOME/bin, leaving
+    // the bootstrap symlinks in pnpmHome pointing at the old version. Use
+    // PNPM_HOME/bin so consumers of the bin_dest output (e.g.
+    // `${steps.pnpm.outputs.bin_dest}/pnpm`) invoke the requested version.
+    return { exitCode: 0, binDest: path.join(pnpmHome, 'bin') }
   }
 
-  return 0
+  // No explicit target version: rely on the bootstrap pnpm to switch to
+  // the version declared in packageManager/devEngines at runtime. Force
+  // `pmOnFail=download` so a project that pins
+  // `devEngines.packageManager.onFail = "error"` doesn't trip BAD_PM_VERSION
+  // before the switch can happen (issue #252). Scoped to this branch so users
+  // who pass an explicit `version:` input keep strict onFail behavior.
+  exportVariable('pnpm_config_pm_on_fail', 'download')
+  return { exitCode: 0, binDest: pnpmHome }
 }
 
 function readTargetVersion(opts: {
@@ -143,10 +186,11 @@ function getSystemNodeVersion(): Promise<{ major: number; minor: number }> {
   })
 }
 
-function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+function runCommand(cmd: string, args: string[], opts: { cwd: string; env?: Record<string, string | undefined> }): Promise<number> {
   return new Promise<number>((resolve, reject) => {
     const cp = spawn(cmd, args, {
       cwd: opts.cwd,
+      env: opts.env,
       stdio: ['pipe', 'inherit', 'inherit'],
       shell: process.platform === 'win32',
     })

src/outputs/index.ts

@@ -1,10 +1,9 @@
-import { setOutput, addPath } from '@actions/core'
+import { setOutput } from '@actions/core'
 import { Inputs } from '../inputs'
-import { getBinDest } from '../utils'
 
-export function setOutputs(inputs: Inputs) {
-  const binDest = getBinDest(inputs)
-  addPath(binDest)
+export function setOutputs(inputs: Inputs, binDest: string) {
+  // NOTE: addPath is already called in installPnpm — do not call it again
+  // here, as a second addPath would shadow the correct entry on Windows.
   setOutput('dest', inputs.dest)
   setOutput('bin_dest', binDest)
 }