fix pnpm-workspace.yaml

pnpm v9 requires the packages field in pnpm-workspace.yaml.
Without it, `pnpm --version` fails with "packages field missing or empty".

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/pr-check.yaml

@@ -0,0 +1,28 @@
+name: pr-check
+
+on: [ pull_request ]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          run_install: true
+          version: 9
+
+      - name: Update dist/index.js
+        run: pnpm run build
+
+      - name: Check for uncommitted changes in dist
+        run: git diff --exit-code dist/index.js

.github/workflows/test.yaml

@@ -15,28 +15,36 @@ jobs:
       fail-fast: false
       matrix:
         pnpm:
-          - 4.11.1
+          - 9.15.5
         os:
           - ubuntu-latest
           - macos-latest
           - windows-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
         with:
-          version: 4.11.1
+          version: 9.15.5
 
       - name: 'Test: which'
         run: which pnpm; which pnpx
 
-      - name: 'Test: install'
-        run: pnpm install
+      - name: 'Test: version'
+        run: pnpm --version
 
-  test_explicit_inputs:
-    name: Test with explicit inputs
+      - name: 'Test: install in a fresh project'
+        run: |
+          mkdir /tmp/test-project
+          cd /tmp/test-project
+          pnpm init
+          pnpm add is-odd
+        shell: bash
+
+  test_dest:
+    name: Test with dest
 
     runs-on: ${{ matrix.os }}
 
@@ -44,26 +52,61 @@ jobs:
       fail-fast: false
       matrix:
         pnpm:
-          - 4.11.1
+          - 9.15.5
         os:
           - ubuntu-latest
           - macos-latest
           - windows-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
         with:
-          version: 4.11.1
+          version: 9.15.5
           dest: ~/test/pnpm
 
       - name: 'Test: which'
         run: which pnpm && which pnpx
 
-      - name: 'Test: install'
-        run: pnpm install
+      - name: 'Test: version'
+        run: pnpm --version
+
+  test_standalone:
+    name: Test with standalone
+
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - windows-latest
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Run the action
+        uses: ./
+        with:
+          version: 9.15.0
+          standalone: true
+
+      - name: 'Test: which'
+        run: which pnpm
+
+      - name: 'Test: version'
+        run: pnpm --version
+
+      - name: 'Test: install in a fresh project'
+        run: |
+          mkdir /tmp/test-standalone
+          cd /tmp/test-standalone
+          pnpm init
+          pnpm add is-odd
+        shell: bash
 
   test_run_install:
     name: 'Test with run_install (${{ matrix.run_install.name }}, ${{ matrix.os }})'
@@ -74,7 +117,7 @@ jobs:
       fail-fast: false
       matrix:
         pnpm:
-          - 4.11.1
+          - 9.15.5
         os:
           - ubuntu-latest
           - macos-latest
@@ -82,11 +125,6 @@ jobs:
         run_install:
           - name: 'null'
             value: 'null'
-          - name: 'empty object'
-            value: '{}'
-          - name: 'recursive'
-            value: |
-              recursive: true
           - name: 'global'
             value: |
               args:
@@ -94,29 +132,18 @@ jobs:
                 - --global-dir=./pnpm-global
                 - npm
                 - yarn
-                - pnpm
-          - name: 'array'
-            value: |
-              - {}
-              - recursive: true
-              - args:
-                - --global
-                - --global-dir=./pnpm-global
-                - npm
-                - yarn
-                - pnpm
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Run the action
         uses: ./
         with:
-          version: 4.11.1
+          version: 9.15.5
           run_install: ${{ matrix.run_install.value }}
 
       - name: 'Test: which'
         run: which pnpm; which pnpx
 
-      - name: 'Test: install'
-        run: pnpm install
+      - name: 'Test: version'
+        run: pnpm --version

.gitignore

@@ -2,7 +2,6 @@ node_modules
 *.log
 /dist/*
 !/dist/index.js
-!/dist/pnpm.js
 tmp
 temp
 *.tmp

README.md

@@ -1,3 +1,7 @@
+> ## :warning: Upgrade from v2!
+>
+> The v2 version of this action [has stopped working](https://github.com/pnpm/action-setup/issues/135) with newer Node.js versions. Please, upgrade to the latest version to fix any issues.
+
 # Setup pnpm
 
 Install pnpm package manager.
@@ -36,11 +40,25 @@ If `run_install` is a YAML string representation of either an object or an array
 
 #### `run_install.args`
 
-**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--frozen-lockfile, --strict-peer-dependencies]`.
+**Optional** (_type:_ `string[]`) Additional arguments after `pnpm [recursive] install`, e.g. `[--ignore-scripts, --strict-peer-dependencies]`.
+
+### `cache`
+
+**Optional** (_type:_ `boolean`, _default:_ `false`) Whether to cache the pnpm store directory.
+
+### `cache_dependency_path`
+
+**Optional** (_type:_ `string|string[]`, _default:_ `pnpm-lock.yaml`) File path to the pnpm lockfile, which contents hash will be used as a cache key.
 
 ### `package_json_file`
 
-**Optional** File path to the `package.json` to read "packageManager" configutation. If not specified, `package.json` in the project root directory is used.
+**Optional** (_type:_ `string`, _default:_ `package.json`) File path to the `package.json`/[`package.yaml`](https://github.com/pnpm/pnpm/pull/1799) to read "packageManager" configuration.
+
+### `standalone`
+
+**Optional** (_type:_ `boolean`, _default:_ `false`) When set to true, [@pnpm/exe](https://www.npmjs.com/package/@pnpm/exe), which is a Node.js bundled package, will be installed, enabling using `pnpm` without Node.js.
+
+This is useful when you want to use a incompatible pair of Node.js and pnpm.
 
 ## Outputs
 
@@ -54,7 +72,9 @@ Location of `pnpm` and `pnpx` command.
 
 ## Usage example
 
-### Just install pnpm
+### Install only pnpm without `packageManager`
+
+This works when the repo either doesn't have a `package.json` or has a `package.json` but it doesn't specify `packageManager`.
 
 ```yaml
 on:
@@ -66,9 +86,26 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@v4
         with:
-          version: 8
+          version: 10
+```
+
+###  Install only pnpm with `packageManager`
+
+Omit `version` input to use the version in the [`packageManager` field in the `package.json`](https://nodejs.org/api/corepack.html).
+
+```yaml
+on:
+  - push
+  - pull_request
+
+jobs:
+  install:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: pnpm/action-setup@v4
 ```
 
 ### Install pnpm and a few npm packages
@@ -83,14 +120,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@v4
         with:
-          version: 8
+          version: 10
           run_install: |
             - recursive: true
-              args: [--frozen-lockfile, --strict-peer-dependencies]
+              args: [--strict-peer-dependencies]
             - args: [--global, gulp, prettier, typescript]
 ```
 
@@ -107,31 +144,13 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - name: Install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16
-
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@v4
         name: Install pnpm
         with:
-          version: 7
-          run_install: false
-
-      - name: Get pnpm store directory
-        shell: bash
-        run: |
-          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-
-      - uses: actions/cache@v3
-        name: Setup pnpm cache
-        with:
-          path: ${{ env.STORE_PATH }}
-          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-store-
+          version: 10
+          cache: true
 
       - name: Install dependencies
         run: pnpm install
@@ -145,4 +164,4 @@ This action does not setup Node.js for you, use [actions/setup-node](https://git
 
 ## License
 
-[MIT](https://git.io/JfclH) © [Hoàng Văn Khải](https://github.com/KSXGitHub/)
+[MIT](https://github.com/pnpm/action-setup/blob/master/LICENSE.md) © [Hoàng Văn Khải](https://github.com/KSXGitHub/)

action.yml

@@ -15,11 +15,28 @@ inputs:
     description: If specified, run `pnpm install`
     required: false
     default: 'null'
+  cache:
+    description: Whether to cache the pnpm store directory
+    required: false
+    default: 'false'
+  cache_dependency_path:
+    description: File path to the pnpm lockfile, which contents hash will be used as a cache key
+    required: false
+    default: 'pnpm-lock.yaml'
   package_json_file:
-    description: File path to the package.json to read "packageManager" configutation
+    description: File path to the package.json to read "packageManager" configuration. This path must be relative to the repository root (GITHUB_WORKSPACE).
     required: false
     default: 'package.json'
+  standalone:
+    description: When set to true, @pnpm/exe, which is a Node.js bundled package, will be installed, enabling using pnpm without Node.js.
+    required: false
+    default: 'false'
+outputs:
+  dest:
+    description: Expanded path of inputs#dest
+  bin_dest:
+    description: Location of `pnpm` and `pnpx` command
 runs:
-  using: node16
+  using: node24
   main: dist/index.js
   post: dist/index.js

package.json

@@ -1,26 +1,23 @@
 {
   "private": true,
   "scripts": {
-    "build:schemas": "ts-schema-autogen generate",
-    "build:ncc": "ncc build --minify --no-source-map-register --no-cache dist/tsc/index.js --out dist/",
-    "build": "pnpm run build:schemas && tsc && pnpm run build:ncc && cp src/install-pnpm/pnpm.js dist/pnpm.js",
+    "build:bundle": "esbuild src/index.ts --bundle --platform=node --target=node24 --format=cjs --minify --outfile=dist/index.js --loader:.json=json",
+    "build": "pnpm run build:bundle",
     "start": "pnpm run build && sh ./run.sh"
   },
   "dependencies": {
-    "@actions/core": "^1.10.0",
-    "@types/expand-tilde": "^2.0.0",
-    "@types/fs-extra": "^9.0.13",
-    "@types/js-yaml": "^4.0.5",
-    "@types/node": "^14.18.32",
-    "@types/node-fetch": "^2.6.2",
-    "ajv": "^6.12.6",
+    "@actions/cache": "^4.1.0",
+    "@actions/core": "^1.10.1",
+    "@actions/exec": "^1.1.1",
+    "@actions/glob": "^0.5.0",
+    "@types/expand-tilde": "^2.0.2",
+    "@types/node": "^22.0.0",
     "expand-tilde": "^2.0.2",
-    "fs-extra": "^10.1.0",
-    "js-yaml": "^4.1.0"
+    "yaml": "^2.3.4",
+    "zod": "^3.22.4"
   },
   "devDependencies": {
-    "@ts-schema-autogen/cli": "^0.1.2",
-    "@vercel/ncc": "^0.33.4",
-    "typescript": "^4.8.4"
+    "esbuild": "^0.27.4",
+    "typescript": "^5.3.3"
   }
 }

pnpm-workspace.yaml

@@ -0,0 +1,4 @@
+packages:
+  - '.'
+allowBuilds:
+  esbuild: true

run.sh

@@ -4,4 +4,5 @@ export HOME="$(pwd)"
 export INPUT_VERSION=4.11.1
 export INPUT_DEST='~/pnpm.temp'
 export INPUT_RUN_INSTALL=null
+export INPUT_standalone=false
 exec node dist/index.js

src/cache-restore/index.ts

@@ -0,0 +1,19 @@
+import { isFeatureAvailable } from '@actions/cache'
+import { endGroup, startGroup, warning } from '@actions/core'
+import { Inputs } from '../inputs'
+import { runRestoreCache } from './run'
+
+export async function restoreCache(inputs: Inputs) {
+  if (!inputs.cache) return
+
+  if (!isFeatureAvailable()) {
+    warning('Cache is not available, skipping cache restoration')
+    return
+  }
+
+  startGroup('Restoring cache...')
+  await runRestoreCache(inputs)
+  endGroup()
+}
+
+export default restoreCache

src/cache-restore/run.ts

@@ -0,0 +1,39 @@
+import { restoreCache } from '@actions/cache'
+import { debug, info, saveState, setOutput } from '@actions/core'
+import { getExecOutput } from '@actions/exec'
+import { hashFiles } from '@actions/glob'
+import os from 'os'
+import { Inputs } from '../inputs'
+
+export async function runRestoreCache(inputs: Inputs) {
+  const cachePath = await getCacheDirectory()
+  saveState('cache_path', cachePath)
+
+  const fileHash = await hashFiles(inputs.cacheDependencyPath)
+  if (!fileHash) {
+    throw new Error('Some specified paths were not resolved, unable to cache dependencies.')
+  }
+
+  const primaryKey = `pnpm-cache-${process.env.RUNNER_OS}-${os.arch()}-${fileHash}`
+  debug(`Primary key is ${primaryKey}`)
+  saveState('cache_primary_key', primaryKey)
+
+  let cacheKey = await restoreCache([cachePath], primaryKey)
+
+  setOutput('cache-hit', Boolean(cacheKey))
+
+  if (!cacheKey) {
+    info(`Cache is not found`)
+    return
+  }
+
+  saveState('cache_restored_key', cacheKey)
+  info(`Cache restored from key: ${cacheKey}`)
+}
+
+async function getCacheDirectory() {
+  const { stdout } = await getExecOutput('pnpm store path --silent')
+  const cacheFolderPath = stdout.trim()
+  debug(`Cache folder is set to "${cacheFolderPath}"`)
+  return cacheFolderPath
+}

src/cache-save/index.ts

@@ -0,0 +1,15 @@
+import { setFailed } from '@actions/core'
+import { Inputs } from '../inputs'
+import { runSaveCache } from './run'
+
+export async function saveCache(inputs: Inputs) {
+  if (!inputs.cache) return
+
+  try {
+    await runSaveCache()
+  } catch (error) {
+    setFailed((error as Error).message)
+  }
+}
+
+export default saveCache

src/cache-save/run.ts

@@ -0,0 +1,18 @@
+import { saveCache } from '@actions/cache'
+import { getState, info } from '@actions/core'
+
+export async function runSaveCache() {
+  const state = getState('cache_restored_key')
+  const primaryKey = getState('cache_primary_key')
+  const cachePath = getState('cache_path')
+
+  if (primaryKey === state) {
+    info(`Cache hit occurred on the primary key ${primaryKey}, not saving cache.`)
+    return
+  }
+
+  const cacheId = await saveCache([cachePath], primaryKey)
+  if (cacheId == -1) return
+
+  info(`Cache saved with the key: ${primaryKey}`)
+}

src/index.ts

@@ -1,5 +1,7 @@
 import { setFailed, saveState, getState } from '@actions/core'
-import getInputs from './inputs'
+import restoreCache from './cache-restore'
+import saveCache from './cache-save'
+import getInputs, { Inputs } from './inputs'
 import installPnpm from './install-pnpm'
 import setOutputs from './outputs'
 import pnpmInstall from './pnpm-install'
@@ -7,15 +9,31 @@ import pruneStore from './pnpm-store-prune'
 
 async function main() {
   const inputs = getInputs()
-  const isPost = getState('is_post')
-  if (isPost === 'true') return pruneStore(inputs)
+
+  if (getState('is_post') === 'true') {
+    await runPost(inputs)
+  } else {
+    await runMain(inputs)
+  }
+}
+
+async function runMain(inputs: Inputs) {
   saveState('is_post', 'true')
+
   await installPnpm(inputs)
   console.log('Installation Completed!')
   setOutputs(inputs)
+
+  await restoreCache(inputs)
+
   pnpmInstall(inputs)
 }
 
+async function runPost(inputs: Inputs) {
+  pruneStore(inputs)
+  await saveCache(inputs)
+}
+
 main().catch(error => {
   console.error(error)
   setFailed(error)

src/inputs/index.ts

@@ -1,12 +1,15 @@
-import { getInput, InputOptions } from '@actions/core'
+import { getBooleanInput, getInput, InputOptions } from '@actions/core'
 import expandTilde from 'expand-tilde'
 import { RunInstall, parseRunInstall } from './run-install'
 
 export interface Inputs {
   readonly version?: string
   readonly dest: string
+  readonly cache: boolean
+  readonly cacheDependencyPath: string
   readonly runInstall: RunInstall[]
   readonly packageJsonFile: string
+  readonly standalone: boolean
 }
 
 const options: InputOptions = {
@@ -18,8 +21,11 @@ const parseInputPath = (name: string) => expandTilde(getInput(name, options))
 export const getInputs = (): Inputs => ({
   version: getInput('version'),
   dest: parseInputPath('dest'),
+  cache: getBooleanInput('cache'),
+  cacheDependencyPath: parseInputPath('cache_dependency_path'),
   runInstall: parseRunInstall('run_install'),
   packageJsonFile: parseInputPath('package_json_file'),
+  standalone: getBooleanInput('standalone'),
 })
 
 export default getInputs

src/inputs/run-install-input.schema.autogen.json

@@ -1,21 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/ksxnodeapps/ts-schema-autogen/master/packages/schemas/config.schema.json",
-  "instruction": {
-    "compilerOptions": {
-      "strict": true,
-      "target": "ES2018",
-      "lib": [
-        "ES2018",
-        "ES2019",
-        "ES2020",
-        "ESNext"
-      ],
-      "moduleResolution": "Node",
-      "esModuleInterop": true,
-      "resolveJsonModule": true
-    },
-    "input": "run-install.ts",
-    "symbol": "RunInstallInput",
-    "output": "run-install-input.schema.json"
-  }
-}

src/inputs/run-install-input.schema.json

@@ -1,39 +0,0 @@
-{
-  "anyOf": [
-    {
-      "$ref": "#/definitions/RunInstall"
-    },
-    {
-      "type": "array",
-      "items": {
-        "$ref": "#/definitions/RunInstall"
-      }
-    },
-    {
-      "type": [
-        "null",
-        "boolean"
-      ]
-    }
-  ],
-  "definitions": {
-    "RunInstall": {
-      "type": "object",
-      "properties": {
-        "recursive": {
-          "type": "boolean"
-        },
-        "cwd": {
-          "type": "string"
-        },
-        "args": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    }
-  },
-  "$schema": "http://json-schema.org/draft-07/schema#"
-}

src/inputs/run-install.ts

@@ -1,39 +1,41 @@
-import { getInput, error, InputOptions } from '@actions/core'
-import Ajv from 'ajv'
-import { load } from 'js-yaml'
-import process from 'process'
-import runInstallSchema from './run-install-input.schema.json'
+import { getInput, error } from '@actions/core'
+import { parse as parseYaml } from 'yaml'
+import { z, ZodError } from 'zod'
 
-export interface RunInstall {
-  readonly recursive?: boolean
-  readonly cwd?: string
-  readonly args?: readonly string[]
-}
+const RunInstallSchema = z.object({
+  recursive: z.boolean().optional(),
+  cwd: z.string().optional(),
+  args: z.array(z.string()).optional(),
+})
 
-export type RunInstallInput =
-  | null
-  | boolean
-  | RunInstall
-  | RunInstall[]
+const RunInstallInputSchema = z.union([
+  z.null(),
+  z.boolean(),
+  RunInstallSchema,
+  z.array(RunInstallSchema),
+])
 
-const options: InputOptions = {
-  required: true,
-}
+export type RunInstallInput = z.infer<typeof RunInstallInputSchema>
+export type RunInstall = z.infer<typeof RunInstallSchema>
 
-export function parseRunInstall(name: string): RunInstall[] {
-  const result: RunInstallInput = load(getInput(name, options)) as any
-  const ajv = new Ajv({
-    allErrors: true,
-  })
-  const validate = ajv.compile(runInstallSchema)
-  if (!validate(result)) {
-    for (const errorItem of validate.errors!) {
-      error(`with.run_install${errorItem.dataPath}: ${errorItem.message}`)
+export function parseRunInstall(inputName: string): RunInstall[] {
+  const input = getInput(inputName, { required: true })
+  const parsedInput: unknown = parseYaml(input)
+
+  try {
+    const result: RunInstallInput = RunInstallInputSchema.parse(parsedInput)
+    if (!result) return []
+    if (result === true) return [{ recursive: true }]
+    if (Array.isArray(result)) return result
+    return [result]
+  } catch (exception: unknown) {
+    error(`Error for input "${inputName}" = ${input}`)
+
+    if (exception instanceof ZodError) {
+      error(`Errors: ${exception.errors}`)
+    } else {
+      error(`Exception: ${exception}`)
     }
-    return process.exit(1)
+    process.exit(1)
   }
-  if (!result) return []
-  if (result === true) return [{ recursive: true }]
-  if (Array.isArray(result)) return result
-  return [result]
 }

src/install-pnpm/bootstrap/exe-lock.json

@@ -0,0 +1,147 @@
+{
+  "name": "bootstrap-exe",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@pnpm/exe": "10.32.1"
+      }
+    },
+    "node_modules/@pnpm/exe": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-10.32.1.tgz",
+      "integrity": "sha512-baEtwHeZwmZAdBuuDDL6tbdGg5KpxhPxr3QFfYTGXvY6ws+Z1bN0mQ7ZjcaXBSC1HuLpVXnZ6NsBiaZ2DMv4vg==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      },
+      "optionalDependencies": {
+        "@pnpm/linux-arm64": "10.32.1",
+        "@pnpm/linux-x64": "10.32.1",
+        "@pnpm/macos-arm64": "10.32.1",
+        "@pnpm/macos-x64": "10.32.1",
+        "@pnpm/win-arm64": "10.32.1",
+        "@pnpm/win-x64": "10.32.1"
+      }
+    },
+    "node_modules/@pnpm/linux-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-10.32.1.tgz",
+      "integrity": "sha512-6uB0B+XvunQwHGzIMk2JCkl4Ur6BtM4XbJSwB/mgpWmXDoX/KTJmgx2lodcTjgJSGSySCHfIVuTR9sj/F2D4EA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linux-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-10.32.1.tgz",
+      "integrity": "sha512-AM2tv23Fg7h+nV+adqA/SkZKUysSIEetHfBwYFl8ArgdgkqbGoQy0rAOdKYQBb920CqfexXfI8OA8kPCzRxYng==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-10.32.1.tgz",
+      "integrity": "sha512-Zr4JkhRbtGVsYgbuGZO0dq/6FPOn072Pdo0ubmqWtc14cUATKgAJD7efG03yqr3MLgtwFHgdtUzZ1WsaYAtUTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-10.32.1.tgz",
+      "integrity": "sha512-Yk6q3oFDu//OniXJxfTSHo+aew1LX81FcbzJAtEkcCeTQ0SLbQT6J3QiOMNikp8n8IjNhsy+bn2bdkUxaw+akA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-10.32.1.tgz",
+      "integrity": "sha512-P8rsP5IUetpYjr2iwggoswL2qUukYrJoToXWuMyo8immn58CsYxaXsHVQ1Oq1R3XMfmGGWTXLsiJuQ7H991MRg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-10.32.1.tgz",
+      "integrity": "sha512-i24GwbtBO8ojrhp8WWimX7NgZs0UKH1171oRt6qcRL+a+FxE0Eggv2y0KP7ZI7F3+LZMarwr3tnYsZryfciUOg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}

src/install-pnpm/bootstrap/pnpm-lock.json

@@ -0,0 +1,28 @@
+{
+  "name": "bootstrap-pnpm",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "pnpm": "latest"
+      }
+    },
+    "node_modules/pnpm": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-10.32.1.tgz",
+      "integrity": "sha512-pwaTjw6JrBRWtlY+q07fHR+vM2jRGR/FxZeQ6W3JGORFarLmfWE94QQ9LoyB+HMD5rQNT/7KnfFe8a1Wc0jyvg==",
+      "license": "MIT",
+      "bin": {
+        "pnpm": "bin/pnpm.cjs",
+        "pnpx": "bin/pnpx.cjs"
+      },
+      "engines": {
+        "node": ">=18.12"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}

src/install-pnpm/run.ts

@@ -1,61 +1,133 @@
 import { addPath, exportVariable } from '@actions/core'
 import { spawn } from 'child_process'
-import { remove, ensureFile, writeFile, readFile } from 'fs-extra'
+import { rm, writeFile, mkdir, symlink } from 'fs/promises'
+import { readFileSync, existsSync } from 'fs'
 import path from 'path'
-import { execPath } from 'process'
+import util from 'util'
 import { Inputs } from '../inputs'
+import { parse as parseYaml } from 'yaml'
+import pnpmLock from './bootstrap/pnpm-lock.json'
+import exeLock from './bootstrap/exe-lock.json'
+
+const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
+const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })
 
 export async function runSelfInstaller(inputs: Inputs): Promise<number> {
-  const { version, dest, packageJsonFile } = inputs
+  const { version, dest, packageJsonFile, standalone } = inputs
 
-  // prepare self install
-  await remove(dest)
-  const pkgJson = path.join(dest, 'package.json')
-  await ensureFile(pkgJson)
-  await writeFile(pkgJson, JSON.stringify({ private: true }))
+  // Install bootstrap pnpm via npm (integrity verified by committed lockfile)
+  await rm(dest, { recursive: true, force: true })
+  await mkdir(dest, { recursive: true })
 
-  // prepare target pnpm
-  const target = await readTarget(packageJsonFile, version)
-  const cp = spawn(execPath, [path.join(__dirname, 'pnpm.js'), 'install', target, '--no-lockfile'], {
-    cwd: dest,
-    stdio: ['pipe', 'inherit', 'inherit'],
-  })
+  const lockfile = standalone ? exeLock : pnpmLock
+  const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
+  await writeFile(path.join(dest, 'package.json'), packageJson)
+  await writeFile(path.join(dest, 'package-lock.json'), JSON.stringify(lockfile))
 
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    cp.on('error', reject)
-    cp.on('close', resolve)
-  })
-  if (exitCode === 0) {
-    const pnpmHome = path.join(dest, 'node_modules/.bin')
-    addPath(pnpmHome)
-    exportVariable('PNPM_HOME', pnpmHome)
+  const npmExitCode = await runCommand('npm', ['ci'], { cwd: dest })
+  if (npmExitCode !== 0) {
+    return npmExitCode
   }
-  return exitCode
+
+  const pnpmHome = path.join(dest, 'node_modules', '.bin')
+  addPath(pnpmHome)
+  addPath(path.join(pnpmHome, 'bin'))
+  exportVariable('PNPM_HOME', pnpmHome)
+
+  // Ensure pnpm bin link exists — npm ci sometimes doesn't create it
+  const pnpmBinLink = path.join(pnpmHome, 'pnpm')
+  if (!existsSync(pnpmBinLink)) {
+    await mkdir(pnpmHome, { recursive: true })
+    const target = standalone
+      ? path.join('..', '@pnpm', 'exe', 'pnpm')
+      : path.join('..', 'pnpm', 'bin', 'pnpm.cjs')
+    await symlink(target, pnpmBinLink)
+  }
+
+  const bootstrapPnpm = standalone
+    ? path.join(dest, 'node_modules', '@pnpm', 'exe', 'pnpm')
+    : path.join(dest, 'node_modules', 'pnpm', 'bin', 'pnpm.cjs')
+
+  // Determine the target version
+  const targetVersion = readTargetVersion({ version, packageJsonFile })
+
+  if (targetVersion) {
+    const cmd = standalone ? bootstrapPnpm : process.execPath
+    const args = standalone ? ['self-update', targetVersion] : [bootstrapPnpm, 'self-update', targetVersion]
+    const exitCode = await runCommand(cmd, args, { cwd: dest })
+    if (exitCode !== 0) {
+      return exitCode
+    }
+  }
+
+  return 0
 }
 
-async function readTarget(packageJsonFile: string, version?: string | undefined) {
-  if (version) return `pnpm@${version}`
-
+function readTargetVersion(opts: {
+  readonly version?: string | undefined
+  readonly packageJsonFile: string
+}): string | undefined {
+  const { version, packageJsonFile } = opts
   const { GITHUB_WORKSPACE } = process.env
+
+  let packageManager: unknown
+
+  if (GITHUB_WORKSPACE) {
+    try {
+      const content = readFileSync(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8');
+      ({ packageManager } = packageJsonFile.endsWith(".yaml")
+        ? parseYaml(content, { merge: true })
+        : JSON.parse(content)
+      )
+    } catch (error: unknown) {
+      // Swallow error if package.json doesn't exist in root
+      if (!util.types.isNativeError(error) || !('code' in error) || error.code !== 'ENOENT') throw error
+    }
+  }
+
+  if (version) {
+    if (
+      typeof packageManager === 'string' &&
+      packageManager.startsWith('pnpm@') &&
+      packageManager.replace('pnpm@', '') !== version
+    ) {
+      throw new Error(`Multiple versions of pnpm specified:
+  - version ${version} in the GitHub Action config with the key "version"
+  - version ${packageManager} in the package.json with the key "packageManager"
+Remove one of these versions to avoid version mismatch errors like ERR_PNPM_BAD_PM_VERSION`)
+    }
+
+    return version
+  }
+
+  if (typeof packageManager === 'string' && packageManager.startsWith('pnpm@')) {
+    // pnpm will handle version management via packageManager field
+    return undefined
+  }
+
   if (!GITHUB_WORKSPACE) {
     throw new Error(`No workspace is found.
-If you're intended to let pnpm/action-setup read preferred pnpm version from the "packageManager" field in the package.json file,
+If you've intended to let pnpm/action-setup read preferred pnpm version from the "packageManager" field in the package.json file,
 please run the actions/checkout before pnpm/action-setup.
 Otherwise, please specify the pnpm version in the action configuration.`)
   }
 
-  const { packageManager } = JSON.parse(await readFile(path.join(GITHUB_WORKSPACE, packageJsonFile), 'utf8'))
-  if (typeof packageManager !== 'string') {
-    throw new Error(`No pnpm version is specified.
+  throw new Error(`No pnpm version is specified.
 Please specify it by one of the following ways:
   - in the GitHub Action config with the key "version"
   - in the package.json with the key "packageManager"`)
-  }
+}
 
-  if (!packageManager.startsWith('pnpm@')) {
-    throw new Error('Invalid packageManager field in package.json')
-  }
-  return packageManager
+function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const cp = spawn(cmd, args, {
+      cwd: opts.cwd,
+      stdio: ['pipe', 'inherit', 'inherit'],
+      shell: process.platform === 'win32',
+    })
+    cp.on('error', reject)
+    cp.on('close', resolve)
+  })
 }
 
 export default runSelfInstaller

src/utils/index.ts

@@ -6,5 +6,5 @@ export const getBinDest = (inputs: Inputs): string => path.join(inputs.dest, 'no
 
 export const patchPnpmEnv = (inputs: Inputs): NodeJS.ProcessEnv => ({
   ...process.env,
-  PATH: getBinDest(inputs) + path.delimiter + process.env.PATH,
+  PATH: path.join(getBinDest(inputs), 'bin') + path.delimiter + getBinDest(inputs) + path.delimiter + process.env.PATH,
 })

tsconfig.json

@@ -1,30 +1,19 @@
-
 {
   "compilerOptions": {
-    "target": "ES2018",
-    "module": "CommonJS",
-    "moduleResolution": "Node",
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "lib": [
-      "ES2018",
-      "ES2019",
-      "ES2020",
-      "ESNext"
+      "ES2023"
     ],
-    "outDir": "./dist/tsc",
-    "preserveConstEnums": true,
-    "incremental": false,
-    "declaration": true,
-    "sourceMap": true,
-    "importHelpers": false,
+    "noEmit": true,
     "strict": true,
     "pretty": true,
     "noUnusedLocals": true,
     "noUnusedParameters": true,
     "noImplicitReturns": true,
     "noFallthroughCasesInSwitch": true,
-    "esModuleInterop": true,
-    "experimentalDecorators": true,
-    "emitDecoratorMetadata": true
+    "esModuleInterop": true
   }
 }