fix(release): drop pnpm version pin from npm-publish.yml — packageManager wins

[IgorShevchik]

Second blocker on the v0.1.0 publish path. Tiny fix.

The failure

workflow_dispatch run on the v0.1.0 tag failed at the Install pnpm step:

Error: Multiple versions of pnpm specified:
  - version 10 in the GitHub Action config with the key "version"
  - version pnpm@10.10.0 in the package.json with the key "packageManager"
Remove one of these versions to avoid version mismatch errors like
ERR_PNPM_BAD_PM_VERSION

The explicit version: 10 on pnpm/action-setup@v4 was added in PR #18 on a senior-dev review nit ("make the pin consistent with packageManager"). On the action version current at runtime, two sources of truth is no longer accepted — the action wants one.

The fix

Drop version: 10 from the workflow. Let pnpm/action-setup@v4 read packageManager: pnpm@10.10.0 from package.json directly (more precise, already authoritative for corepack, local installs, and every other tool). Same shape used in ci.yml, which doesn't see this error.

       - name: 'Install pnpm'
+        # Version is read from `packageManager: pnpm@X.Y.Z` in package.json
+        # (the precise pinned version). Specifying `version:` here in
+        # addition triggers ERR_PNPM_BAD_PM_VERSION on newer action versions
+        # since both sources disagree about which is authoritative.
         uses: pnpm/action-setup@v4
-        with:
-          version: 10

Bonus confirmation: Node 24 opt-in is working

The same failed run logs:

Node.js 20 is deprecated. The following actions target Node.js 20 but are being forced to run on Node.js 24: actions/checkout@v4, pnpm/action-setup@v4.

That's exactly the intended behaviour of the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true flag added in PR #23. Notice this is an informational message, not an error — Node 24 enforcement is in place.

Post-merge plan

Re-trigger npm-publish.yml via workflow_dispatch on main. Expected progression:

1. Install pnpm — now picks up pnpm@10.10.0 from packageManager, single source of truth.
2. Install node — Node 22 with npm registry config.
3. Install dependencies — pnpm install --frozen-lockfile.
4. Upgrade npm CLI for OIDC trusted publishing — npm install -g 'npm@^11.5.1'.
5. Sanity check — tag matches package.json version — b24rabbitmq-v0.1.0 (the existing tag) → strip → 0.1.0 → matches package.json.
6. Lint / Typecheck / Test / Build / Docs (TypeDoc dry-run).
7. Publish 🚀 (OIDC trusted publishing) — exchanges OIDC token for one-shot npm credential → npm publish --provenance → @bitrix24/b24rabbitmq@0.1.0 lands on npm.

Gates

Gate	Result
pnpm lint	green
pnpm test	66/66

No src/ changes. Workflow-only.

---

Generated by Claude Code