Skip to content

fix(release): keep pnpm-lock.yaml in sync through the changeset version bump#61

Merged
aabrius merged 1 commit into
masterfrom
fix/release-flow-lockfile-sync
Jun 6, 2026
Merged

fix(release): keep pnpm-lock.yaml in sync through the changeset version bump#61
aabrius merged 1 commit into
masterfrom
fix/release-flow-lockfile-sync

Conversation

@aabrius

@aabrius aabrius commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Problem

Every release stalled on pnpm install --frozen-lockfile in release.yml. The changesets "Version Packages" PR bumps the internal dep create-bhono → @etus/bhono to a version that isn't published yet, but the action never updates pnpm-lock.yaml. So the lockfile says ^0.2.0 while the manifest says ^0.3.0ERR_PNPM_OUTDATED_LOCKFILE, and pnpm can't resolve the bumped version from the registry → ERR_PNPM_NO_MATCHING_VERSION. This is why the 0.3.0 release (and the prior #53/#55 runs) failed; 0.3.0 only shipped after a manual lockfile patch.

Fix

  • .npmrc: link-workspace-packages=true — internal deps resolve to the local workspace (link:../bhono-app) instead of a registry version that doesn't exist during the bump. This is the load-bearing change.
  • changeset:version also runs pnpm install --lockfile-only — the Version PR now carries an in-sync lockfile.
  • release.yml: the changesets action uses that script (version: pnpm run changeset:version) and gets NODE_AUTH_TOKEN so the lockfile refresh can resolve restricted @etus deps.

npm publish (not pnpm) still publishes the range from package.json, so the published create-bhono keeps "@etus/bhono": "^x.y.0"link-workspace-packages only affects resolution/lockfile, never the manifest.

Validation (throwaway-changeset test, locally)

Ran the exact script the CI calls with a minor changeset:

  • changeset:version → bumped both to 0.4.0, create-bhono dep → ^0.4.0 (range, not link:), lockfile resolved @etus/bhono to link:../bhono-app, exit 0. (The ERR_PNPM_FETCH_404 lines for @etus/bhono/@etus/auth are non-fatal noise — pnpm tries the registry, then falls back to the workspace link; @etus/auth@0.8.0 stays resolved.)
  • pnpm install --frozen-lockfile --filter '@etus/bhono...' against the bumped lockfile → exit 0, "Lockfile is up to date". This is the step that was failing.

Out of scope (operational, not code)

The NPM_TOKEN repo secret should be a read-only token dedicated to the @etus scope (it was expired/over-scoped — I refreshed it with the dev publish token to unblock 0.3.0). Swap it for a dedicated read-only token when convenient; no code change needed.

…on bump

Every release stalled because the changesets Version PR bumped the internal dep
(create-bhono -> @etus/bhono) to a not-yet-published version, leaving the lockfile
out of date, so the release workflow `pnpm install --frozen-lockfile` failed.

- .npmrc: link-workspace-packages=true so internal deps resolve to the local
  workspace (link:../bhono-app) instead of a registry version that does not exist
  yet during the bump.
- changeset:version now also runs `pnpm install --lockfile-only`, so the release
  PR carries an in-sync lockfile.
- release.yml: changesets/action uses that script (version: pnpm run
  changeset:version) and gets NODE_AUTH_TOKEN so the lockfile refresh can resolve
  restricted @ETUS deps.

npm publish (not pnpm) still publishes the range in package.json, so the published
create-bhono keeps "@etus/bhono": "^x.y.0" — link-workspace-packages only affects
resolution/lockfile, never the manifest.
@aabrius aabrius merged commit e4860db into master Jun 6, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants