From e5375c339623114271b327578e3a6ab511aa692a Mon Sep 17 00:00:00 2001 From: Alberto Andre Date: Fri, 5 Jun 2026 23:19:00 -0300 Subject: [PATCH] fix(release): keep pnpm-lock.yaml in sync through the changeset version bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Every release stalled because the changesets Version PR bumped the internal dep (create-bhono -> @etus/bhono) to a not-yet-published version, leaving the lockfile out of date, so the release workflow `pnpm install --frozen-lockfile` failed. - .npmrc: link-workspace-packages=true so internal deps resolve to the local workspace (link:../bhono-app) instead of a registry version that does not exist yet during the bump. - changeset:version now also runs `pnpm install --lockfile-only`, so the release PR carries an in-sync lockfile. - release.yml: changesets/action uses that script (version: pnpm run changeset:version) and gets NODE_AUTH_TOKEN so the lockfile refresh can resolve restricted @etus deps. npm publish (not pnpm) still publishes the range in package.json, so the published create-bhono keeps "@etus/bhono": "^x.y.0" — link-workspace-packages only affects resolution/lockfile, never the manifest. --- .github/workflows/release.yml | 8 ++++++++ .npmrc | 5 +++++ package.json | 2 +- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1d0ca41..d152adb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,10 +73,18 @@ jobs: id: changesets uses: changesets/action@v1 with: + # `changeset:version` runs `changeset version && pnpm install + # --lockfile-only`, so the release PR carries an in-sync pnpm-lock.yaml. + # Without it the later `--frozen-lockfile` install fails on the bumped + # (but not-yet-published) internal versions, stalling every release. + version: pnpm run changeset:version title: 'chore: release packages' commit: 'chore: release packages' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Lets `changeset:version`'s lockfile refresh resolve restricted @etus + # deps (e.g. @etus/auth) from the registry while updating the lockfile. + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} HUSKY: '0' # Idempotent publish: skip if the local version is already on the diff --git a/.npmrc b/.npmrc index 9a5e138..6df6def 100644 --- a/.npmrc +++ b/.npmrc @@ -1,2 +1,7 @@ @etus:registry=https://registry.npmjs.org/ //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} +# Resolve internal workspace deps (e.g. create-bhono -> @etus/bhono) to the local +# package instead of the registry. Without this, a release bump points the dep at +# a version that isn't published yet, so `pnpm install` can't resolve it and every +# release stalls on the lockfile (ERR_PNPM_NO_MATCHING_VERSION / OUTDATED_LOCKFILE). +link-workspace-packages=true diff --git a/package.json b/package.json index 4b0c1fe..28772ab 100644 --- a/package.json +++ b/package.json @@ -49,7 +49,7 @@ "test:e2e:prod:auth": "tsx scripts/capture-prod-session.ts", "test": "pnpm test:unit && pnpm test:integration && pnpm test:e2e", "changeset": "changeset", - "changeset:version": "changeset version", + "changeset:version": "changeset version && pnpm install --lockfile-only", "changeset:publish": "changeset publish", "prepare": "husky || true", "test:run": "pnpm test:unit:server && pnpm test:unit:client",