Skip to content

refactor: migrate from npm to pnpm #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mabry1985 wants to merge 4 commits into
base: main
Choose a base branch
from
Open

refactor: migrate from npm to pnpm #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f313c8d
refactor: migrate from npm to pnpm
Apr 1, 2026
f0317b4
fix: remove explicit pnpm version from CI workflows
Apr 1, 2026
3ee178c
fix: add @deck.gl/extensions as explicit dependency
Apr 1, 2026
bbe85b6
fix: regenerate pnpm-lock.yaml with @deck.gl/extensions
Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 7 additions & 5 deletions .github/workflows/build-desktop.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,11 +72,13 @@ jobs:
shell: bash
run: echo "JOB_START_EPOCH=$(date +%s)" >> "$GITHUB_ENV"

- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: '22'
cache: 'npm'
cache: 'pnpm'

- name: Install Rust stable
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7
Expand Down Expand Up @@ -107,10 +109,10 @@ jobs:
gstreamer1.0-gl

- name: Install frontend dependencies
run: npm ci
run: pnpm install --frozen-lockfile

- name: Check version consistency
run: npm run version:check
run: pnpm run version:check

- name: Bundle Node.js runtime
shell: bash
Expand Down Expand Up @@ -265,7 +267,7 @@ jobs:
releaseBody: 'See changelog below.'
releaseDraft: ${{ github.event_name == 'workflow_dispatch' && fromJSON(github.event.inputs.draft) }}
prerelease: false
tauriScript: npx tauri
tauriScript: pnpm tauri
args: --config src-tauri/tauri.tech.conf.json ${{ matrix.args }}
retryAttempts: 1
Comment on lines +270 to 272
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if tauriScript is specified for full variant builds
rg -n 'tauriScript' .github/workflows/build-desktop.yml
echo "---"
echo "Full variant build steps (lines ~207 and ~232) should be checked for missing tauriScript"

Repository: protoLabsAI/worldmonitor

Length of output: 236

🏁 Script executed:

# View the workflow file around the mentioned lines to verify the claim
sed -n '200,240p' .github/workflows/build-desktop.yml
echo "---"
sed -n '265,295p' .github/workflows/build-desktop.yml

Repository: protoLabsAI/worldmonitor

Length of output: 3648

🌐 Web query:

tauri-action default tauriScript npx

💡 Result:

In the tauri-apps/tauri-action GitHub Action, the tauriScript input specifies the command to run the Tauri CLI (without 'build' or args). If not explicitly set (default is empty string ''), the action automatically determines it by detecting the package manager in the project (npm, pnpm, yarn, bun) and uses formats like "npm run tauri", "yarn tauri", etc. If no suitable project CLI is found or it needs to install the CLI globally, it falls back to just "tauri" (after installing @tauri-apps/cli globally via npm). This auto-detection supports npx usage internally for projects without a local tauri script, but users typically set tauriScript explicitly for custom needs like "npx tauri" to avoid issues in npm workspaces.

Citations:

Add explicit tauriScript: pnpm tauri to full variant build steps for consistency.

The full variant builds (lines 207, 232) omit tauriScript and rely on tauri-action's auto-detection, while the tech variant builds (lines 270, 290) explicitly specify tauriScript: pnpm tauri. Although auto-detection should handle pnpm correctly, being explicit ensures consistency across all build variants and avoids relying on implicit behavior.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-desktop.yml around lines 270 - 272, Two full-variant
build steps are missing an explicit tauriScript setting and rely on
auto-detection; add tauriScript: pnpm tauri to those full variant job
definitions (the same key used in the tech variant) so each build step that has
args: --config ... and retryAttempts: 1 also includes tauriScript: pnpm tauri,
ensuring consistency across all variants and preventing implicit tauri-action
detection differences.


Expand All @@ -285,7 +287,7 @@ jobs:
releaseBody: 'See changelog below.'
releaseDraft: ${{ github.event_name == 'workflow_dispatch' && fromJSON(github.event.inputs.draft) }}
prerelease: false
tauriScript: npx tauri
tauriScript: pnpm tauri
args: --config src-tauri/tauri.tech.conf.json ${{ matrix.args }}
retryAttempts: 1

Expand Down
15 changes: 8 additions & 7 deletions .github/workflows/lint-code.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,15 +13,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- run: npm ci
- run: npm run lint:unicode
- run: npm run lint
- run: npm run lint:boundaries
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm run lint:unicode
- run: pnpm run lint
- run: pnpm run lint:boundaries
- name: Markdown lint
run: npm run lint:md
run: pnpm run lint:md
- name: Version sync check
run: npm run version:check
run: pnpm run version:check
6 changes: 4 additions & 2 deletions .github/workflows/test-linux-app.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,13 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: '22'
cache: 'npm'
cache: 'pnpm'

- name: Install Rust stable
uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7
Expand Down Expand Up @@ -53,7 +55,7 @@ jobs:
xdotool

- name: Install frontend dependencies
run: npm ci
run: pnpm install --frozen-lockfile

- name: Bundle Node.js runtime
shell: bash
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,16 +13,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- run: npm ci
- run: npm run test:data
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm run test:data
- name: Edge function bundle check
run: |
find api/ -name "*.js" -not -name "_*" | while read f; do
npx esbuild "$f" --bundle --format=esm --platform=browser --outfile=/dev/null || {
pnpm exec esbuild "$f" --bundle --format=esm --platform=browser --outfile=/dev/null || {
echo "ERROR: esbuild failed to bundle $f"
exit 1
}
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/typecheck.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,11 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
with:
node-version: '22'
cache: 'npm'
- run: npm ci
- run: npm run typecheck
- run: npm run typecheck:api
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm run typecheck
- run: pnpm run typecheck:api
9 changes: 6 additions & 3 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,14 @@
# ── Stage 1: Builder ─────────────────────────────────────────────────────────
FROM node:22-alpine AS builder

# Install pnpm
RUN npm install -g pnpm
Comment on lines +12 to +13
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Pin the pnpm version for reproducible builds.

Same issue as docker/Dockerfile: the pnpm version should be pinned to match the repo's packageManager field (pnpm@9.15.9).

Option 1: Pin via npm 
 # Install pnpm
-RUN npm install -g pnpm
+RUN npm install -g pnpm@9.15.9
Option 2: Use corepack (preferred) 
-# Install pnpm
-RUN npm install -g pnpm
+# Enable corepack to use pnpm version from package.json
+RUN corepack enable
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Install pnpm
RUN npm install -g pnpm
# Install pnpm
RUN npm install -g pnpm@9.15.9
🧰 Tools
🪛 Hadolint (2.14.0)

[warning] 13-13: Pin versions in npm. Instead of npm install <package> use npm install <package>@<version>

(DL3016)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 12 - 13, The Dockerfile currently installs pnpm
without a pinned version (the RUN npm install -g pnpm line); update this to pin
pnpm to the repo's packageManager version (pnpm@9.15.9) or, preferably, enable
corepack and run corepack prepare pnpm@9.15.9 --activate so builds are
reproducible; ensure the pinned version exactly matches the packageManager field
(pnpm@9.15.9) in package.json and remove the unpinned RUN npm install -g pnpm
entry or replace it with the corepack-based commands.


WORKDIR /app

# Install root dependencies (layer-cached until package.json changes)
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --ignore-scripts

# Copy full source
COPY . .
Expand All @@ -24,7 +27,7 @@ RUN node docker/build-handlers.mjs

# Build Vite frontend (outputs to dist/)
# Skip blog build — blog-site has its own deps not installed here
RUN npx tsc && npx vite build
RUN pnpm exec tsc && pnpm exec vite build

# ── Stage 2: Runtime ─────────────────────────────────────────────────────────
FROM node:22-alpine AS final
Expand Down
10 changes: 5 additions & 5 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
.PHONY: help lint generate breaking format check clean deps install install-buf install-plugins install-npm install-playwright
.PHONY: help lint generate breaking format check clean deps install install-buf install-plugins install-pnpm install-playwright
.DEFAULT_GOAL := help

# Variables
Expand All @@ -22,7 +22,7 @@ help: ## Show this help message
@echo 'Targets:'
@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf " %-20s %s\n", $$1, $$2}' $(MAKEFILE_LIST)

install: install-buf install-plugins install-npm install-playwright deps ## Install everything (buf, sebuf plugins, npm deps, proto deps, browsers)
install: install-buf install-plugins install-pnpm install-playwright deps ## Install everything (buf, sebuf plugins, pnpm deps, proto deps, browsers)

install-buf: ## Install buf CLI
@if command -v buf >/dev/null 2>&1; then \
Expand All @@ -40,11 +40,11 @@ install-plugins: ## Install sebuf protoc plugins (requires Go)
@$(GO_INSTALL) github.com/SebastienMelki/sebuf/cmd/protoc-gen-openapiv3@$(SEBUF_VERSION)
@echo "Plugins installed!"

install-npm: ## Install npm dependencies
npm install
install-pnpm: ## Install pnpm dependencies
pnpm install
Comment on lines +43 to +44
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Use frozen lockfile in the Make target to catch drift earlier

Line [44] uses pnpm install without --frozen-lockfile, which can mask dependency drift locally and defer failures to CI.

Suggested diff 
 install-pnpm: ## Install pnpm dependencies
-	pnpm install
+	pnpm install --frozen-lockfile
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 43 - 44, The Make target install-pnpm currently runs
`pnpm install` which can update the lockfile silently; change the command in the
install-pnpm target to use a frozen lockfile (e.g., `pnpm install
--frozen-lockfile`) so dependency drift fails fast locally and CI catches
mismatches earlier—update the install-pnpm recipe to include the
`--frozen-lockfile` flag.


install-playwright: ## Install Playwright browsers for e2e tests
npx playwright install chromium
pnpm exec playwright install chromium

deps: ## Install/update buf proto dependencies
cd $(PROTO_DIR) && buf dep update
Expand Down
Loading
Loading