build(deps): pin all build dependency versions for reproducibility

jdalton · jdalton · commit 95e3a5568047 · 2025-11-03T00:45:19.000-05:00
Pin exact versions for all build dependencies across workflows:
- Node.js: 22.11.0 (was: 22 or unpinned)
- pnpm: 10.20.0 (was: ^10.16.0, ^10.20.0, or 10.20.0)
- Python: 3.13.0 (was: '3.11' or '3.13')
- Emscripten: 4.0.18 (was: latest in build-sea.yml)

This ensures reproducible builds across all platforms and prevents
unexpected breakage from dependency updates. Critical for C++/WASM
builds where toolchain versions affect binary output.
diff --git a/.github/workflows/build-sea.yml b/.github/workflows/build-sea.yml
@@ -69,12 +69,12 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 24.10.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.16.0
+          version: 10.20.0
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -217,13 +217,13 @@ jobs:
         if: steps.check-platform.outputs.should-run == 'true'
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 24.10.0
 
       - name: Setup pnpm
         if: steps.check-platform.outputs.should-run == 'true'
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.16.0
+          version: 10.20.0
 
       - name: Install dependencies
         if: steps.check-platform.outputs.should-run == 'true'
@@ -335,7 +335,7 @@ jobs:
         if: steps.check-platform.outputs.should-run == 'true' && steps.yoga-cache-valid.outputs.valid != 'true' && matrix.os != 'windows'
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.11'
+          python-version: '3.13.0'
 
       - name: Cache Emscripten SDK (non-Windows)
         if: steps.check-platform.outputs.should-run == 'true' && steps.yoga-cache-valid.outputs.valid != 'true' && matrix.os != 'windows'
@@ -375,14 +375,14 @@ jobs:
               echo "::group::Installing Emscripten"
               git clone https://github.com/emscripten-core/emsdk.git
               cd emsdk
-              ./emsdk install latest
-              ./emsdk activate latest
+              ./emsdk install 4.0.18
+              ./emsdk activate 4.0.18
               cd ..
               echo "::endgroup::"
             else
               echo "::group::Activating Emscripten (from cache)"
               cd emsdk
-              ./emsdk activate latest
+              ./emsdk activate 4.0.18
               cd ..
               echo "::endgroup::"
             fi
diff --git a/.github/workflows/build-smol.yml b/.github/workflows/build-smol.yml
@@ -69,12 +69,12 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.16.0
+          version: 10.20.0
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -214,13 +214,13 @@ jobs:
         if: steps.check-platform.outputs.should-run == 'true'
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
 
       - name: Setup pnpm
         if: steps.check-platform.outputs.should-run == 'true'
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.16.0
+          version: 10.20.0
 
       - name: Install dependencies
         if: steps.check-platform.outputs.should-run == 'true'
@@ -293,7 +293,7 @@ jobs:
         if: steps.smol-cache-valid.outputs.valid != 'true' || inputs.force
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.11'
+          python-version: '3.13.0'
 
       - name: Verify Python installation
         if: steps.smol-cache-valid.outputs.valid != 'true' || inputs.force
@@ -362,7 +362,7 @@ jobs:
             alpine:3.19 \
             sh -c "
               apk add --no-cache nodejs npm python3 make g++ linux-headers git ccache ninja && \
-              npm install -g pnpm@10.16.0 && \
+              npm install -g pnpm@10.20.0 && \
               pnpm --filter @socketbin/node-smol-builder run build
             "
 
diff --git a/.github/workflows/build-wasm.yml b/.github/workflows/build-wasm.yml
@@ -82,7 +82,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
@@ -194,7 +194,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
@@ -204,7 +204,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
-          python-version: '3.13'
+          python-version: '3.13.0'
 
       - name: Cache pip packages
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -358,7 +358,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
diff --git a/.github/workflows/publish-socketbin.yml b/.github/workflows/publish-socketbin.yml
@@ -119,13 +119,13 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
           registry-url: 'https://registry.npmjs.org'
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.20.0
+          version: 10.20.0
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -337,13 +337,13 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 22
+          node-version: 22.11.0
           registry-url: 'https://registry.npmjs.org'
 
       - name: Setup pnpm
         uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
         with:
-          version: ^10.20.0
+          version: 10.20.0
 
       - name: Install latest npm
         run: npm install -g npm@latest
