build(deps): standardize on pnpm 11 and build Docker image from repo root (#376)

* build(deps): standardize on pnpm 11 with config in pnpm-workspace.yaml

Nothing pinned the pnpm version, so local/Docker ran pnpm 11 while CI pinned pnpm 9. pnpm 11 no longer reads the 'pnpm' field in package.json, so every local install silently stripped the overrides block from the lockfile and mismatched CI's pnpm 9 — forcing a manual re-gen that must not be committed.

Pin packageManager to pnpm@11.5.0 (corepack/CI/Docker now agree) and move overrides, onlyBuiltDependencies, and minimumReleaseAge out of package.json#pnpm into pnpm-workspace.yaml — overrides: stays a map, onlyBuiltDependencies becomes the allowBuilds map, minimumReleaseAge: 0 replaces the env workaround. CI workflows drop the hardcoded 'version: 9' so pnpm/action-setup follows packageManager.

The lockfile is byte-identical after the move, confirming the churn was purely the misplaced config; a frozen install is now stable and the full suite passes under pnpm 11.

* build(docker): build testplanit image from repo root, drop duplicate lockfile

The testplanit image now builds from the repository root so it uses the single
root pnpm-lock.yaml + pnpm-workspace.yaml directly, eliminating the committed
testplanit/pnpm-lock.yaml duplicate that had to be hand-mirrored on every
install. Combined with the pnpm 11 packageManager pin, this ends the recurring
re-gen/don't-commit churn.

- docker-bake.hcl: context "..", dockerfile "testplanit/Dockerfile"
- Dockerfile: pnpm workspace install at /app with the app at /app/testplanit;
  pnpm provisioned via corepack; production deps via `pnpm deploy --prod
  --legacy` for a self-contained node_modules; the generated Prisma client and
  ZenStack files are copied into the deploy tree by locating them there, since
  the prod peer-hash dir name differs from the build tree
- .dockerignore (new): keeps the root context small; artifact patterns are
  anchored to real locations so a floating glob can't strip a source route such
  as app/api/test-results (only reached via dynamic fetch, so the build would
  not have failed -- it would just 404 at runtime)
- docker-compose{,.dev,.prod}.yml: context "..", working_dir/volumes shifted to
  /app/testplanit
- release.yml: drop the 4 `cp pnpm-lock.yaml testplanit/...` steps; add
  --allow=fs.read=.. to the bake calls (buildx parent-context entitlement)
- ci.yml: drop the obsolete lockfile-mirror diff; the install gate now uses
  --frozen-lockfile to fail fast on root-lockfile drift
- docs: manual-setup notes pnpm 11 via corepack/packageManager

Validated locally on Colima (linux/arm64): `docker buildx bake production
workers` builds both images; the production image boots and serves; the workers
smoke test loads all 16 entrypoints; the test-results route compiles into the
standalone; and the security overrides are present in the built tree.

Author: therealbrad

.dockerignore

@@ -0,0 +1,47 @@
+# Root build context ignore. The testplanit image builds from the repo root so
+# it can use the single root pnpm-lock.yaml + pnpm-workspace.yaml. Excluding the
+# large generated/working directories keeps the context small enough to
+# transfer. Patterns for ambiguous directory names (build, dist, coverage,
+# test-results, e2e, ...) are ANCHORED to their real top-level locations so a
+# floating "**/" glob can never strip a source route such as
+# app/api/test-results — which Next.js only reaches via a dynamic fetch(), so
+# its absence would not fail the build, only 404 at runtime.
+
+# Dependencies & framework caches — safe to match at any depth (never source).
+**/node_modules
+**/.next
+**/.turbo
+**/.docusaurus
+**/*.tsbuildinfo
+
+# Build output & test artifacts — regenerated in-image; anchored, not floating.
+testplanit/dist
+testplanit/build
+testplanit/coverage
+testplanit/test-results
+testplanit/playwright-report
+testplanit/e2e
+docs/build
+docs/.docusaurus
+forge-app/dist
+cli/dist
+packages/*/dist
+
+# Large local data & prebuilt binaries — never needed in the image.
+testplanit/backups
+**/docker-data/
+cli/releases
+.playwright-mcp
+demo/
+
+# VCS, env, editor, OS cruft.
+.git
+**/.git
+**/.env
+**/.env.*
+!**/.env.example
+**/.DS_Store
+**/npm-debug.log*
+
+# Planning (local-only).
+**/.planning/

.github/workflows/ci.yml

@@ -34,25 +34,21 @@ jobs:
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - name: Setup Node.js
         uses: actions/setup-node@v5
         with:
           node-version: '24'
 
-      - name: Verify workspace lockfile mirror
-        # testplanit/pnpm-lock.yaml is a load-bearing byte-for-byte duplicate
-        # of the root pnpm-lock.yaml — the testplanit Dockerfile copies it
-        # from its build context. Fail loudly when they diverge (typically
-        # after a Dependabot bump) so the mirror is fixed before merge.
-        run: diff -q pnpm-lock.yaml testplanit/pnpm-lock.yaml
-
       - name: Install dependencies
+        # --frozen-lockfile is the pre-merge lockfile-integrity gate: it fails
+        # fast if the root pnpm-lock.yaml has drifted from the manifests (e.g. a
+        # Dependabot bump that didn't regenerate it), matching the frozen install
+        # the release Docker build relies on. A non-frozen install would silently
+        # rewrite the lockfile in-runner and pass, deferring the failure to release.
         run: |
           cd testplanit
-          pnpm install --ignore-scripts
+          pnpm install --frozen-lockfile --ignore-scripts
 
       - name: Generate ZenStack and Prisma
         run: |

.github/workflows/cli-semantic-release.yml

@@ -31,8 +31,6 @@ jobs:
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - name: Setup Node.js
         uses: actions/setup-node@v5

.github/workflows/packages-release.yml

@@ -44,8 +44,6 @@ jobs:
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - name: Setup Node.js
         uses: actions/setup-node@v5

.github/workflows/release.yml

@@ -77,17 +77,14 @@ jobs:
         mkdir -p public
         cp public/version.json .docker-version.json || echo "Version file not generated"
 
-    - name: Copy lockfile for Docker build
-      run: cp pnpm-lock.yaml testplanit/pnpm-lock.yaml
-
     - name: Build and push AMD64 images
       working-directory: ./testplanit
       run: |
         VERSION="${{ github.ref_name }}"
         VERSION_NUM="${VERSION#v}"
         SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8)
 
-        docker buildx bake -f docker-bake.hcl --push \
+        docker buildx bake -f docker-bake.hcl --allow=fs.read=.. --push \
           --set "*.platform=linux/amd64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${VERSION_NUM}-amd64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${VERSION}-amd64" \
@@ -148,17 +145,14 @@ jobs:
         mkdir -p public
         cp public/version.json .docker-version.json || echo "Version file not generated"
 
-    - name: Copy lockfile for Docker build
-      run: cp pnpm-lock.yaml testplanit/pnpm-lock.yaml
-
     - name: Build and push ARM64 images
       working-directory: ./testplanit
       run: |
         VERSION="${{ github.ref_name }}"
         VERSION_NUM="${VERSION#v}"
         SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8)
 
-        docker buildx bake -f docker-bake.hcl --push \
+        docker buildx bake -f docker-bake.hcl --allow=fs.read=.. --push \
           --set "*.platform=linux/arm64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${VERSION_NUM}-arm64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${VERSION}-arm64" \
@@ -286,14 +280,11 @@ jobs:
         mkdir -p public
         cp public/version.json .docker-version.json || echo "Version file not generated"
 
-    - name: Copy lockfile for Docker build
-      run: cp pnpm-lock.yaml testplanit/pnpm-lock.yaml
-
     - name: Build and push AMD64 images
       working-directory: ./testplanit
       run: |
         SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8)
-        docker buildx bake -f docker-bake.hcl --push \
+        docker buildx bake -f docker-bake.hcl --allow=fs.read=.. --push \
           --set "*.platform=linux/amd64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${{ github.event.inputs.tag }}-amd64" \
           --set "workers.tags=ghcr.io/${REPO_LC}:${{ github.event.inputs.tag }}-workers-amd64" \
@@ -349,14 +340,11 @@ jobs:
         mkdir -p public
         cp public/version.json .docker-version.json || echo "Version file not generated"
 
-    - name: Copy lockfile for Docker build
-      run: cp pnpm-lock.yaml testplanit/pnpm-lock.yaml
-
     - name: Build and push ARM64 images
       working-directory: ./testplanit
       run: |
         SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-8)
-        docker buildx bake -f docker-bake.hcl --push \
+        docker buildx bake -f docker-bake.hcl --allow=fs.read=.. --push \
           --set "*.platform=linux/arm64" \
           --set "production.tags=ghcr.io/${REPO_LC}:${{ github.event.inputs.tag }}-arm64" \
           --set "workers.tags=ghcr.io/${REPO_LC}:${{ github.event.inputs.tag }}-workers-arm64" \

.github/workflows/semantic-release.yml

@@ -32,8 +32,6 @@ jobs:
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
-        with:
-          version: 9
 
       - name: Setup Node.js
         uses: actions/setup-node@v5

docs/docs/manual-setup.md

@@ -11,7 +11,7 @@ This guide explains how to set up TestPlanIt for local development manually, wit
 Before you begin, ensure you have the following installed:
 
 - [Node.js](https://nodejs.org/) v24.x LTS
-- [pnpm](https://pnpm.io/) (version 10+ recommended)
+- [pnpm](https://pnpm.io/) v11 — the repository pins the exact version via the `packageManager` field in the root `package.json`, so the simplest setup is to run `corepack enable` (Corepack ships with Node.js) and let it provision the matching pnpm automatically
 - Git
 
 **Required Services:**

package.json

@@ -4,6 +4,7 @@
     "description": "TestPlanIt monorepo",
     "author": "Brad DerManouelian",
     "license": "ISC",
+    "packageManager": "pnpm@11.5.0",
     "scripts": {
         "changeset": "changeset",
         "changeset:version": "changeset version",
@@ -15,105 +16,5 @@
         "@changesets/changelog-github": "^0.5.2",
         "@changesets/cli": "^2.30.0",
         "vite": "^7.3.2"
-    },
-    "pnpm": {
-        "onlyBuiltDependencies": [
-            "@forge/cli",
-            "@parcel/watcher",
-            "@prisma/client",
-            "@prisma/engines",
-            "@scarf/scarf",
-            "@swc/core",
-            "@tree-sitter-grammars/tree-sitter-yaml",
-            "aws-sdk",
-            "bcrypt",
-            "canvas",
-            "cloudflared",
-            "core-js",
-            "core-js-pure",
-            "esbuild",
-            "keytar",
-            "msgpackr-extract",
-            "msw",
-            "prisma",
-            "sharp",
-            "tree-sitter",
-            "tree-sitter-json",
-            "unrs-resolver",
-            "zenstack"
-        ],
-        "overrides": {
-            "csstype": "^3.2.0",
-            "postcss": "^8.5.10",
-            "@csstools/css-syntax-patches-for-csstree": "^1.0.20",
-            "form-data": "^4.0.4",
-            "validator": "^13.15.22",
-            "js-yaml": "^4.1.1",
-            "gray-matter>js-yaml": "^3.14.1",
-            "read-yaml-file>js-yaml": "^3.14.1",
-            "tmp": "^0.2.6",
-            "mdast-util-to-hast": "^13.2.1",
-            "content-security-policy-parser": "^0.6.0",
-            "webpack-dev-server": "^5.2.4",
-            "@sentry/browser": "^7.119.1",
-            "pdfjs-dist": "^4.2.67",
-            "nth-check": "^2.0.1",
-            "dompurify": "^3.3.2",
-            "path-to-regexp": "^3.3.0",
-            "prismjs": "^1.30.0",
-            "systeminformation": "^5.31.1",
-            "qs": ">=6.15.2",
-            "brace-expansion@5": ">=5.0.6",
-            "ws@8": ">=8.20.1",
-            "@modelcontextprotocol/sdk": ">=1.26.0",
-            "preact": ">=10.28.2",
-            "@remix-run/router": ">=1.23.2",
-            "hono": ">=4.12.18",
-            "@hono/node-server": "1.19.13",
-            "vite": "7.3.2",
-            "basic-ftp": ">=5.3.1",
-            "fast-uri": ">=3.1.2",
-            "fast-xml-builder": ">=1.1.7",
-            "ip-address": ">=10.1.1",
-            "icu-minify": ">=4.9.2",
-            "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
-            "nodemailer": ">=8.0.5",
-            "cheerio": ">=1.0.0",
-            "ioredis": "5.10.1",
-            "lodash": ">=4.18.0",
-            "lodash-es": ">=4.18.0",
-            "undici": "^7.24.7",
-            "diff": ">=8.0.3",
-            "fast-xml-parser": ">=5.5.7",
-            "uuid": ">=14.0.0",
-            "esbuild": ">=0.25.0",
-            "webpack": ">=5.104.1",
-            "webpackbar": ">=7.0.0",
-            "markdown-it": ">=14.1.1",
-            "ajv": ">=8.18.0",
-            "eslint>ajv": "^6.14.0",
-            "@eslint/eslintrc>ajv": "^6.14.0",
-            "schema-utils@2>ajv": "^6.14.0",
-            "schema-utils@2>ajv-keywords": "^3.5.2",
-            "schema-utils@3>ajv": "^6.14.0",
-            "schema-utils@3>ajv-keywords": "^3.5.2",
-            "svgo": ">=3.3.3",
-            "minimatch@3": "^3.1.4",
-            "minimatch@5": ">=5.1.8",
-            "minimatch@7": ">=7.4.7",
-            "minimatch@9": ">=9.0.6",
-            "minimatch@10": ">=10.2.3",
-            "node-forge": ">=1.3.2",
-            "tar-fs@2": ">=2.1.4",
-            "glob@10": ">=10.5.0",
-            "bn.js": "5.2.3",
-            "serialize-javascript": ">=7.0.5",
-            "flatted": ">=3.4.0",
-            "picomatch@4": ">=4.0.4",
-            "smol-toml": ">=1.6.1",
-            "yaml@1": ">=1.10.3",
-            "yaml@2": ">=2.8.3",
-            "defu": ">=6.1.5"
-        }
     }
-}
+}