Skip to content

chore: migrate to pnpm and enable minimum release age#2429

Open
B4nan wants to merge 8 commits intomasterfrom
chore/migrate-to-pnpm
Open

chore: migrate to pnpm and enable minimum release age#2429
B4nan wants to merge 8 commits intomasterfrom
chore/migrate-to-pnpm

Conversation

@B4nan
Copy link
Copy Markdown
Member

@B4nan B4nan commented Apr 14, 2026

Summary

Migrates apify-docs from npm to pnpm (10.24.0) as part of the org-wide supply-chain hardening effort, mirroring the setup already in place for apify-client-js and apify-shared-js.

Alongside the package manager switch this introduces a minimum release age window for renovate updates so supply-chain attacks on transitive dependencies are less likely to land in a green CI run.

Changes

Workspace / package manager

  • packageManager -> pnpm@10.24.0 in root package.json; workspaces field dropped in favor of pnpm-workspace.yaml (still containing only apify-docs-theme).
  • Root scripts rewritten to call pnpm X / pnpm exec instead of npm run X / npx.
  • New .npmrc with node-linker=hoisted, link-workspace-packages=true, prefer-workspace-packages=true, public-hoist-pattern[]=* (existing legacy-peer-deps=true preserved).
  • New pnpm-workspace.yaml with minimumReleaseAge: 1440 and minimumReleaseAgeExclude for @apify/* and @crawlee/*.
  • package-lock.json replaced by pnpm-lock.yaml.

Renovate

  • Added minimumReleaseAge: "1 day" and internalChecksFilter: "strict".
  • New packageRules entry exempting @apify/* and @crawlee/* from the delay.
  • Removed the old constraints: { npm: "^9.0.0" } block.

CI composite action

  • Copied .github/actions/pnpm-install/action.yml verbatim from apify-client-js (swap space, pnpm/action-setup@v4.1.0, monthly-rotated store cache keyed on pnpm-lock.yaml, pnpm install --frozen-lockfile --prefer-offline).

Workflows (6 of 13 updated, 7 left untouched)

  • Updated to use the composite action plus pnpm / pnpm exec:
    • docs.yaml - GitHub Pages deploy.
    • lychee.yml - nightly link checker (also builds the site).
    • openapi-ci.yaml - OpenAPI lint/build/validate (3 jobs).
    • publish-to-npm.yaml - theme publish now uses pnpm publish --no-git-checks and pnpm version patch; npm show and npm pkg set kept for registry lookups and direct manifest edits.
    • test-academy.yml - monthly Bats run.
    • test.yaml - build + nginx header assertions + markdown/code lint (3 jobs).
  • Removed cache: 'npm' / cache-dependency-path, the leftover corepack enable steps, and the npm ci --force / npm install calls in those workflows.
  • Left untouched because they do not install Node dependencies: actions-checks.yaml, bump-openapi-version.yaml, check-pr-title.yaml, deploy-nginx.yml, pr-previews.yaml, spell-check.yaml, vale.yaml.

Notes

  • docusaurus.config.js keeps future.experimental_faster; the future.faster rename only lands in Docusaurus 3.10 and this repo is still on 3.9.2.
  • Verified locally: pnpm install --frozen-lockfile, pnpm build, and pnpm lint:code all pass.

🤖 Generated with Claude Code

@github-actions github-actions Bot added this to the 138th sprint - Tooling team milestone Apr 14, 2026
@github-actions github-actions Bot added the t-tooling Issues with this label are in the ownership of the tooling team. label Apr 14, 2026
@B4nan B4nan added the adhoc Ad-hoc unplanned task added during the sprint. label Apr 14, 2026
@B4nan B4nan force-pushed the chore/migrate-to-pnpm branch from 7ec245d to 22f3a6a Compare April 15, 2026 12:18
@B4nan B4nan marked this pull request as ready for review April 15, 2026 13:41
@B4nan B4nan force-pushed the chore/migrate-to-pnpm branch from b899ab2 to 2420e79 Compare April 20, 2026 12:55
B4nan and others added 7 commits April 29, 2026 10:48
@B4nan @claude
chore: migrate to pnpm and enable minimum release age
8cc7462 
Part of the org-wide supply-chain hardening effort. Migrates the repo
from npm to pnpm (10.24.0) and introduces a minimum release age window
for renovate updates, mirroring the setup in apify-client-js.

Workspace / package manager
- Set `packageManager` to `pnpm@10.24.0` in root package.json.
- Drop the `workspaces` field from package.json; moved to
  pnpm-workspace.yaml (`apify-docs-theme`).
- Replace `npm run X` / `npx` with `pnpm X` / `pnpm exec` in root scripts.
- Add `.npmrc` (node-linker=hoisted, link-workspace-packages,
  prefer-workspace-packages, public-hoist-pattern, legacy-peer-deps).
- Add `pnpm-workspace.yaml` with `minimumReleaseAge: 1440` and exclude
  `@apify/*` and `@crawlee/*`.
- Replace `package-lock.json` with `pnpm-lock.yaml`.

Renovate
- Add `minimumReleaseAge: "1 day"` and `internalChecksFilter: strict`.
- Add packageRule exempting `@apify/*` and `@crawlee/*` from the delay.
- Remove the old `constraints: { npm: ^9.0.0 }` block.

CI composite action
- Copy `.github/actions/pnpm-install` from apify-client-js verbatim
  (pnpm/action-setup + pnpm store cache keyed on pnpm-lock.yaml).

Workflows (6 of 13 touched; 7 left as-is)
- Updated to use `./.github/actions/pnpm-install` and `pnpm`/`pnpm exec`:
  - `docs.yaml` (GitHub Pages deploy)
  - `lychee.yml` (nightly link checker; also builds the site)
  - `openapi-ci.yaml` (lint/build/validate OpenAPI, 3 jobs)
  - `publish-to-npm.yaml` (theme publish: `pnpm publish --no-git-checks`,
    keep `npm show`/`npm pkg set` for registry lookups, theme bump now
    uses `pnpm version patch`)
  - `test-academy.yml` (monthly bats run)
  - `test.yaml` (build + nginx assertions + markdown/code lint)
- Removed `cache: 'npm'` / `cache-dependency-path`, the stray
  `corepack enable` steps, and the `npm ci --force` / `npm install`
  calls in favor of the composite action.
- Left untouched (no Node dep install): `actions-checks.yaml`,
  `bump-openapi-version.yaml`, `check-pr-title.yaml`, `deploy-nginx.yml`,
  `pr-previews.yaml`, `spell-check.yaml`, `vale.yaml`.

Notes
- `docusaurus.config.js` still uses `future.experimental_faster` because
  this repo is on Docusaurus 3.9.2; the `future.faster` rename only
  lands in 3.10.
- Local `pnpm install --frozen-lockfile` + `pnpm build` + `pnpm lint:code`
  pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@B4nan
ci: use shared apify/workflows/pnpm-install action
f04d3d3 
Replaces the local .github/actions/pnpm-install composite copy
with the shared one from apify/workflows@main. Identical behavior,
less duplication.
@B4nan
chore: whitelist internal apify-client/apify/crawlee/got-scraping fro…
aa47e50 
…m release-age gate
@B4nan
chore: move pnpm config from .npmrc to pnpm-workspace.yaml
c2355cc 
Silences npm warnings about unknown options like node-linker; pnpm
reads the same keys from pnpm-workspace.yaml in camelCase form.
@B4nan
chore: add devEngines + .yarn to .gitignore
9db097b
@B4nan @claude
chore: sync renovate allowlist with pnpm-workspace exclusions
8f000c1 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@B4nan
chore: replace devEngines with only-allow preinstall
b6cc08d 
devEngines.packageManager breaks pnpm commands that delegate to npm
(pnpm version, pnpm pkg set, etc). Use the battle-tested only-allow
approach instead (same as Vite, Vue, Astro).
@B4nan B4nan force-pushed the chore/migrate-to-pnpm branch from 2420e79 to 6315822 Compare April 29, 2026 08:52
@B4nan @claude
ci: rebase before release push in EndBug steps
aa502b3 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@B4nan B4nan force-pushed the chore/migrate-to-pnpm branch from 6315822 to aa502b3 Compare April 29, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@B4nan B4nan

Labels

adhoc Ad-hoc unplanned task added during the sprint. t-tooling Issues with this label are in the ownership of the tooling team.

Projects

None yet

Milestone

138th sprint - Tooling team

Development

Successfully merging this pull request may close these issues.

2 participants

@B4nan @apify-service-account