Merge pull request #157 from cryptomator/feature/use-pnpm

Feature: Migrate to pnpm

Author: infeo

.github/dependabot.yml

@@ -1,9 +1,36 @@
 version: 2
+
+# Private registry for Font Awesome Pro so Dependabot can resolve
+# @awesome.me/* metadata. The token is a Dependabot secret (separate
+# from Actions secrets), configured in repo settings.
+registries:
+  fontawesome:
+    type: npm-registry
+    url: https://npm.fontawesome.com
+    token: ${{secrets.FONTAWESOME_AUTH_TOKEN}}
+
 updates:
-  - package-ecosystem: "github-actions"
-    directory: "/"
+  - package-ecosystem: npm
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: monthly
+    open-pull-requests-limit: 5
+    registries:
+      - fontawesome
+    # Matches the pnpm minimumReleaseAge in pnpm-workspace.yaml so
+    # Dependabot does not propose versions pnpm would refuse to install.
+    cooldown:
+      default-days: 3
+    groups:
+      minor-and-patch:
+        update-types:
+          - minor
+          - patch
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
     groups:
       github-actions:
         patterns:

.github/workflows/gh-pages.yml

@@ -19,18 +19,18 @@ jobs:
       with:
         hugo-version: '0.148.1'
         extended: true
+    - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
     - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 22
-        cache: 'npm'
-        cache-dependency-path: package-lock.json
-        registry-url: 'https://npm.fontawesome.com/'
-    - name: NPM install
-      run: |
-        npm config set "@awesome.me:registry" https://npm.fontawesome.com/
-        npm ci --ignore-scripts
+        cache: 'pnpm'
+        cache-dependency-path: pnpm-lock.yaml
+    - name: Check lockfile
+      run: bash scripts/check-lockfile.sh
+    - name: Install dependencies
+      run: pnpm install --frozen-lockfile
       env:
-        NODE_AUTH_TOKEN: ${{ secrets.FONTAWESOME_AUTH_TOKEN }}
+        FONTAWESOME_AUTH_TOKEN: ${{ secrets.FONTAWESOME_AUTH_TOKEN }}
     - name: Build production
       run: hugo --minify --destination public/prod
     - name: Build staging

.gitignore

@@ -3,3 +3,4 @@ node_modules/
 public/
 *.DS_Store
 .hugo_build.lock
+package-lock.json

.npmrc

@@ -0,0 +1,2 @@
+@awesome.me:registry=https://npm.fontawesome.com/
+//npm.fontawesome.com/:_authToken=${FONTAWESOME_AUTH_TOKEN}

README.md

@@ -2,15 +2,28 @@
 
 # Usage
 ## Requirements
+* pnpm
 * Hugo
-* Font Awesome Pro `npm config set "@awesome.me:registry" https://npm.fontawesome.com/ && npm config set "//npm.fontawesome.com/:_authToken" TOKEN`
+* Font Awesome Pro auth token, stored in the `FONTAWESOME_AUTH_TOKEN` environment
+  variable
 
 ## Building
-1. `npm install`
+
+The `packageManager` field in `package.json` pins the pnpm version;
+enable Corepack (`corepack enable`) once on your machine and it will
+auto-provision the right pnpm release on first use.
+
+1. `pnpm install`
 1. run hugo
-  * for production builds simply run `npm run build`
-  * for local development run `npm run dev`
-  * for local production tests `npm run serve`
+  * for production builds simply run `pnpm build`
+  * for local development run `pnpm dev`
+  * for local production tests `pnpm serve`
+
+### Update policy
+
+Due to supply chain attacks, brand-new dependency upgrades are held back until the set cooldown in `pnpm-workspace.yaml` elapses. For an urgent exemption, add the package to `minimumReleaseAgeExclude`.
+
+Routine upgrades land via Dependabot PRs (see `.github/dependabot.yml`); don't run `pnpm up --latest` on `develop` or `main` — review the Dependabot PR or open a PR with explicit version pins.
 
 ## Optional Dependencies for Size Optimizations