Pull request overview
This pull request adds documentation for using pnpm as a Node.js package manager in GitHub Actions workflows. The PR addresses the lack of examples for pnpm, which has become one of the top package managers for Node.js. The new example demonstrates how to set up pnpm caching in GitHub Actions, including steps for checking out code, setting up Node.js, installing pnpm, getting the pnpm store directory, configuring cache, and installing dependencies.
Changes:
- Added a new "Node - pnpm" section with a complete workflow example for caching pnpm dependencies
- Updated the table of contents to include the new pnpm section
Comments suppressed due to low confidence (2)
examples.md:413
- This should be a level 2 heading (##) instead of level 3 (###) to match the pattern used for other package manager examples. All other Node.js package manager sections (Node - npm, Node - Lerna, Node - Yarn, Node - Yarn 2) use ## headings at line 331, 368, 378, and 395 respectively.
### Node - pnpm
examples.md:433
- This should use actions/cache@v5 instead of v4 to be consistent with the rest of the examples in this file. All other examples use v5 (see lines 49, 59, 71, 83, 100, 112, 126, 137, 150, 161, 172, 183, 195, 210, 223, 236, 252, 267, 274, 286, 295, 309, 323, 359, 372, 386, and 404).
- uses: actions/cache@v4
| - uses: pnpm/action-setup@v4 | ||
| with: | ||
| version: 10 |
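Review bot: `version: 10` in the pnpm/action-setup step is hard-coded with no explanation; add a short comment on that line telling readers to set it to the pnpm major version their own project uses, since copying the example verbatim installs pnpm 10 regardless of what the project expects.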
The example uses third-party GitHub Action pnpm/action-setup@v4 pinned only to a mutable tag, which introduces a supply chain risk: if the v4 tag is ever compromised or retagged, this workflow could execute attacker-controlled code with access to repository contents and secrets. To reduce this risk, pin third-party actions to immutable commit SHAs (optionally documenting the tag in a comment) and regularly update the pinned SHA as needed.
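A defender-side check for the pinning issue raised in this comment, added here as an example that is not part of the PR or the actions/cache repository: it scans workflow text for `uses:` references that resolve through a mutable tag or branch instead of a full 40-hex commit SHA. The sample workflow and the SHA in it are constructed placeholders.

```python
import re
from typing import List, Set, Tuple

# Constructed sample workflow modelled on the pnpm example under review; the
# 40-hex SHA on the cache step is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: 20
  - uses: pnpm/action-setup@v4
    with:
      version: 10
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # v5 (placeholder SHA)
  - run: pnpm install
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str, trusted_owners: Set[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (line number, reference) for each `uses:` step whose ref is not a full commit SHA.

    Tags and branches (v4, main) are mutable, so a retag or a compromised release
    changes what the workflow executes; a 40-hex SHA is immutable.
    Local actions (./path) and docker:// images are skipped because they are not
    resolved through a git tag. Owners listed in `trusted_owners` are skipped too,
    e.g. {"actions"} to report only third-party actions.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        if repo.split("/")[0] in trusted_owners:
            continue
        if not FULL_SHA_RE.match(version):  # no "@" at all, a tag, or a branch
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```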
Description
This pull request adds documentation for using pnpm as a Node.js package manager in GitHub Actions workflows. The main update is the inclusion of a new example in the examples.md file, showing how to set up caching for pnpm dependencies.
Documentation updates:
- Updated examples.md with a step-by-step example for caching pnpm dependencies in GitHub Actions workflows, including setup and cache configuration.
- Updated examples.md to include the new "Node - pnpm" section.
Motivation and Context
Lack of examples for pnpm which is now one of the top package managers for Node