action-setup
action-setup copied to clipboard
pnpm
Action is not verified in Github Marketplace
My company has recently tightened up the security settings for Github actions and only allowing verified Github actions to be run as part of our Github workflows. Are there any plans to verify the pnpm/action-setup@v2 action on Github Marketplace?
Came here to ask for this. Have you considered becoming a verified creator on Github Marketplace? Due to corporate policy we're not allowed to use 3rd party Actions.
hmm... https://docs.github.com/en/apps/publishing-apps-to-github-marketplace/github-marketplace-overview/about-marketplace-badges#for-github-actions
I suppose there is always the workaround of npm i -g pnpm
I encountered the same problem due to policy on GitHub Action. Here's my workaround.
Workaround
Use actions/setup-node or other actions allowed in your repository and then run corepack commands to enable pnpm as the documentation states:
-
corepack enable -
corepack prepare pnpm@latest --activate
Notice
One Should note that corepack prepare doesn't support npm semver, so you can't specify version constraint and expect it to select the appropriate one. You can only specify version number or use tags such as latest-8.
The cache: pnpm option on actions/setup-node require pnpm to be present before setup, so in this case corepack cannot be used. I solved it using the following steps:
- name: Install pnpm
run: |
eval export $(echo PNPM_HOME=$HOME/.pnpm | tee -a $GITHUB_ENV);
echo "$PNPM_HOME" >> $GITHUB_PATH
curl -fsSL https://get.pnpm.io/install.sh | bash -
- name: Install node
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'pnpm'
- run: pnpm i --frozen-lockfile
