Fixed broken pnpm/action-setup pin in workflows#133
Conversation
The pinned digest ac6db6d3c1f721f886538a378a2d73e85697340a no longer resolves as a commit upstream (GitHub returns HTTP 422), so every job using pnpm/action-setup fails at action resolution. It turned out to be the annotated tag object SHA of the v6 tag rather than a commit SHA, which GitHub Actions cannot resolve. Replaced it with 0e279bb959325dab635dd2c09392533439d90093, the verified commit the current v6/v6.0.8 tag points to. Discovered by CodeRabbit during the monorepo pnpm migration in TryGhost/Themes#529.
|
Warning Review limit reached
More reviews will be available in 10 minutes and 9 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
The committed `assets/built/index.js` was produced by the development build (`rollup --environment BUILD:development`): it began with the livereload script-injection snippet, which every site using the Starter theme shipped to visitors — attempting to load a livereload server from the visiting host on port 35729. Rebuilt with `pnpm build` (production mode), which drops the livereload plugin and bundles only the theme code. Verified the rebuild is deterministic and gscan reports no errors (4 pre-existing warnings unrelated to this change). Found while fixing the pnpm action pin (#133).
1 participant
Summary
pnpm/action-setuppinac6db6d3c1f721f886538a378a2d73e85697340awith0e279bb959325dab635dd2c09392533439d90093in.github/workflows/test.ymland.github/workflows/deploy-theme.yml.v6tag, not a commit SHA — GitHub Actions can only resolve commit SHAs. The replacement is the verified commit the currentv6/v6.0.8tag points to.bestzipscript uses explicit include globs (assets/* partials/* members/* *.hbs package.json) that cannot matchpnpm-workspace.yaml, so no zip change is needed.Verification
gh api repos/pnpm/action-setup/commits/ac6db6d...→ HTTP 422 (confirmed broken);.../commits/0e279bb...resolves;git/tags/ac6db6d...dereferences to commit0e279bb...(v6).pnpm install --frozen-lockfile→ up to date.pnpm zipthenunzip -l ghost-starter-theme.zip | grep -i 'pnpm\|workspace'→ no matches; zip contains only theme assets, templates, andpackage.json(47 files).pnpm test:ci(gscan fatal/verbose) → no fatal compatibility issues.Ref: TryGhost/Themes#529