Renovate: honor pnpm's minimum-release-age and flag bundle-affecting deps#46
Merged
Conversation
fengmk2
added a commit
that referenced
this pull request
Jul 1, 2026
Completes the bundle-freshness automation. Pairs with the `needs-bundle-rebuild` label (created) and the Renovate rule in #46. ## Flow 1. Renovate bumps a bundled dep (`nanotar`/`esbuild`) → adds the `needs-bundle-rebuild` label (#46's rule). 2. This workflow fires on `pull_request: labeled`, guarded to that label, rebuilds via `pnpm build:action`, and pushes the refreshed `.github/actions/publish-preview/dist` if it changed. 3. "Verify action bundle" re-runs on the pushed commit and passes. ## App token A push made with the default `GITHUB_TOKEN` does not re-trigger a PR's required checks (GitHub loop prevention). So it mints a GitHub App token first and checks out / pushes with it, matching the org convention (`actions/create-github-app-token`, `client-id: APP_ID` / `private-key: APP_PRIVATE_KEY`, same as vite-plus's `update-node-release-keys.yml`). Needs the `APP_ID` and `APP_PRIVATE_KEY` secrets available to this repo (org-level, or granted). The App needs `contents: write` on the repo. Same-repo PRs only (fork branches can't be pushed to; Renovate is same-repo).
pnpm 11 enforces a 1-day supply-chain minimum-release-age on `pnpm install --frozen-lockfile`, but Renovate (config:recommended) proposes updates the day a version is published, so the too-new lockfile entry fails CI with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION (e.g. #40 bumping wrangler). Set minimumReleaseAge to 3 days (clears the 1-day floor with margin) with internalChecksFilter=strict, so Renovate holds an update until it has aged past the cooldown instead of opening a PR that can only fail.
nanotar (bundled) and esbuild (the bundler) compile into the committed publish-action bundle, which an external repo consumes by ref. Renovate can't rebuild it here (Mend-hosted, no push token), so label + PR-note bumps to those two so the dist is rebuilt (`pnpm build:action`) before merge. The CI "Verify action bundle" check remains the backstop for any missed dep.
e1deceb to
c4c19d1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two Renovate config hardenings (same file).
1. Wait out pnpm's minimum-release-age cooldown
Renovate PRs like #40 fail CI at
pnpm install --frozen-lockfile:pnpm 11 enforces a 1-day supply-chain cooldown, but Renovate (
config:recommended) proposes bumps the same day a version publishes, so the lockfile entry is too new and the PR is dead on arrival.minimumReleaseAge: "3 days", clears pnpm's 1-day floor with margin.internalChecksFilter: "strict", holds a too-new update instead of opening a red PR.2. Flag deps compiled into the committed bundle
.github/actions/publish-preview/distis a committed artifact an external repo consumes by ref, so it must stay fresh. Only nanotar (bundled) and esbuild (the bundler) stale it. Renovate can't rebuild it here (Mend-hosted, no push token), so apackageRuleadds aneeds-bundle-rebuildlabel + a PR note telling the author to runpnpm build:actionand commit the dist. CI's "Verify action bundle" check stays the backstop for anything else.Config-only; no lockfile touched, so this PR's own CI is unaffected.