From 261df2188559487c0c12ecfd87b237e4e5100b00 Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 14:22:13 +0800 Subject: [PATCH 1/2] Renovate: wait out pnpm's minimum-release-age cooldown pnpm 11 enforces a 1-day supply-chain minimum-release-age on `pnpm install --frozen-lockfile`, but Renovate (config:recommended) proposes updates the day a version is published, so the too-new lockfile entry fails CI with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION (e.g. #40 bumping wrangler). Set minimumReleaseAge to 3 days (clears the 1-day floor with margin) with internalChecksFilter=strict, so Renovate holds an update until it has aged past the cooldown instead of opening a PR that can only fail. --- renovate.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 5db72dd..8d18ac9 100644 --- a/renovate.json +++ b/renovate.json @@ -2,5 +2,10 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended" - ] + ], + "description": [ + "minimumReleaseAge keeps Renovate from proposing a version newer than pnpm's minimum-release-age cooldown. pnpm 11 enforces a 1-day supply-chain policy on `pnpm install --frozen-lockfile`, so a same-day bump writes a too-new lockfile entry and CI fails with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION. 3 days clears the 1-day floor with margin. internalChecksFilter=strict holds such an update until it ages in, instead of opening a red PR." + ], + "minimumReleaseAge": "3 days", + "internalChecksFilter": "strict" } From c4c19d1015fca0f673254b0bbcb01e17a19e5285 Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 15:30:38 +0800 Subject: [PATCH 2/2] Renovate: flag bundle-affecting deps for a manual bundle rebuild nanotar (bundled) and esbuild (the bundler) compile into the committed publish-action bundle, which an external repo consumes by ref. Renovate can't rebuild it here (Mend-hosted, no push token), so label + PR-note bumps to those two so the dist is rebuilt (`pnpm build:action`) before merge. The CI "Verify action bundle" check remains the backstop for any missed dep. --- renovate.json | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 8d18ac9..98f54fb 100644 --- a/renovate.json +++ b/renovate.json @@ -7,5 +7,22 @@ "minimumReleaseAge keeps Renovate from proposing a version newer than pnpm's minimum-release-age cooldown. pnpm 11 enforces a 1-day supply-chain policy on `pnpm install --frozen-lockfile`, so a same-day bump writes a too-new lockfile entry and CI fails with ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION. 3 days clears the 1-day floor with margin. internalChecksFilter=strict holds such an update until it ages in, instead of opening a red PR." ], "minimumReleaseAge": "3 days", - "internalChecksFilter": "strict" + "internalChecksFilter": "strict", + "packageRules": [ + { + "description": [ + "nanotar (bundled) and esbuild (the bundler) are compiled into the committed publish-action bundle (.github/actions/publish-preview/dist), which CI rebuilds and diff-checks. A bump to either needs `pnpm build:action` re-run and the dist re-committed, so flag those PRs; the 'Verify action bundle' CI check is the backstop for anything else." + ], + "matchPackageNames": [ + "nanotar", + "esbuild" + ], + "addLabels": [ + "needs-bundle-rebuild" + ], + "prBodyNotes": [ + "⚠️ This dependency is compiled into the committed publish-action bundle. Run `pnpm build:action` and commit `.github/actions/publish-preview/dist` on this branch, or the \"Verify action bundle\" CI check will fail." + ] + } + ] }