From 5ccb7aa7e34715f1031ce993e0c84a3d89aae0ff Mon Sep 17 00:00:00 2001 From: John McLear Date: Fri, 17 Apr 2026 13:45:03 +0100 Subject: [PATCH] ci: use --frozen-lockfile in the publish version bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The publish workflow ran a plain `pnpm i` before `pnpm version patch`. If the lockfile was even slightly out of sync with package.json (easy to happen when a dependency bump is merged via PR), that install updated pnpm-lock.yaml and left the working tree dirty. `pnpm version patch` silently declines to create a git tag in a dirty tree but still writes the new version into package.json, and the subsequent `git push --atomic vX.Y.Z` fails with: error: src refspec vX.Y.Z does not match any — blocking the publish. Using `--frozen-lockfile` keeps the tree clean; if the lockfile really is out of sync, the install fails loudly (which is what we want — the fix is to update the lockfile in a PR, not silently during publish). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/npmpublish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npmpublish.yml b/.github/workflows/npmpublish.yml index 34544a9..5b0abc9 100644 --- a/.github/workflows/npmpublish.yml +++ b/.github/workflows/npmpublish.yml @@ -59,7 +59,7 @@ jobs: [ "${NEW_COMMITS}" -gt 0 ] || exit 0 git config user.name 'github-actions[bot]' git config user.email '41898282+github-actions[bot]@users.noreply.github.com' - pnpm i + pnpm i --frozen-lockfile # `pnpm version patch` bumps package.json, makes a commit, and creates # a `v` tag. Capture the new tag name from package.json # rather than parsing pnpm's output, which has historically varied.
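Review bot: the hunk fixes the cause described in the commit message but still leaves `pnpm version patch` with no explicit guard against a dirty working tree, so any other step that modifies tracked files before the bump will reproduce the same silent no-tag failure at `git push`. Consider adding a check directly after the install and before the version bump, for example `[ -z "$(git status --porcelain)" ] || { echo "working tree dirty before version bump"; git status --short; exit 1; }`, so the job fails at the source with a readable diagnostic instead of with `src refspec vX.Y.Z does not match any`. Note also that `pnpm i --frozen-lockfile` only blocks the publish if a non-zero exit aborts the step; the surrounding script already relies on exit codes (`[ "${NEW_COMMITS}" -gt 0 ] || exit 0`), so if this step ever gets an explicit `shell:` that does not run with `-e`, the install line should carry its own `|| exit 1`.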