
Add pnpm fixture + test-pnpm integration job#9

Merged
TomHennen merged 5 commits into
mainfrom
claude/setup-npm-fixture-1h6Sv
May 14, 2026

Conversation

@TomHennen
Owner

Summary

Pairs with TomHennen/wrangle#212 (pnpm support in the npm build type). Adds an integration fixture that exercises wrangle's new pnpm path end-to-end: Corepack-driven pnpm activation, pnpm install --frozen-lockfile, pnpm pack, SBOM, hash computation, SLSA generic provenance, slsa-verifier verification.

The fixture reuses the existing @tomhennen/wrangle-integration-fixture package name from npm/ so no new Trusted Publisher registration is needed on npmjs.com. Build-only — publish coverage already comes from test-npm against the same package.

What's in the diff

  • pnpm/package.json — same package name as npm/, with packageManager: "pnpm@9.15.4" to pin Corepack's pnpm download deterministically. Single ms@^2.1.3 dependency (matches npm/ for parity).
  • pnpm/index.js — single-line module.exports = require('ms'), mirroring npm/index.js.
  • pnpm/pnpm-lock.yaml — pnpm lockfile v9.0 with ms@2.1.3 pinned by integrity hash. Generated locally with pnpm 9.15.4 against the same ms version npm/package-lock.json pins, so the pnpm path exercises the same bytes through a different package manager.
  • .github/workflows/test-wrangle.yml.template — adds a test-pnpm job after test-npm. No prep step (no per-run version bump because we don't publish from this job). Permissions match test-npm (slsa-github-generator demands them at startup even when the upload-assets job is gated off).
  • Stale-state sync (npm/package.json repository field, container-no-verify/ files) — this branch forked before c88dc12 / 0fb46a4 landed on main. Synced them in the first commit on this PR so the visible diff is just the pnpm work, not spurious reverts. Functionally a no-op against main.

Security review

  • Lockfile-faithful install. pnpm install --frozen-lockfile aborts on lockfile drift. The lockfile pins ms@2.1.3 with the npm registry's integrity hash; pnpm refuses to install if the resolved bytes don't match.
  • No scripts field in package.json. Nothing for --ignore-scripts to suppress, no lifecycle hooks to attest. The L3 attestation binds purely to source bytes.
  • files: ["index.js"] restricts what pnpm pack includes. No accidental inclusion of node_modules/, scripts, dotfiles, etc.
  • packageManager: "pnpm@9.15.4" — Corepack downloads pnpm from the npm registry on first activation and verifies it against the registry's signed metadata. Same trust chain as npm install. Bumping pnpm requires regenerating the lockfile.
  • No publish step in test-pnpm. No NPM_TOKEN, no OIDC handshake, no id-token: write consumption beyond what slsa-github-generator needs internally. Doubling up the publish from two jobs on the same package name in one run would race for the same --tag integration version — keeping it build-only is the safe shape.
  • No secrets: block on test-pnpm. Doesn't inherit caller secrets it doesn't need.
  • No ref: input. test-pnpm reads github.sha (the triggering commit) — pnpm/ isn't rewritten by any prep job, so we want the original triggering SHA, which is wrangle's npm reusable workflow default when ref is empty.
  • packageManager field is the only thing Corepack needs from the adopter. No pnpm .npmrc or environment overrides shipped. Means an adopter cloning this fixture as a template gets the same trust shape.

Test plan

  • CI on this PR (check-change scan): zizmor + osv clean.
  • Dispatch (manually or via the wrangle dispatch script) an integration run with this branch against wrangle's claude/v0.2-pnpm-support branch (= PR v0.2: pnpm support in npm build type (single-package only) wrangle#212) — confirm test-pnpm passes end-to-end.
  • Confirm test-pnpm skips publish (no publish-pnpm job exists) and the published @tomhennen/wrangle-integration-fixture@integration versions only come from publish-npm.

Related

https://claude.ai/code/session_01AqkojrFQsx5CgHGndN96E2


Generated by Claude Code
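The invariants listed under Security review (an exact packageManager pin, no scripts field, an explicit files allow-list, and every dependency resolved in the lockfile with an integrity hash) can be checked mechanically before the workflow ever runs. What follows is an added example of such a pre-flight check; it is not code from this repository or from wrangle. The embedded package.json and pnpm-lock.yaml are constructed to mirror the shapes described above (the sha512 value is a placeholder, not the registry's real hash for ms@2.1.3), and the names check_fixture and parse_lockfile are assumptions of this example.

```python
"""Shape checks for a pnpm integration fixture (added example, not the fixture's own code).

The sample package.json / pnpm-lock.yaml below are constructed; the sha512 integrity
value is a placeholder, not the npm registry's real hash for ms@2.1.3.
"""
import json
import re

GOOD_PACKAGE_JSON = json.dumps({
    "name": "@tomhennen/wrangle-integration-fixture",
    "version": "0.0.0",
    "main": "index.js",
    "files": ["index.js"],
    "packageManager": "pnpm@9.15.4",
    "dependencies": {"ms": "^2.1.3"},
})

GOOD_LOCKFILE = """\
lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      ms:
        specifier: ^2.1.3
        version: 2.1.3

packages:

  ms@2.1.3:
    resolution: {integrity: sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==}

snapshots:

  ms@2.1.3: {}
"""

# Constructed counter-example: range pin, a lifecycle hook, no files allow-list,
# an undeclared-in-lockfile dependency, and a lockfile entry stripped of its integrity.
BAD_PACKAGE_JSON = json.dumps({
    "name": "@tomhennen/wrangle-integration-fixture",
    "version": "0.0.0",
    "packageManager": "pnpm@^9",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {"ms": "^2.1.3", "left-pad": "^1.3.0"},
})
BAD_LOCKFILE = re.sub(r"\{integrity: [^}]*\}", "{}", GOOD_LOCKFILE)

PINNED_PM = re.compile(r"^pnpm@\d+\.\d+\.\d+$")          # exact version only, no ranges
PEER_SUFFIX = re.compile(r"\(.*\)$")                      # "2.1.3(peer@1.0.0)" -> "2.1.3"
IMPORTER_DEP = re.compile(r"^      (\S+):\s*$")           # dependency name under importers
IMPORTER_VER = re.compile(r"^        version:\s*(\S+)")   # its resolved version
PKG_KEY = re.compile(r"^  (\S+@[^:]+):\s*$")              # "  ms@2.1.3:" under packages
INTEGRITY = re.compile(r"integrity:\s*(sha(?:256|384|512)-[A-Za-z0-9+/=]+)")


def parse_lockfile(text):
    """Line-oriented reader for the parts of lockfile v9 this check needs.

    Returns (lockfileVersion, {dep name: resolved version}, {"name@version": integrity or None}).
    """
    version, importer_deps, packages = None, {}, {}
    section = cur_dep = cur_pkg = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^lockfileVersion:\s*'?([\d.]+)'?", line)
        if m:
            version = m.group(1)
        elif not line.startswith(" ") and line.endswith(":"):
            section, cur_dep, cur_pkg = line[:-1], None, None  # new top-level key
        elif section == "importers":
            if m := IMPORTER_DEP.match(line):
                cur_dep = m.group(1).strip("'\"")
            elif (m := IMPORTER_VER.match(line)) and cur_dep:
                importer_deps[cur_dep] = m.group(1)
        elif section == "packages":
            if m := PKG_KEY.match(line):
                cur_pkg = m.group(1).strip("'\"")
                packages[cur_pkg] = None
            elif (m := INTEGRITY.search(line)) and cur_pkg:
                packages[cur_pkg] = m.group(1)
    return version, importer_deps, packages


def check_fixture(package_json, lockfile):
    """Return a list of findings; an empty list means the fixture has the intended shape."""
    findings = []
    pkg = json.loads(package_json)

    pm = pkg.get("packageManager", "")
    if not PINNED_PM.match(pm):
        findings.append(f"packageManager must pin an exact pnpm version, got {pm!r}")
    if pkg.get("scripts"):
        findings.append("lifecycle scripts present: " + ", ".join(sorted(pkg["scripts"])))
    files = pkg.get("files")
    if not files or any("*" in f or f.startswith("node_modules") for f in files):
        findings.append(f"files must be an explicit allow-list, got {files!r}")

    version, importer_deps, packages = parse_lockfile(lockfile)
    if version != "9.0":
        findings.append(f"expected lockfileVersion 9.0, got {version!r}")
    for name in pkg.get("dependencies", {}):
        resolved = importer_deps.get(name)
        if resolved is None:
            findings.append(f"{name} is in package.json but not in the lockfile importers")
            continue
        key = f"{name}@{PEER_SUFFIX.sub('', resolved)}"
        if key not in packages:
            findings.append(f"{key} is missing from the lockfile packages section")
        elif not packages[key]:
            findings.append(f"{key} has no integrity hash, so --frozen-lockfile cannot verify its bytes")
    return findings


if __name__ == "__main__":
    for label, pj, lf in (("good", GOOD_PACKAGE_JSON, GOOD_LOCKFILE),
                          ("bad", BAD_PACKAGE_JSON, BAD_LOCKFILE)):
        print(label, check_fixture(pj, lf) or "OK")
```

To run it against the real fixture, read pnpm/package.json and pnpm/pnpm-lock.yaml into the two string arguments. The lockfile reader deliberately avoids a YAML dependency and only understands the single-importer layout this fixture uses; a workspace with several importers would need the importer patterns widened rather than silently passing.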

TomHennen and others added 5 commits May 4, 2026 13:58
The npm fixture mirrors the existing python/ and container/ shape:
a single-package, no-dependency project that exercises wrangle's
build_and_publish_npm.yml end-to-end (build, SBOM, hash, gate,
provenance, verify). Publish is intentionally NOT wired up — npm
Trusted Publishing cannot mint a package's first version
(npm/cli#8544) and the trusted publisher needs to be registered on
npmjs.com first. Both are human-only bootstrap steps.

The package-lock.json is hand-written (lockfileVersion 3, no deps) so
no npm install is needed. The package name is the stable name we'll
eventually register Trusted Publishing against.

Without a dep, npm ci is a no-op and the syft SBOM only sees the
root package, so we're not actually exercising those code paths.
ms@2.1.3 is a stable, zero-transitive-dep, ~5KB pure-JS package
(no native code) — enough to make the SBOM meaningful and verify
npm ci installs from the lockfile, without dragging in a dep tree
that adds lockfile churn.

Lockfile generated by `npm install` (npm 10.9.7 / node v22.22.2).

Adds a parallel pnpm/ fixture exercising wrangle's pnpm tooling branch
end-to-end through build_and_publish_npm.yml: Corepack-driven pnpm
activation, `pnpm install --frozen-lockfile`, `pnpm pack`, SBOM, hash
computation, SLSA generic provenance, and slsa-verifier verification.

The pnpm fixture reuses the existing @tomhennen/wrangle-integration-fixture
package name so no new Trusted Publisher registration is needed on
npmjs.com. It's intentionally build-only — publish-to-npmjs.org is
already covered by test-npm via the same package name, and doing the
publish twice in one run would race on the `--tag integration`
version. Mirrors test-python-uv's "double up coverage on one fixture"
pattern (uv tooling + verify-opt-out on a single fixture).

The lockfile is generated by pnpm 9.15.4 against ms@2.1.3 — same
single zero-transitive-dep package as npm/, so the pnpm path
exercises the same SBOM/integrity machinery as the npm path. The
`packageManager` field pins the pnpm version Corepack activates
deterministically.

Pairs with TomHennen/wrangle#212 (pnpm support in the npm build type).

The npm/package.json on this branch is missing the repository field
added on main in c88dc12 (Trusted Publishing provenance check
requires it), and the container-no-verify/ fixture added on main in
0fb46a4 isn't here either. Both predate the pnpm work but were absent
because this branch forked before they landed.

Pushing main's current content for these paths avoids the pnpm PR
diff showing spurious "reverts" of those changes.

…ure-1h6Sv

# Conflicts:
#	.github/workflows/test-wrangle.yml.template
#	container-no-verify/app.sh
@TomHennen TomHennen merged commit 6e393a3 into main May 14, 2026
1 check passed
@TomHennen TomHennen deleted the claude/setup-npm-fixture-1h6Sv branch May 14, 2026 01:24
