When pull-request.yml contains
- name: Setup pnpm
uses: pnpm/action-setup@v3
with:
version: 9
The build and push action still installed an unpinned pnpm version. Not actually sure what it is since only npm is logged, but the ci had different behavior than local as a result (CI did the supply chain policy check when local didn't)
[44](https://github.com/satisfactorymodding/Documentation/actions/runs/26487807585/job/77998977322#step:6:250)
#13 [build 3/8] RUN npm install -g pnpm
#13 1.313
#13 1.313 added 1 package in 1s
#13 1.313
#13 1.314 1 package is looking for funding
#13 1.314 run `npm fund` for details
#13 1.316 npm notice
#13 1.316 npm notice New minor version of npm available! 11.13.0 -> 11.15.0
#13 1.316 npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.15.0
#13 1.316 npm notice To update run: npm install -g npm@11.15.0
#13 1.316 npm notice
#13 DONE 1.4s
#16 [build 6/8] RUN pnpm install
#16 0.907 ? Verifying lockfile against supply-chain policies (499 entries)...
#16 2.594 ✗ Lockfile failed supply-chain policy check (499 entries in 1.6s)
When
pull-request.ymlcontainsThe build and push action still installed an unpinned pnpm version. Not actually sure what it is since only
npmis logged, but the ci had different behavior than local as a result (CI did the supply chain policy check when local didn't)