Use CI-appropriate package manager commands (npm ci, etc.) #396
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Changes the frontend action to use CI-optimized commands that automatically fail if lock files are out of sync with package.json: - npm: Use 'npm ci' instead of 'npm install' - pnpm: Use 'pnpm install --frozen-lockfile' - yarn: Use 'yarn install --frozen-lockfile' Benefits: - Faster installs (skips dependency resolution) - Stricter checks (fails on lock file drift automatically) - Cleaner installs (npm ci removes node_modules first) - CI best practice (using commands designed for CI) This prevents silent dependency changes and ensures consistent builds across all environments without requiring a separate drift check step.
github-project-automation
bot
moved this to 📬 Triage
in Plugins Platform / Grafana Community
|
|
grafana-plugins-platform-bot
bot
moved this from 📬 Triage
to 🔬 In review
in Plugins Platform / Grafana Community
Author
|
Gonna close this. the drift was just in Metadata updates like "peer": true" or engine requirements , not a real incompatibility I think |
github-project-automation
bot
moved this from 🔬 In review
to 🚀 Shipped
in Plugins Platform / Grafana Community
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Warning⚠️ - developed by a GenAI agent
I (Sam) didn't write this code, nor this PR description! But I did get here from experiencing the issue myself, on a datasource I've been working on where Renovate has been making PRs. Each of those PRs was passing CI when I merged them, and yet I found drift on my
package-lock.jsonfile today.What this PR does
This PR updates the frontend action to use CI-appropriate package manager commands that automatically enforce lock file consistency.
Changes
Updates
actions/internal/plugins/frontend/pm.shto use CI-optimized install commands:npm ciinstead ofnpm installpnpm install --frozen-lockfileyarn install --frozen-lockfileWhy this is needed
Currently, CI runs standard install commands (
npm install, etc.) which don't fail if lock files are out of sync withpackage.json. This can allow drift to slip through, causing:Benefits of this approach
package.jsonnpm ciremovesnode_modulesfirst for a fresh installTesting
The CI-appropriate commands are well-established best practices:
npm cihas been the recommended CI command since npm 5.7.0 (2018)--frozen-lockfileis the standard flag for pnpm and yarn in CIThis change should be backward compatible - existing plugins will see faster, stricter installs.
Draft Status
Opening as draft to gather feedback on this approach before merging.