
ci(cli): avoid disallowed pnpm action pin #44

Merged: luanvdw merged 2 commits into main from ops/cli-release-flow-actions-policy on May 27, 2026

Conversation

@luanvdw
Member

@luanvdw luanvdw commented May 27, 2026

Summary

  • remove the pinned third-party pnpm/action-setup usage that violates the repo Actions allowlist
  • install pnpm with Corepack inside the workflow instead
  • keep GitHub-owned actions pinned and checkout credential persistence disabled

Why

The main push publish run failed at workflow startup because the enterprise policy allows pnpm/action-setup@v5, but not pnpm/action-setup pinned by commit SHA.

Validation

  • workflow YAML parse
  • git diff --check

@coderabbitai

coderabbitai Bot commented May 27, 2026

Review Change Stack

Warning

Review limit reached

@luanvdw, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 33 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 358ab4d3-7178-441e-97df-0e311958a92e

📥 Commits

Reviewing files that changed from the base of the PR and between 7fe9200 and 09c4c19.

📒 Files selected for processing (2)
  • .github/workflows/preview-cli-package.yml
  • .github/workflows/publish-cli.yml

Walkthrough

This PR migrates GitHub Actions workflows from the pnpm/action-setup action to explicit Corepack-based pnpm setup commands. The preview and publish CLI workflows now enable Corepack and activate a pinned pnpm version (10.30.0) directly after Node setup, removing the external action dependency.

Changes

Corepack-based pnpm setup migration

Layer: Corepack-based pnpm setup across CI workflows
File(s): .github/workflows/preview-cli-package.yml, .github/workflows/publish-cli.yml
Summary: Preview workflow and both publish jobs (publish-dev, publish-official) replace pnpm/action-setup with corepack enable and corepack prepare pnpm@10.30.0 --activate, pinning the pnpm version and removing the external action dependency.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 5 passed

  • Title check: ✅ Passed. The title clearly and specifically addresses the main change: removing the disallowed pinned pnpm action in CI workflows.
  • Description check: ✅ Passed. The description is directly related to the changeset, explaining the rationale for replacing pnpm/action-setup with Corepack-based pnpm installation due to enterprise policy constraints.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/preview-cli-package.yml:
- Around line 32-35: The workflow step named "Enable pnpm" currently hardcodes
corepack prepare pnpm@10.30.0; change it to extract the pnpm version from
package.json's packageManager field at runtime and use that value when calling
corepack prepare (e.g., set a PNPM_VERSION variable by parsing
require('./package.json').packageManager and then call corepack prepare
"pnpm@${PNPM_VERSION}" --activate) so the CI always matches package.json and
removes the duplicated hardcoded version.
- Around line 28-30: Restore pnpm dependency caching by inserting a new GitHub
Actions step after the existing "Enable pnpm" step and before "Install
dependencies": add a step named like "Cache pnpm store" that uses
actions/cache@v4, caches the pnpm store path (commonly
~/.local/share/pnpm/store), and sets a cache key based on runner OS and hash of
pnpm-lock.yaml with appropriate restore-keys; ensure the step runs after pnpm is
activated (so the pnpm store path exists) and verify the exact store path using
`pnpm store path` if your environment differs.

In @.github/workflows/publish-cli.yml:
- Around line 32-40: Add a cache step to restore the pnpm store in both
publish-dev and publish-official jobs: after the existing "Enable pnpm" step and
before the "Install dependencies" step, insert a step named like "Cache pnpm
store" that uses actions/cache@v4 to cache the pnpm store path (verify with
`pnpm store path`) keyed by runner OS and the lockfile (e.g.,
hashFiles('pnpm-lock.yaml')) with a restore-keys prefix; this restores
dependency caching lost by activating pnpm via Corepack and speeds CI restores.
- Around line 37-40: The workflow hardcodes the pnpm version in the corepack
prepare step (corepack prepare pnpm@10.30.0 --activate), causing duplication and
drift; update both occurrences to derive the pnpm version from package.json's
packageManager field at runtime (use a node one-liner to read package.json,
extract the pnpm semver from packageManager, and pass it into corepack prepare)
so the CI uses the packageManager-declared pnpm version consistently across
jobs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9b971241-d1ad-4c4a-ad42-ffc94873d259

📥 Commits

Reviewing files that changed from the base of the PR and between 186d3f2 and 7fe9200.

📒 Files selected for processing (2)
  • .github/workflows/preview-cli-package.yml
  • .github/workflows/publish-cli.yml

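The reviewer's hardcoded-version findings on both workflow files ask for the pnpm version to come from package.json's packageManager field; the script below is an added example (not code from PR #44 or the repository) of doing that with a policy gate: it accepts only an exact pnpm version, rejects ranges or other managers before anything reaches a command line, and then lets Corepack activate the declared version itself. Function names are assumptions, and the package.json contents used in the checks are constructed.

```shell
#!/bin/sh
# Added example, not code from PR #44. Gate the CI "Enable pnpm" step on
# package.json's "packageManager" field instead of a second, hand-pinned
# version, so the workflow cannot drift from what the project declares.
set -eu

# Print the raw packageManager value from the given package.json.
# sed is used so this works before node/pnpm are guaranteed to be on PATH.
package_manager_field() {
  sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Validate the field: only "pnpm@X.Y.Z", optionally followed by Corepack's
# "+sha256." / "+sha512." integrity suffix. Ranges, other package managers
# or arbitrary text fail here, before any shell command is built from the
# value. Prints the bare version (X.Y.Z) on success.
pnpm_version_from_package_json() {
  spec=$(package_manager_field "$1")
  if [ -z "$spec" ]; then
    echo "error: $1 has no packageManager field" >&2
    return 1
  fi
  if ! printf '%s\n' "$spec" | grep -Eq '^pnpm@[0-9]+\.[0-9]+\.[0-9]+(\+sha(256|512)\.[A-Za-z0-9+/=]+)?$'; then
    echo "error: packageManager is not an exact pnpm version: $spec" >&2
    return 1
  fi
  version="${spec#pnpm@}"
  printf '%s\n' "${version%%+*}"
}

# Body of the workflow step. With no explicit spec, `corepack prepare` reads
# the packageManager field itself and verifies the integrity suffix when one
# is present, so the pin lives in exactly one place (assumed Corepack usage).
enable_pnpm_from_package_json() {
  file="${1:-package.json}"
  version=$(pnpm_version_from_package_json "$file") || return 1
  echo "Activating pnpm $version declared in $file"
  corepack enable
  corepack prepare --activate
}
```

In the workflow, the step would run `corepack enable` followed by `corepack prepare --activate` after the validation above, with the bare version also usable in a cache key for the pnpm store.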
@luanvdw luanvdw merged commit dd35c23 into main May 27, 2026
5 checks passed