Skip to content

chore(pacquet): wire pacquet workflows into monorepo#11635

Merged
zkochan merged 6 commits into
mainfrom
pacquet-flatten
May 14, 2026
Merged

chore(pacquet): wire pacquet workflows into monorepo#11635
zkochan merged 6 commits into
mainfrom
pacquet-flatten

Conversation

@zkochan

@zkochan zkochan commented May 14, 2026

Copy link
Copy Markdown
Member

Summary

Followup to #11632 (the pacquet history import). Makes the imported pacquet
workflows actually run, and moves the Rust workspace files out of
pacquet/ and up to the repo root so cargo / just / taplo behave
like the rest of the monorepo's tooling — invoked from the repo root, not
a nested subdir.

What moves to the repo root

  • Cargo workspace: Cargo.toml, Cargo.lock
  • Rust toolchain & lint configs: rust-toolchain.toml, rustfmt.toml, deny.toml, dylint.toml
  • TOML formatter / spell-check: .taplo.toml, .typos.toml
  • Cargo aliases: .cargo/config.toml
  • Recipes: justfile
  • Composite actions: .github/actions/rustup/, .github/actions/binstall/
  • 7 workflows: .github/workflows/pacquet-*.yml (prefixed to avoid the ci.yml collision)

What stays under pacquet/

crates/, tasks/, benchmark/, npm/, plans/, .githooks/, package.json,
pnpm-lock.yaml, docs (AGENTS.md, CLAUDE.md, GEMINI.md, README.md,
CONTRIBUTING.md, CODE_STYLE_GUIDE.md, LICENSE), .gitignore,
.editorconfig, .gitattributes, .devcontainer/.

Path rewrites required by the move

  • Cargo.toml workspace members: crates/*, tasks/*pacquet/crates/*, pacquet/tasks/*
  • Every path = "crates/..." in [workspace.dependencies]pacquet/...
  • justfile recipes install and install-hooks now point at pacquet/...
  • .taplo.toml include globs → pacquet/crates/*/*.toml, pacquet/tasks/*/*.toml
  • pacquet/npm/pacquet/scripts/generate-packages.mjs REPO_ROOT walks one more
    level up (../.. instead of ..)
  • Workflow paths: filters scoped to pacquet/** and the moved root configs so
    CI doesn't fire on every commit
  • Workflow hashFiles(...) and shell paths (tasks/..., npm/...) updated
  • .github/dependabot.yml (root) gains a cargo ecosystem entry, merged from
    pacquet's standalone dependabot.yml
  • .github/CODEOWNERS (root) already covers * @zkochan, so pacquet's copy is
    dropped. Pacquet's pull_request_template.md is dropped too — it referenced
    the standalone repo's roadmap, and GitHub only honors one template at the
    repo level.
  • Root .gitignore gains /target, /bench-work-env, .pacquet so the new
    cargo build location is ignored

Rust source path fixes

Two Rust sources looked up paths off the cargo workspace root, which now
resolves to the monorepo root rather than pacquet/. Both prefixed with
pacquet/:

  • pacquet/tasks/registry-mock/src/dirs.rsregistry_mock() was sending
    the node launcher at <repo>/tasks/registry-mock/launch.mjs instead of
    <repo>/pacquet/tasks/.... Failed Pacquet CI on all 3 OSes with
    "Cannot find module ...launch.mjs".
  • pacquet/tasks/micro-benchmark/src/main.rs — same pattern for the fixtures
    folder.

Workflow rename map

Old file (under pacquet/.github/workflows/) New file New name:
ci.yml pacquet-ci.yml Pacquet CI
cargo-unused.yml pacquet-cargo-unused.yml Pacquet Cargo Unused Features
codecov.yml pacquet-codecov.yml Pacquet Code Coverage
integrated-benchmark.yml pacquet-integrated-benchmark.yml Pacquet Integrated-Benchmark
integrated-benchmark-comment.yml pacquet-integrated-benchmark-comment.yml Pacquet Integrated-Benchmark Comment
micro-benchmark.yml pacquet-micro-benchmark.yml Pacquet Micro-Benchmark
release-to-npm.yml pacquet-release-to-npm.yml Release Pacquet (already had Pacquet in it)

The integrated-benchmark-comment workflow's workflow_run.workflows: reference
was updated to Pacquet Integrated-Benchmark so the two-stage pipeline still
chains.

Workflow setup aligned with the rest of pnpm/pnpm

  • Migrated all four pacquet workflows that install pnpm from
    pnpm/action-setup@v6 to pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
    — the same SHA pin every other pnpm/pnpm workflow uses.
  • Dropped the version: 11.0.0-rc.5 pin (a pacquet-era workaround for v9
    lockfile during pre-release); pnpm/setup reads from packageManager in the
    root package.json instead.
  • Set install: false so pnpm/setup doesn't trigger a root-workspace install —
    pacquet still scopes installs via just install, which only touches
    pacquet/tasks/registry-mock/.
  • The release workflow now uses pnpm/setup's runtime: node@22 instead of a
    separate "Setup Node" step that ran pnpm runtime -g set node 22.

Security / linter cleanup

  • .github/dependabot.yml cargo entry gains cooldown: default-days: 7 to
    match the github-actions entry (zizmor: insufficient cooldown).
  • pacquet-ci.yml, pacquet-codecov.yml, pacquet-cargo-unused.yml gain
    top-level permissions: contents: read (zizmor: overly broad permissions).
    The other four pacquet workflows already declare permissions explicitly.
  • cspell.json gains "reimagining" — pacquet's READMEs describe pacquet
    as "not a reimagining of pnpm" and cspell scans **/README.md at the root.

Verification

  • cargo metadata --no-deps resolves the workspace from the repo root — all 24
    pacquet crates + 3 tasks present.
  • cargo fmt --all -- --check clean.
  • taplo format --check picks up all 26 Cargo.toml files and reports no
    reformatting.
  • python3 -c 'yaml.safe_load(...)' parses all 7 workflow files.
  • actionlint reports no new findings — the type:-on-composite-action-input
    warnings on the rustup action are pre-existing (they were on the imported
    files before this PR).
  • pnpm dlx cspell pacquet/README.md pacquet/npm/pacquet/README.md passes
    after adding "reimagining" to the dictionary.

Known-failing CI on this PR

  • Pacquet Micro-Benchmark / Run benchmark on ubuntu-latest — chicken-and-egg.
    The workflow checks out main first to bench the baseline, then runs
    ./.github/actions/rustup — but main doesn't have .github/actions/rustup
    yet (this PR is what introduces it). Resolves itself the moment this PR
    merges; every subsequent PR works.
  • Pacquet Code Coverage / Upload coverage filesecrets.CODECOV_TOKEN
    is not set on pnpm/pnpm. The first stage (Code Coverage — running
    cargo llvm-cov and uploading lcov.info as a GitHub artifact) succeeds;
    only the codecov.io upload step fails. Requires the user to either add the
    CODECOV_TOKEN secret, reconfigure codecov to use a monorepo-level project,
    or disable the workflow until coverage tracking is decided.

Out of scope (followups)

  • Release workflow triggers on pacquet/npm/pacquet/package.json push to main
    and would create a GitHub release on pnpm/pnpm. May want to gate it
    behind a manual approval or move the release to a separate repo — left as-is.
  • The nested pacquet/pnpm-lock.yaml (for the tasks/registry-mock JS
    workspace) is still pnpm-installed via just install rather than
    participating in the root pnpm-workspace.yaml. Folding that in is its
    own decision.

Test plan

  • CI: Pacquet CI (Lint and Test ubuntu/macos/windows) runs and passes.
  • CI: Pacquet Code Coverage / Code Coverage stage runs and passes (the
    upload stage is blocked on CODECOV_TOKEN — see Known-failing).
  • cargo metadata resolves workspace locally.
  • Manual: cargo build -p pacquet-cli from repo root succeeds locally.
  • Manual: just install from repo root populates
    pacquet/tasks/registry-mock/node_modules.

Written by an agent (Claude Code, claude-opus-4-7).

Move Cargo workspace, Rust toolchain configs, justfile, composite actions,
and 7 workflow files out of `pacquet/` and up to the repo root so:

  - cargo / just / taplo run from repo root, the way the rest of the
    monorepo's tooling does
  - GitHub Actions actually discovers the workflows (it only reads
    `.github/workflows/` at the repo root)

Workflows are prefixed with `pacquet-` and renamed to "Pacquet ..." so
they don't collide with the existing pnpm CI. Path filters are scoped
to `pacquet/**` so they don't trigger on every commit. The cargo entry
from pacquet's standalone `dependabot.yml` is folded into the root one;
pacquet's `CODEOWNERS` and `pull_request_template.md` are dropped because
the root copies supersede them.

Path rewrites:
  - `Cargo.toml` workspace members → `pacquet/crates/*`, `pacquet/tasks/*`
  - all path-deps in `[workspace.dependencies]` → `pacquet/...`
  - `justfile` recipes (`install`, `install-hooks`) point at `pacquet/...`
  - `.taplo.toml` include globs → `pacquet/crates/*/*.toml`, `pacquet/tasks/*/*.toml`
  - `pacquet/npm/pacquet/scripts/generate-packages.mjs` REPO_ROOT walks one
    more level up
  - workflow `paths:` filters, `hashFiles(...)`, and shell paths all updated

Verified: `cargo metadata` resolves the workspace, `cargo fmt --check`
clean, `taplo format --check` picks up all 26 Cargo.tomls, `actionlint`
reports no new issues (the `type:`-on-input warnings on the rustup action
predate this move).
Copilot AI review requested due to automatic review settings May 14, 2026 15:43
@coderabbitai

coderabbitai Bot commented May 14, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Repository layout and CI were moved under a pacquet/ subtree: workspace members, local crate paths, scripts, git hooks, tooling globs, ignores, and many workflow triggers were updated to use pacquet/ paths; nested pacquet/.github dependabot and PR template were removed and a root Dependabot cargo entry added.

Changes

Workspace, tooling, packaging, and repo layout

Layer / File(s) Summary
Workspace members & local crate paths
Cargo.toml
Workspace members changed to ["pacquet/crates/*","pacquet/tasks/*"]; [workspace.dependencies] local path entries updated to pacquet/crates/... and pacquet/tasks/....
Tooling include globs
.taplo.toml
Include globs switched from crates/*/tasks/* to pacquet/crates/* and pacquet/tasks/*.
Git hooks & install task
justfile
install-hooks now sets core.hooksPath to pacquet/.githooks; install runs pnpm from pacquet/tasks/registry-mock/.
Ignore pacquet artifacts
.gitignore
Added /target, /bench-work-env, and .pacquet ignore entries at repo root.
Package generation path
pacquet/npm/pacquet/scripts/generate-packages.mjs
REPO_ROOT resolution adjusted to a different parent level, changing the source path used when copying native binaries during package generation.
Registry-mock & fixture paths
pacquet/tasks/registry-mock/src/dirs.rs, pacquet/tasks/micro-benchmark/src/main.rs
Paths resolving registry-mock and micro-benchmark fixtures were changed to use pacquet/tasks/... instead of top-level tasks/....

CI, workflows, and Dependabot

Layer / File(s) Summary
Workflow renames & trigger scoping
.github/workflows/pacquet-ci.yml, .github/workflows/pacquet-codecov.yml, .github/workflows/pacquet-micro-benchmark.yml, .github/workflows/pacquet-integrated-benchmark.yml, .github/workflows/pacquet-cargo-unused.yml, .github/workflows/pacquet-integrated-benchmark-comment.yml
Multiple workflow name: values prefixed with Pacquet; pull_request/push triggers narrowed to pacquet/** and specific repo files; a workflow_run trigger updated to reference the renamed workflow.
pnpm action modernization
.github/workflows/* (multiple files)
Replaced pnpm/action-setup@v6 usages with pnpm/setup@<pinned-sha> and set install: false in several workflows (test, codecov, integrated-benchmark, release-to-npm).
Release-to-NPM path & publish loop
.github/workflows/pacquet-release-to-npm.yml, pacquet/npm/pacquet/scripts/generate-packages.mjs
push.paths and version-check inputs updated to pacquet/npm/pacquet/package.json; package generation and publish loops updated to iterate pacquet/npm/pacquet* packages.
Dependabot consolidation
.github/dependabot.yml, pacquet/.github/dependabot.yml
Added a root Dependabot cargo updates entry (weekly, commit-message prefix chore(cargo)) and removed the nested pacquet/.github/dependabot.yml.
CODEOWNERS & PR template removal
pacquet/.github/CODEOWNERS, pacquet/.github/pull_request_template.md
Removed @zkochan entry from pacquet/.github/CODEOWNERS; deleted pacquet/.github/pull_request_template.md.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • pnpm/pnpm#11589: Similar CI change switching from pnpm/action-setup to pnpm/setup with install: false.

Poem

🐰
I nibbled paths and nudged the tree, moved hooks and workflows under me.
Dependabot hopped to root so neat, fixtures found their proper street.
A tidy burrow, order kept — a rabbit's job, well planned and lept.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: wiring pacquet workflows into the monorepo by reorganizing workspace structure and updating configurations.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pacquet-flatten

Comment @coderabbitai help to get the list of available commands and usage tips.

Comment thread .github/dependabot.yml Fixed

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

zkochan added 2 commits May 14, 2026 17:46
The monorepo's root `package.json` declares `pnpm@11.1.1` under
`packageManager`, which conflicts with the workflows' explicit
`version: 11.0.0-rc.5` and trips `pnpm/action-setup` ERR_PNPM_BAD_PM_VERSION.

The pin was a pacquet-era workaround for the v9 lockfile while pnpm 11
was still pre-release. Stable 11.x writes v9 too, so let action-setup
read the version from `packageManager` like every other workflow in
this repo does.
Replaces `pnpm/action-setup@v6` with the same `pnpm/setup@b1cac3...`
SHA the rest of pnpm/pnpm uses (release.yml, test.yml, ci.yml,
benchmark.yml, audit.yml). Reads pnpm version from `packageManager`
in root package.json, and skips the implicit `pnpm install` since
pacquet does its own scoped install via `just install` (which only
touches `pacquet/tasks/registry-mock/`).

The release workflow now also installs Node via the same action
(`runtime: node@22`) instead of via `pnpm runtime -g set node 22`,
since pnpm/setup handles runtimes in one step.
Copilot AI review requested due to automatic review settings May 14, 2026 15:47

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

16-21: ⚡ Quick win

Add cooldown for cargo updates to match the GitHub Actions updater and reduce PR volume.

The cargo updater (lines 16–21) runs weekly without cooldown, while the GitHub Actions updater (lines 6–15) includes cooldown.default-days: 7. Adding the same cooldown to cargo ensures consistent throttling of version updates across both package managers.

Suggested patch
   - package-ecosystem: cargo
     directory: /
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
     commit-message:
       prefix: "chore(cargo)"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 16 - 21, The cargo updater block
currently lacks a cooldown and should include the same cooldown used by the
GitHub Actions updater; update the cargo package-ecosystem section in
.github/dependabot.yml (the block with "package-ecosystem: cargo", "directory:
/", "schedule: weekly") to add a cooldown setting, e.g. add "updates:" → "  -
package-ecosystem: cargo" style equivalent or directly add "cooldown:" with " 
default-days: 7" under the cargo configuration so cargo Dependabot respects a
7-day cooldown like the actions updater.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pacquet-ci.yml:
- Around line 1-3: Add an explicit top-level permissions block for the
GITHUB_TOKEN by adding a permissions: section with contents: read so the
workflow uses least-privilege tokens instead of repo defaults; update the
workflow named "Pacquet CI" (affects jobs like test, doc, typos, deny, format,
dylint) to include this permissions block at the top of the YAML file right
under the workflow name/trigger definition.

---

Nitpick comments:
In @.github/dependabot.yml:
- Around line 16-21: The cargo updater block currently lacks a cooldown and
should include the same cooldown used by the GitHub Actions updater; update the
cargo package-ecosystem section in .github/dependabot.yml (the block with
"package-ecosystem: cargo", "directory: /", "schedule: weekly") to add a
cooldown setting, e.g. add "updates:" → "  - package-ecosystem: cargo" style
equivalent or directly add "cooldown:" with "  default-days: 7" under the cargo
configuration so cargo Dependabot respects a 7-day cooldown like the actions
updater.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e9b44ddf-36d1-4338-ba85-f6d04f0309a3

📥 Commits

Reviewing files that changed from the base of the PR and between 4a89b06 and 2973d56.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (24)
  • .cargo/config.toml
  • .github/actions/binstall/action.yml
  • .github/actions/rustup/action.yml
  • .github/dependabot.yml
  • .github/workflows/pacquet-cargo-unused.yml
  • .github/workflows/pacquet-ci.yml
  • .github/workflows/pacquet-codecov.yml
  • .github/workflows/pacquet-integrated-benchmark-comment.yml
  • .github/workflows/pacquet-integrated-benchmark.yml
  • .github/workflows/pacquet-micro-benchmark.yml
  • .github/workflows/pacquet-release-to-npm.yml
  • .gitignore
  • .taplo.toml
  • .typos.toml
  • Cargo.toml
  • deny.toml
  • dylint.toml
  • justfile
  • pacquet/.github/CODEOWNERS
  • pacquet/.github/dependabot.yml
  • pacquet/.github/pull_request_template.md
  • pacquet/npm/pacquet/scripts/generate-packages.mjs
  • rust-toolchain.toml
  • rustfmt.toml
💤 Files with no reviewable changes (3)
  • pacquet/.github/pull_request_template.md
  • pacquet/.github/CODEOWNERS
  • pacquet/.github/dependabot.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: copilot-pull-request-reviewer
  • GitHub Check: Dylint
  • GitHub Check: Analyze (javascript)
  • GitHub Check: Compile & Lint
🧰 Additional context used
🪛 GitHub Check: zizmor
.github/workflows/pacquet-cargo-unused.yml

[warning] 4-51:
overly broad permissions

.github/workflows/pacquet-codecov.yml

[warning] 3-107:
overly broad permissions

.github/dependabot.yml

[warning] 16-16:
insufficient cooldown in Dependabot updates

.github/workflows/pacquet-ci.yml

[warning] 1-253:
overly broad permissions

🔇 Additional comments (12)
Cargo.toml (1)

3-3: LGTM!

Also applies to: 16-40

.gitignore (1)

60-63: LGTM!

.taplo.toml (1)

1-1: LGTM!

pacquet/npm/pacquet/scripts/generate-packages.mjs (1)

10-10: LGTM!

.github/workflows/pacquet-cargo-unused.yml (1)

4-4: LGTM!

.github/workflows/pacquet-codecov.yml (1)

3-3: LGTM!

Also applies to: 10-10, 15-15

.github/workflows/pacquet-ci.yml (1)

7-39: LGTM!

Also applies to: 134-134

.github/workflows/pacquet-release-to-npm.yml (1)

3-3: LGTM!

Also applies to: 10-10, 32-32, 171-173, 182-182

.github/workflows/pacquet-integrated-benchmark.yml (1)

1-1: LGTM!

Also applies to: 8-10, 14-20, 72-72, 114-114

.github/workflows/pacquet-integrated-benchmark-comment.yml (1)

1-1: LGTM!

Also applies to: 3-4, 13-13

justfile (1)

18-18: LGTM!

Also applies to: 20-20, 38-38

.github/workflows/pacquet-micro-benchmark.yml (1)

1-1: LGTM!

Also applies to: 8-10, 13-17

Comment thread .github/workflows/pacquet-ci.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Address zizmor warnings on the pacquet CI changes:

  - `dependabot.yml`: the cargo entry I added in the previous commit
    inherited from pacquet's standalone repo and is missing the
    `cooldown: default-days: 7` the github-actions entry uses. Add it
    so cargo and github-actions debounce updates consistently.

  - `pacquet-ci.yml`, `pacquet-codecov.yml`, `pacquet-cargo-unused.yml`
    lacked a top-level `permissions:` block, so GITHUB_TOKEN inherited
    the repo default. Declare `contents: read` — every job in these
    workflows only reads the repo and runs local checks.

The other four pacquet workflows already declare permissions
explicitly (integrated-benchmark/comment, micro-benchmark, release).

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pacquet-codecov.yml:
- Around line 3-6: The workflow "Pacquet Code Coverage" currently lacks a
top-level permissions block, so GITHUB_TOKEN inherits repo defaults; add an
explicit minimal permissions block (e.g., set contents: read) at top level
beneath the workflow name to grant only the least-privilege access needed for
this job triggered by workflow_dispatch; ensure the new permissions block
appears alongside "name: Pacquet Code Coverage" and "on: workflow_dispatch" so
the workflow runs with explicit read-only token scope.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a35a03f6-89c2-4c3a-9601-990c9d7ce00d

📥 Commits

Reviewing files that changed from the base of the PR and between 2973d56 and 4b98768.

📒 Files selected for processing (4)
  • .github/workflows/pacquet-ci.yml
  • .github/workflows/pacquet-codecov.yml
  • .github/workflows/pacquet-integrated-benchmark.yml
  • .github/workflows/pacquet-release-to-npm.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Run benchmark on ubuntu-latest
  • GitHub Check: Lint and Test (ubuntu-latest)
  • GitHub Check: Lint and Test (windows-latest)
  • GitHub Check: Lint and Test (macos-latest)
  • GitHub Check: Dylint
  • GitHub Check: Compile & Lint
🧰 Additional context used
🪛 GitHub Check: zizmor
.github/workflows/pacquet-ci.yml

[warning] 1-249:
overly broad permissions

.github/workflows/pacquet-codecov.yml

[warning] 3-103:
overly broad permissions

🔇 Additional comments (5)
.github/workflows/pacquet-ci.yml (2)

1-3: Duplicate: missing explicit top-level workflow permissions.

This was already flagged in prior review comments and still appears unresolved.


7-39: LGTM!

Also applies to: 66-68, 130-130

.github/workflows/pacquet-codecov.yml (1)

10-15: LGTM!

Also applies to: 44-46

.github/workflows/pacquet-release-to-npm.yml (1)

3-3: LGTM!

Also applies to: 10-10, 32-32, 142-147, 164-167, 175-177

.github/workflows/pacquet-integrated-benchmark.yml (1)

1-1: LGTM!

Also applies to: 8-10, 14-20, 72-72, 103-105, 110-110

Comment thread .github/workflows/pacquet-codecov.yml
cspell at the repo root scans all `**/README.md` and was rejecting
`pacquet/README.md` and `pacquet/npm/pacquet/README.md`, which describe
pacquet as "not a reimagining of pnpm." Add the word to the existing
allow-list rather than rewording two READMEs imported from a separate
repo.
Copilot AI review requested due to automatic review settings May 14, 2026 15:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Two Rust source files looked up paths off the cargo workspace root
(\`cargo locate-project --workspace\`), which now resolves to the
monorepo root rather than the pacquet directory. Add the \`pacquet/\`
prefix:

  - \`tasks/registry-mock/src/dirs.rs\` — \`registry_mock()\` was
    pointing the node launcher at \`<repo>/tasks/registry-mock/launch.mjs\`
    instead of \`<repo>/pacquet/tasks/registry-mock/launch.mjs\`, which
    failed every Pacquet CI test job ("Cannot find module ...launch.mjs").
  - \`tasks/micro-benchmark/src/main.rs\` — same idea for the
    fixtures folder.
@codecov-commenter

Copy link
Copy Markdown

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@zkochan zkochan merged commit 763ddf1 into main May 14, 2026
27 of 30 checks passed
@zkochan zkochan deleted the pacquet-flatten branch May 14, 2026 16:17
github-actions Bot pushed a commit to Eyalm321/pnpm that referenced this pull request May 18, 2026
* chore(pacquet): wire pacquet workflows into monorepo

Move Cargo workspace, Rust toolchain configs, justfile, composite actions,
and 7 workflow files out of `pacquet/` and up to the repo root so:

  - cargo / just / taplo run from repo root, the way the rest of the
    monorepo's tooling does
  - GitHub Actions actually discovers the workflows (it only reads
    `.github/workflows/` at the repo root)

Workflows are prefixed with `pacquet-` and renamed to "Pacquet ..." so
they don't collide with the existing pnpm CI. Path filters are scoped
to `pacquet/**` so they don't trigger on every commit. The cargo entry
from pacquet's standalone `dependabot.yml` is folded into the root one;
pacquet's `CODEOWNERS` and `pull_request_template.md` are dropped because
the root copies supersede them.

Path rewrites:
  - `Cargo.toml` workspace members → `pacquet/crates/*`, `pacquet/tasks/*`
  - all path-deps in `[workspace.dependencies]` → `pacquet/...`
  - `justfile` recipes (`install`, `install-hooks`) point at `pacquet/...`
  - `.taplo.toml` include globs → `pacquet/crates/*/*.toml`, `pacquet/tasks/*/*.toml`
  - `pacquet/npm/pacquet/scripts/generate-packages.mjs` REPO_ROOT walks one
    more level up
  - workflow `paths:` filters, `hashFiles(...)`, and shell paths all updated

Verified: `cargo metadata` resolves the workspace, `cargo fmt --check`
clean, `taplo format --check` picks up all 26 Cargo.tomls, `actionlint`
reports no new issues (the `type:`-on-input warnings on the rustup action
predate this move).

* chore(pacquet): drop pnpm version pin from pacquet CI workflows

The monorepo's root `package.json` declares `pnpm@11.1.1` under
`packageManager`, which conflicts with the workflows' explicit
`version: 11.0.0-rc.5` and trips `pnpm/action-setup` ERR_PNPM_BAD_PM_VERSION.

The pin was a pacquet-era workaround for the v9 lockfile while pnpm 11
was still pre-release. Stable 11.x writes v9 too, so let action-setup
read the version from `packageManager` like every other workflow in
this repo does.

* chore(pacquet): use pnpm/setup matching the rest of the monorepo

Replaces `pnpm/action-setup@v6` with the same `pnpm/setup@b1cac3...`
SHA the rest of pnpm/pnpm uses (release.yml, test.yml, ci.yml,
benchmark.yml, audit.yml). Reads pnpm version from `packageManager`
in root package.json, and skips the implicit `pnpm install` since
pacquet does its own scoped install via `just install` (which only
touches `pacquet/tasks/registry-mock/`).

The release workflow now also installs Node via the same action
(`runtime: node@22`) instead of via `pnpm runtime -g set node 22`,
since pnpm/setup handles runtimes in one step.

* chore(pacquet): tighten permissions and Dependabot cooldown

Address zizmor warnings on the pacquet CI changes:

  - `dependabot.yml`: the cargo entry I added in the previous commit
    inherited from pacquet's standalone repo and is missing the
    `cooldown: default-days: 7` the github-actions entry uses. Add it
    so cargo and github-actions debounce updates consistently.

  - `pacquet-ci.yml`, `pacquet-codecov.yml`, `pacquet-cargo-unused.yml`
    lacked a top-level `permissions:` block, so GITHUB_TOKEN inherited
    the repo default. Declare `contents: read` — every job in these
    workflows only reads the repo and runs local checks.

The other four pacquet workflows already declare permissions
explicitly (integrated-benchmark/comment, micro-benchmark, release).

* chore(pacquet): add "reimagining" to cspell dictionary

cspell at the repo root scans all `**/README.md` and was rejecting
`pacquet/README.md` and `pacquet/npm/pacquet/README.md`, which describe
pacquet as "not a reimagining of pnpm." Add the word to the existing
allow-list rather than rewording two READMEs imported from a separate
repo.

* fix(pacquet): prefix workspace-relative paths with pacquet/

Two Rust source files looked up paths off the cargo workspace root
(\`cargo locate-project --workspace\`), which now resolves to the
monorepo root rather than the pacquet directory. Add the \`pacquet/\`
prefix:

  - \`tasks/registry-mock/src/dirs.rs\` — \`registry_mock()\` was
    pointing the node launcher at \`<repo>/tasks/registry-mock/launch.mjs\`
    instead of \`<repo>/pacquet/tasks/registry-mock/launch.mjs\`, which
    failed every Pacquet CI test job ("Cannot find module ...launch.mjs").
  - \`tasks/micro-benchmark/src/main.rs\` — same idea for the
    fixtures folder.
@coderabbitai coderabbitai Bot mentioned this pull request Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants