feat: add pnpm-build action

README.md

@@ -10,6 +10,7 @@ Shared actions for Forgejo CI/CD pipelines.
 | [aikido-pr-scan](aikido-pr-scan) | Aikido PR scan |
 | [aws-configure](aws-configure) | Authenticate with AWS via OIDC |
 | [checkout](checkout) | Action for checking out a repository |
+| [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 
 
 ## Security

pnpm-build/README.md

@@ -0,0 +1,30 @@
+# pnpm-build
+
+Action for building and validating with PNPM.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `package.json` |
+| `node-version` | No | `24` | Node.js version |
+| `pnpm-version` | No | `10.33` | pnpm version |
+| `jfrog-token` | No | `""` | JFrog npm auth token for the Artifactory registry |
+| `run-scripts` | No | `ci,typecheck,build` | Comma-separated list of `pnpm run` scripts to execute |
+| `frozen-lockfile` | No | `true` | Pass `--frozen-lockfile` to `pnpm install` |
+| `check-dedupe` | No | `true` | Run `pnpm dedupe --check` before install |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/pnpm-build@pnpm-build-v1
+  with:
+    working-directory: frontend
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Configures the Artifactory npm registry authentication only if `jfrog-token` is provided.
+- Runs `pnpm dedupe --check` before install when `check-dedupe` is `true`.
+- Executes each script in `run-scripts` in order via `pnpm run`.

pnpm-build/action.yml

@@ -0,0 +1,81 @@
+name: PNPM Build
+description: >
+  Build and validate frontend using PNPM.
+
+inputs:
+  working-directory:
+    description: Directory containing package.json
+    required: false
+    default: "."
+  node-version:
+    description: Node.js version
+    required: false
+    default: "24"
+  pnpm-version:
+    description: pnpm version
+    required: false
+    default: "10.33"
+  jfrog-token:
+    description: JFrog npm auth token
+    required: false
+    default: ""
+  run-scripts:
+    description: Comma-separated list of pnpm run scripts
+    required: false
+    default: "ci,typecheck,build"
+  frozen-lockfile:
+    description: Pass --frozen-lockfile to pnpm install
+    required: false
+    default: "true"
+  check-dedupe:
+    description: Run pnpm dedupe --check
+    required: false
+    default: "true"
+
+runs:
+  using: composite
+  steps:
+      # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+      # actions/setup-node v6.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v6.4.0
+      - name: Setup Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
+        with:
+          node-version: ${{ inputs.node-version }}
+
+      # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+      # pnpm/action-setup v6.0.3 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v6.0.3
+      - name: Install pnpm
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e
+        with:
+          version: ${{ inputs.pnpm-version }}
+
+      - name: Configure pnpm registry authentication
+        if: ${{ inputs.jfrog-token != '' }}
+        shell: bash
+        env:
+          JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        run: pnpm set //schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken "$JFROG_TOKEN"
+
+      - name: Build
+        shell: bash
+        env:
+          PNPM_VERSION: ${{ inputs.pnpm-version }}
+          WORKING_DIR: ${{ inputs.working-directory }}
+          RUN_SCRIPTS: ${{ inputs.run-scripts }}
+          FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
+          CHECK_DEDUPE: ${{ inputs.check-dedupe }}
+        run: |
+          if [ "${CHECK_DEDUPE}" = "true" ]; then
+            pnpm --prefix="${WORKING_DIR}" dedupe --check
+          fi
+
+          INSTALL_ARGS=""
+          if [ "${FROZEN_LOCKFILE}" = "true" ]; then
+            INSTALL_ARGS="--frozen-lockfile"
+          fi
+          pnpm --prefix="${WORKING_DIR}" install $INSTALL_ARGS
+
+          IFS=',' read -ra SCRIPTS <<< "${RUN_SCRIPTS}"
+          for script in "${SCRIPTS[@]}"; do
+            pnpm --prefix="${WORKING_DIR}" run "${script}"
+          done