shared-actions/pnpm-build/action.yml
Michael Seele 6dc474f759
fix: force public npm registry for pnpm self-installer bootstrap
pnpm/action-setup bootstraps itself via npm before pnpm is available.
If a repo has a custom registry in .npmrc (e.g. pointing to JFrog or
Nexus), the self-installer tries to fetch pnpm from that registry
without credentials and fails with exit code 1.

Setting NPM_CONFIG_REGISTRY overrides .npmrc for this step only,
ensuring pnpm is always fetched from the public registry. Private
registry auth is configured in subsequent steps once pnpm is ready.
2026-05-22 09:29:42 +02:00


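# Composite action: installs Node and pnpm, restores the pnpm store cache,
# optionally configures a private registry, then installs dependencies and
# runs the requested package scripts.
name: PNPM Build
description: >
  Build and validate frontend using PNPM.
inputs:
  working-directory:
    description: Directory containing package.json
    required: false
    default: "."
  node-version:
    description: Node.js version
    required: false
    default: "24"
  pnpm-version:
    description: pnpm version
    required: false
    default: "10.33"
  # Callers should pass the two tokens below from the CI secret store so the
  # runner masks them in logs; both default to empty, which skips the
  # matching registry step.
  jfrog-token:
    description: JFrog npm auth token
    required: false
    default: ""
  nexus-token:
    description: Nexus npm auth token
    required: false
    default: ""
  run-scripts:
    description: Comma-separated list of pnpm run scripts
    required: false
    default: "ci,typecheck,build"
  frozen-lockfile:
    description: Pass --frozen-lockfile to pnpm install
    required: false
    default: "true"
  check-dedupe:
    description: Run pnpm dedupe --check
    required: false
    default: "true"
runs:
  using: composite
  steps:
    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
      with:
        node-version: ${{ inputs.node-version }}
    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0
    - name: Install pnpm
      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
      env:
        # Override any registry configured in .npmrc (e.g. JFrog or Nexus).
        # pnpm/action-setup bootstraps itself via npm before pnpm is available,
        # so it must reach the public npm registry. Auth for private registries
        # is configured in a later step, after pnpm is installed.
        NPM_CONFIG_REGISTRY: https://registry.npmjs.org
      with:
        version: ${{ inputs.pnpm-version }}
    - name: Get pnpm store directory
      id: pnpm-store
      shell: bash
      run: echo "path=$(pnpm store path --silent)" >> "$GITHUB_OUTPUT"
    # NOTE(review): unlike the two actions above, this one is referenced by a
    # tag (cache-v1), and a tag can be moved to different code. If the
    # SHA-pinning policy is meant to cover in-house actions too, pin this
    # reference to a commit SHA as well.
    - name: Cache pnpm store
      uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/cache@cache-v1
      with:
        path: ${{ steps.pnpm-store.outputs.path }}
        key: ${{ runner.os }}-pnpm-${{ inputs.pnpm-version }}-${{ hashFiles(format('{0}/pnpm-lock.yaml', inputs.working-directory)) }}
        restore-keys: ${{ runner.os }}-pnpm-${{ inputs.pnpm-version }}-
    # The token reaches the script through an environment variable instead of
    # being interpolated into the script text, so its value is never parsed as
    # shell code.
    # NOTE(review): `pnpm set` stores the token in pnpm's config file on the
    # runner, not in the job's environment. On a runner that is reused between
    # jobs it would outlive this job — confirm runners are ephemeral or add a
    # cleanup step.
    - name: Configure JFrog registry authentication
      if: ${{ inputs.jfrog-token != '' }}
      shell: bash
      env:
        JFROG_TOKEN: ${{ inputs.jfrog-token }}
      run: |
        pnpm set registry https://schmalz.jfrog.io/artifactory/api/npm/default-npm/
        pnpm set //schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken "$JFROG_TOKEN"
    # If both tokens are supplied, both registry steps run and the `registry`
    # value set here replaces the JFrog one; the JFrog auth entry stays in the
    # config but installs resolve through Nexus.
    - name: Configure Nexus registry authentication
      if: ${{ inputs.nexus-token != '' }}
      shell: bash
      env:
        NEXUS_TOKEN: ${{ inputs.nexus-token }}
      run: |
        pnpm set registry https://nexus.schmalzgroup.com/repository/npm-all/
        pnpm set //nexus.schmalzgroup.com/repository/npm-all/:_authToken "$NEXUS_TOKEN"
    - name: Build
      shell: bash
      env:
        # Inputs are handed over as environment variables rather than expanded
        # into the script, so a value containing shell syntax stays data.
        # PNPM_VERSION is not read by the script below; it is still exported
        # to pnpm and to the package scripts it runs.
        PNPM_VERSION: ${{ inputs.pnpm-version }}
        WORKING_DIR: ${{ inputs.working-directory }}
        RUN_SCRIPTS: ${{ inputs.run-scripts }}
        FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
        CHECK_DEDUPE: ${{ inputs.check-dedupe }}
      run: |
        if [ "${CHECK_DEDUPE}" = "true" ]; then
          pnpm --prefix="${WORKING_DIR}" dedupe --check
        fi
        # Collect install flags in an array so they expand without relying on
        # unquoted word splitting.
        INSTALL_ARGS=()
        if [ "${FROZEN_LOCKFILE}" = "true" ]; then
          INSTALL_ARGS+=("--frozen-lockfile")
        fi
        pnpm --prefix="${WORKING_DIR}" install "${INSTALL_ARGS[@]}"
        IFS=',' read -ra SCRIPTS <<< "${RUN_SCRIPTS}"
        for script in "${SCRIPTS[@]}"; do
          # Trim surrounding whitespace so a list written as "ci, build" works,
          # and skip empty entries such as the gap in "ci,,build".
          script="${script#"${script%%[![:space:]]*}"}"
          script="${script%"${script##*[![:space:]]}"}"
          if [ -z "${script}" ]; then
            continue
          fi
          pnpm --prefix="${WORKING_DIR}" run "${script}"
        done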