All workflows that previously ran `npm ci` + a frontend script now install
pnpm via pnpm/action-setup (which honors the `packageManager` field in the
root package.json) and run scripts through `pnpm --filter mas-frontend`.
setup-node gets `cache: "pnpm"` so the pnpm store survives between runs.

The @localazy/cli and semver CLIs used by the release/translation workflows
move from ad-hoc `npm install -g` / `npx --yes` invocations to root
devDependencies, so the version is locked in pnpm-lock.yaml and a single
`pnpm install --frozen-lockfile` makes both available as `pnpm exec`.

misc/build-docs.sh (used by the docs workflow and Cloudflare Pages) is
updated to call `corepack enable` on Cloudflare Pages and to run storybook
through `pnpm --filter mas-frontend exec`.

Sets up a pnpm workspace at the repo root with the single existing
frontend/ package, pinned via packageManager to pnpm@11.1.0. The new
pnpm-workspace.yaml enables three pnpm 11 defaults explicitly so they
can't silently be relaxed:

- trustPolicy: no-downgrade (override via trustPolicyExclude)
- strictDepBuilds: true (override via allowBuilds)
- strictPeerDependencies: true (override via peerDependencyRules.allowedVersions)

allowBuilds permits the @swc/core, esbuild and msw postinstalls (native
binaries / service worker setup) and explicitly denies @scarf/scarf
telemetry. trustPolicyExclude lists semver@6.3.1, which a transitive of
@babel/core publishes without provenance even though earlier versions
had it.

The lockfile is imported from the previous package-lock.json, so locked
versions stay identical to npm — no dependency upgrades sneak in here.

@graphql-typed-document-node/core is added as an explicit devDependency
because @graphql-codegen/client-preset's generated code imports it
directly and pnpm doesn't hoist transitive deps.

The frontend/.npmrc engine-strict=true setting moves to pnpm-workspace.yaml
as engineStrict: true.
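
A CI guard for the settings this commit message lists, as an added example that is not part of the commit or the project: it fails when one of the hardening keys is missing or relaxed, or when allowBuilds drifts from the reviewed set. The function names and the sample file are constructed here, and the script assumes one-line `key: value` scalars and an allowBuilds block map of `package: true|false`.

```shell
# Added example (not project code): CI guard for the pnpm-workspace.yaml hardening.
# Assumes one-line `key: value` scalars and allowBuilds as a block map.
# Print the value of top-level scalar key $2 in file $1 (empty if absent).
top_level_value() {
  awk -v key="$2" 'index($0, key ":") == 1 {
    val = substr($0, length(key) + 2); sub(/#.*/, "", val); gsub(/[ \t]/, "", val)
    print val; exit }' "$1"
}

# Print allowBuilds packages whose value is $2 (true|false), sorted, comma-joined.
builds_with_value() {
  awk -v want="$2" -v q="'" '
    /^allowBuilds:/ { inblock = 1; next }
    inblock && /^[^ \t#]/ { inblock = 0 }    # next top-level key ends the map
    inblock {
      line = $0; sub(/#.*/, "", line)
      gsub("[\"" q " \t]", "", line)         # drop quotes and indentation
      if (split(line, kv, ":") == 2 && kv[2] == want) print kv[1]
    }' "$1" | LC_ALL=C sort | paste -sd, -
}

# Exit 0 only if every setting named in the commit message holds.
check_workspace_policy() (
  failures=0
  fail() { echo "FAIL: $1" >&2; failures=$((failures + 1)); }
  for pair in trustPolicy=no-downgrade strictDepBuilds=true strictPeerDependencies=true engineStrict=true; do
    got=$(top_level_value "$1" "${pair%%=*}")
    [ "$got" = "${pair#*=}" ] || fail "${pair%%=*} is '${got:-unset}'"
  done
  [ "$(builds_with_value "$1" true)" = "@swc/core,esbuild,msw" ] || fail "allowBuilds differs from the reviewed set"
  case ",$(builds_with_value "$1" false)," in *,@scarf/scarf,*) ;;
    *) fail "@scarf/scarf is not explicitly denied" ;; esac
  [ "$failures" -eq 0 ]
)

# Constructed sample mirroring the settings the commit message lists.
write_sample_workspace() {
  cat > "$1" <<'EOF'
trustPolicy: no-downgrade
strictDepBuilds: true
strictPeerDependencies: true
engineStrict: true
allowBuilds:
  '@swc/core': true
  esbuild: true
  msw: true
  '@scarf/scarf': false
EOF
}
```

In a workflow this would run as `check_workspace_policy pnpm-workspace.yaml` before `pnpm install --frozen-lockfile`, so a relaxed setting fails the job before any install script can execute.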