Migrate toolchain management from volta to mise #3969
Conversation
Replace volta with mise for managing Node.js and pnpm versions. Mise reads tool versions from a single `.mise.toml` file at the repo root, eliminating the need for `volta` sections in every package.json and the `use-node-version` directive in `.npmrc`. - Add `.mise.toml` pinning Node 22.20.0 and pnpm 10.17.0 - Remove `volta` config from root and all 23 sub-package package.json files - Remove `use-node-version` from `.npmrc` - Update CI init action to use `jdx/mise-action@v2` instead of `actions/setup-node` + `cardstack/gh-actions/setup-pnpm-volta` - Update QUICKSTART.md, README.md, AGENTS.md, and other docs https://claude.ai/code/session_01UsbdtKt9ebEJ3JkeviRzMV
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b19e14d074
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| using: composite | ||
| steps: | ||
| - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # 4.3.0 | ||
| - uses: jdx/mise-action@v2 |
There was a problem hiding this comment.
Using jdx/mise-action@v2 in the shared init action introduces a supply-chain and reproducibility risk for every workflow that calls ./.github/actions/init, because the v2 tag can move to different code without any change in this repository; unlike the other actions in this file (which are SHA-pinned), this allows unexpected behavior or compromised upstream code to run in CI at any time.
Useful? React with 👍 / 👎.
Preview deployments |
2 participants
Replace volta with mise for managing Node.js and pnpm versions. Mise
reads tool versions from a single
.mise.tomlfile at the repo root,eliminating the need for
voltasections in every package.json and theuse-node-versiondirective in.npmrc..mise.tomlpinning Node 22.20.0 and pnpm 10.17.0voltaconfig from root and all 23 sub-package package.json filesuse-node-versionfrom.npmrcjdx/mise-action@v2instead ofactions/setup-node+cardstack/gh-actions/setup-pnpm-voltahttps://claude.ai/code/session_01UsbdtKt9ebEJ3JkeviRzMV