From 1c2b97d41dd1966e9de3cf104cc9ccd8a134ba99 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Tue, 12 May 2026 22:29:12 +0000
Subject: [PATCH] Add lockfile freshness validation to plugin-ci workflow

When pnpm-lock.yaml has overrides section, validate that lockfile is fresh before install. If stale (detected via CONFIG_MISMATCH/EBADLOCKFILE/ERR_PNPM_LOCKFILE), fail with clear error message suggesting 'pnpm install' to regenerate.

Co-Authored-By: Paperclip
---
 .github/workflows/plugin-ci.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index f01b7b3..40a25df 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -113,6 +113,34 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-pnpm-
+ - name: Validate pnpm lockfile freshness
+ if: steps.pkg-manager.outputs.manager == 'pnpm'
+ run: |
+ if [ ! -f "pnpm-lock.yaml" ]; then
+ echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
+ exit 0
+ fi
+ if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
+ echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
+ exit 0
+ fi
+ echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
+ ERR_FILE=$(mktemp)
+ if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
+ echo "Lockfile is fresh."
+ else
+ if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
+ echo ""
+ echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
+ echo "::error::This typically happens when transitive dependencies change but the lockfile wasn't regenerated."
+ echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
+ rm -f "$ERR_FILE"
+ exit 1
+ fi
+ rm -f "$ERR_FILE"
+ echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
+ fi
+
 - name: Install dependencies
 run: |
 max_attempts=3
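Review bot: The test `if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then` branches on the exit status of `tee`, not of `pnpm`, so unless this step (or the job's `defaults`, which start outside the hunk) sets `shell: bash` — GitHub only enables pipefail when bash is named explicitly, and no `shell:` key is visible here — a stale lockfile still prints "Lockfile is fresh." and the step can never fail. The smallest fix is to make `set -o pipefail` the first line of the `run:` script, or to test `"${PIPESTATUS[0]}"` after the pipeline instead of the pipeline itself. The success branch also never removes `$ERR_FILE`; a `trap 'rm -f "$ERR_FILE"' EXIT` right after `ERR_FILE=$(mktemp)` would cover all three exits and let both `rm -f` lines go. Since this step only validates freshness and the real install follows in the next step, adding `--ignore-scripts` here avoids executing the dependency tree's lifecycle scripts a second time on the runner.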