diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index f01b7b3..7fbb409 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -79,6 +79,17 @@ jobs:
             echo "has_package_manager=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Validate pnpm lockfile freshness
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: |
+          if [ -f "pnpm-lock.yaml" ] && grep -q '^overrides:' pnpm-lock.yaml 2>/dev/null; then
+            echo "Checking pnpm-lock.yaml freshness (overrides detected)"
+            if pnpm install --frozen-lockfile --dry-run 2>&1 | grep -q "CONFIG_MISMATCH"; then
+              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides. Run 'pnpm install' to regenerate the lockfile."
+              exit 1
+            fi
+          fi
+
       - name: Setup Node
         uses: actions/setup-node@v6
         with: