From 4f3e3e8d2cb0625db5d315166108294bbc6ed0d0 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 12 May 2026 21:59:56 +0000
Subject: [PATCH] Add lockfile freshness validation to plugin-ci workflow

When pnpm-lock.yaml has overrides section, validate that lockfile is fresh before install. If stale (detected via CONFIG_MISMATCH), fail with clear error message suggesting 'pnpm install' to regenerate.

Co-Authored-By: Paperclip
---
 .github/workflows/plugin-ci.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index f01b7b3..7fbb409 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -79,6 +79,17 @@ jobs:
 echo "has_package_manager=false" >> $GITHUB_OUTPUT
 fi
 
+ - name: Validate pnpm lockfile freshness
+ if: steps.pkg-manager.outputs.manager == 'pnpm'
+ run: |
+ if [ -f "pnpm-lock.yaml" ] && grep -q '^overrides:' pnpm-lock.yaml 2>/dev/null; then
+ echo "Checking pnpm-lock.yaml freshness (overrides detected)"
+ if pnpm install --frozen-lockfile --dry-run 2>&1 | grep -q "CONFIG_MISMATCH"; then
+ echo "::error::pnpm-lock.yaml is out of sync with package.json overrides. Run 'pnpm install' to regenerate the lockfile."
+ exit 1
+ fi
+ fi
+
 - name: Setup Node
 uses: actions/setup-node@v6
 with:
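Review bot: The freshness check fails open: in `pnpm install --frozen-lockfile --dry-run 2>&1 | grep -q "CONFIG_MISMATCH"` the `if` sees only grep's exit status, so any pnpm failure that does not print that exact string lets the step pass. That covers pnpm not being on PATH (the step is placed before `Setup Node`, and whether pnpm is installed earlier in the job is not visible in this hunk) and pnpm rejecting an option; I could not confirm that `pnpm install` accepts `--dry-run`, so that is worth verifying against the pinned pnpm version. Overrides are commonly used to pin patched transitive dependencies, so a check that silently does nothing gives false assurance about what actually gets installed. Capture pnpm's output and exit status, keep the CONFIG_MISMATCH message for that case, and fail the step on any other non-zero exit as sketched below.

```yaml
        run: |
          # … unchanged: pnpm-lock.yaml / overrides guard and "Checking" echo …
            status=0
            output="$(pnpm install --frozen-lockfile --dry-run 2>&1)" || status=$?
            if printf '%s\n' "$output" | grep -q "CONFIG_MISMATCH"; then
              # … unchanged: ::error:: out-of-sync message and exit 1 …
            elif [ "$status" -ne 0 ]; then
              # Any other failure means the check did not run; do not treat it as "fresh".
              printf '%s\n' "$output"
              echo "::error::pnpm lockfile check did not complete (exit $status)."
              exit 1
            fi
```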