8.5 KiB
Working with lockfiles
All supported package managers recommend that you always commit the lockfile, although implementations vary doing so generally provides the following benefits:
- Enables faster installation for CI and production environments, due to being able to skip package resolution.
- Describes a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
- Provides a facility for users to "time-travel" to previous states of
node_modules
without having to commit the directory itself. - Facilitates greater visibility of tree changes through readable source control diffs.
In order to get the most out of using your lockfile on continuous integration follow the conventions outlined below for your respective package manager.
NPM
Ensure that package-lock.json
is always committed, use npm ci
instead of npm install
when installing packages.
See also:
Yarn
To ensure that yarn.lock
is always committed, use yarn install --immutable
when installing packages.
See also:
- Documentation of
yarn.lock
- Documentation of
--frozen-lockfile
option - QA - Should lockfiles be committed to the repoistory?
- Documentation of
yarn install
PNPM
Ensure that pnpm-lock.yaml
is always committed, when on CI pass --frozen-lockfile
to pnpm install
when installing packages.
See also:
Check latest version
The check-latest
flag defaults to false
. When set to false
, the action will first check the local cache for a semver match. If unable to find a specific version in the cache, the action will attempt to download a version of Node.js. It will pull LTS versions from node-versions releases and on miss or failure will fall back to the previous behavior of downloading directly from node dist. Use the default or set check-latest
to false
if you prefer stability and if you want to ensure a specific version of Node.js is always used.
If check-latest
is set to true
, the action first checks if the cached version is the latest one. If the locally cached version is not the most up-to-date, a version of Node.js will then be downloaded. Set check-latest
to true
it you want the most up-to-date version of Node.js to always be used.
Setting
check-latest
totrue
has performance implications as downloading versions of Node is slower than using cached versions.
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14'
check-latest: true
- run: npm ci
- run: npm test
Node version file
The node-version-file
input accepts a path to a file containing the version of Node.js to be used by a project, for example .nvmrc
or .node-version
. If both the node-version
and the node-version-file
inputs are provided then the node-version
input is used.
See supported version syntax
The action will search for the node version file relative to the repository root.
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version-file: '.nvmrc'
- run: npm ci
- run: npm test
Architecture
You can use any of the supported operating systems, and the compatible architecture
can be selected using architecture
. Values are x86
, x64
, arm64
, armv6l
, armv7l
, ppc64le
, s390x
(not all of the architectures are available on all platforms).
When using architecture
, node-version
must be provided as well.
jobs:
build:
runs-on: windows-latest
name: Node sample
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14'
architecture: 'x64' # optional, x64 or x86. If not specified, x64 will be used by default
- run: npm ci
- run: npm test
Caching packages data
The action follows actions/cache guidelines, and caches global cache on the machine instead of node_modules
, so cache can be reused between different Node.js versions.
Caching yarn dependencies: Yarn caching handles both yarn versions: 1 or 2.
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14'
cache: 'yarn'
- run: yarn install --frozen-lockfile # optional, --immutable
- run: yarn test
Caching pnpm (v6.10+) dependencies:
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# NOTE: pnpm caching support requires pnpm version >= 6.10.0
steps:
- uses: actions/checkout@v3
- uses: pnpm/action-setup@v2
with:
version: 6.32.9
- uses: actions/setup-node@v3
with:
node-version: '14'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm test
Using wildcard patterns to cache dependencies
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14'
cache: 'npm'
cache-dependency-path: '**/package-lock.json'
- run: npm ci
- run: npm test
Using a list of file paths to cache dependencies
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14'
cache: 'npm'
cache-dependency-path: |
server/app/package-lock.json
frontend/app/package-lock.json
- run: npm ci
- run: npm test
Multiple Operating Systems and Architectures
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
node_version:
- 12
- 14
- 16
architecture:
- x64
# an extra windows-x86 run:
include:
- os: windows-2016
node_version: 12
architecture: x86
name: Node ${{ matrix.node_version }} - ${{ matrix.architecture }} on ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node_version }}
architecture: ${{ matrix.architecture }}
- run: npm ci
- run: npm test
Publish to npmjs and GPR with npm
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14.x'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- uses: actions/setup-node@v3
with:
registry-url: 'https://npm.pkg.github.com'
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Publish to npmjs and GPR with yarn
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14.x'
registry-url: <registry url>
- run: yarn install --frozen-lockfile
- run: yarn publish
env:
NODE_AUTH_TOKEN: ${{ secrets.YARN_TOKEN }}
- uses: actions/setup-node@v3
with:
registry-url: 'https://npm.pkg.github.com'
- run: yarn publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Use private packages
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '14.x'
registry-url: 'https://registry.npmjs.org'
# Skip post-install scripts here, as a malicious
# script could steal NODE_AUTH_TOKEN.
- run: npm ci --ignore-scripts
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# `npm rebuild` will run all those post-install scripts for us.
- run: npm rebuild && npm run prepare --if-present
NOTE: As per https://github.com/actions/setup-node/issues/49 you cannot use secrets.GITHUB_TOKEN
to access private GitHub Packages within the same organisation.