
Pnpm
Wire pnpm into GitHub Actions, GitLab CI, Docker multi-stage builds, and monorepo filtered builds for Nuxt/Node projects.
Overview
pnpm is an agent skill most often used in Ship (also Operate infra) that templates pnpm-based CI/CD for GitHub Actions, GitLab, Docker, and monorepo filters.
Install
npx skills add https://github.com/onmax/nuxt-skills --skill pnpm
What is this skill?
- GitHub Actions baseline with pnpm/action-setup v4, Node 20, and cache: pnpm
- Optional pnpm store path caching keyed on pnpm-lock.yaml
- Monorepo job: pnpm --filter "...[origin/main]" build for changed packages only
- GitLab CI template with corepack, custom store-dir, and ref-slug cache
- Docker multi-stage pattern with corepack-enabled Node slim builder image
Adoption & trust: 1.3k installs on skills.sh; 674 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You use pnpm locally but CI still uses npm or slow installs without store caching or monorepo-aware builds.
Who is it for?
Indie devs standardizing pnpm in GitHub Actions or GitLab for Nuxt/Node repos before production deploys.
Skip if: Yarn-only or Bun-only pipelines where you will not standardize on pnpm, or managed PaaS that ignore custom CI.
When should I use this skill?
Setting up or migrating CI/CD and Docker to pnpm for a Node or Nuxt repository.
What do I get? / Deliverables
You get ready-to-adapt workflow YAML and Dockerfile snippets with frozen lockfiles, caching, and optional change-only monorepo builds.
- GitHub Actions or GitLab CI YAML
- Optional Docker multi-stage Dockerfile fragment
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Continuous integration is shelved under Ship because it gates merges and releases with install, test, and build automation. Testing subphase covers CI jobs that run pnpm test and frozen lockfile installs on every push.
Where it fits
Draft a Dockerfile that installs deps with pnpm before your Nuxt server build stage.
Add push/PR workflow running pnpm test with lockfile cache.
Gate release branches on pnpm build after frozen install.
Refresh GitLab store-dir cache keys when lockfile churn spikes install times.
How it compares
Skill-delivered YAML patterns—not an MCP server or hosted CI product.
Common Questions / FAQ
Who is pnpm for?
Solo builders and small teams on Nuxt or Node monorepos who want their agent to draft correct pnpm CI and Docker configs.
When should I use pnpm?
Use it in Ship when adding GitHub Actions or GitLab CI, in Build when dockerizing the app, and in Operate when tuning install caches on long-lived pipelines.
Is pnpm safe to install?
It suggests CI and Docker commands that run in your cloud—not automatically on your laptop. Review the Security Audits panel on this Prism page before enabling workflows.
SKILL.md
# CI/CD & Migration

## GitHub Actions

### Basic Setup

```yaml
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
      - run: pnpm build
```

### With Store Caching

```yaml
- uses: pnpm/action-setup@v4
  with:
    version: 9
- name: Get pnpm store directory
  shell: bash
  run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@v4
  with:
    path: ${{ env.STORE_PATH }}
    key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
    restore-keys: |
      ${{ runner.os }}-pnpm-store-
- run: pnpm install --frozen-lockfile
```

### Monorepo - Build Changed Only

```yaml
- name: Build changed packages
  run: pnpm --filter "...[origin/main]" build
```

## GitLab CI

```yaml
image: node:20

variables:
  PNPM_HOME: /root/.local/share/pnpm
  PATH: $PNPM_HOME:$PATH

before_script:
  - corepack enable
  - corepack prepare pnpm@latest --activate

cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - .pnpm-store

install:
  script:
    - pnpm config set store-dir .pnpm-store
    - pnpm install --frozen-lockfile
```

## Docker

### Multi-Stage Build

```dockerfile
FROM node:20-slim AS builder
RUN corepack enable
WORKDIR /app
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
COPY packages/*/package.json ./packages/
RUN pnpm install --frozen-lockfile
COPY . .
RUN pnpm build

FROM node:20-slim AS runner
RUN corepack enable
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/package.json ./
COPY --from=builder /app/pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile --prod
CMD ["node", "dist/index.js"]
```

## Key CI Flags

```bash
--frozen-lockfile  # Always use in CI
--prefer-offline   # Use cached packages
--ignore-scripts   # Faster (careful: some deps need scripts)
```

## Corepack

```json
// package.json - Specify exact pnpm version
{
  "packageManager": "pnpm@10.28.2"
}
```

```yaml
# CI
- run: corepack enable
- run: pnpm install --frozen-lockfile
```

**Note:** pnpm 11+ ships with its own Node.js version and doesn't rely on system installation.

## Migration from npm

```bash
rm -rf node_modules package-lock.json
pnpm install
```

## Migration from Yarn

```bash
rm -rf node_modules yarn.lock
rm -rf .yarn .yarnrc.yml  # Yarn Berry
pnpm install
```

## Import Lockfile

```bash
pnpm import  # Creates pnpm-lock.yaml from existing lockfile
```

## Handling Phantom Dependencies

pnpm is strict - imports must be in package.json:

```bash
# Error: lodash not found (it's a transitive dep)
# Solution: add it explicitly
pnpm add lodash
```

## Symlink Issues

Some tools don't work with symlinks:

```ini
# .npmrc - Use npm-like flat structure
node-linker=hoisted
```

Or hoist specific packages:

```ini
public-hoist-pattern[]=*eslint*
public-hoist-pattern[]=*babel*
```

## Monorepo Migration

1. Create `pnpm-workspace.yaml`:

   ```yaml
   packages:
     - 'packages/*'
   ```

2. Update internal deps to workspace protocol:

   ```json
   { "@myorg/utils": "workspace:^" }
   ```

3. Install:

   ```bash
   rm -rf node_modules packages/*/node_modules
   pnpm install
   ```

## Performance Tips

```ini
# .npmrc
prefer-offline=true
side-effects-cache=true
workspace-concurrency=4
onlyBuiltDependencies[]=esbuild
onlyBuiltDependencies[]=@swc/core
```

```bash
# Build changed only
pnpm --filter "...[origin/main]" build

# Parallel workspace
pnpm -r --parallel run test

# Clean store (v10.27+ includes global virtual store)
pnpm store prune
```

## Security Best Practices

```bash
# CI - prevent script execution
pnpm install --frozen-lockfile --ignore-scripts

# Use exact lockfile (prevents supply chain attacks)
pnpm install --frozen-lockfile

# Audit dependenci
```
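
The flags listed under Key CI Flags and Security Best Practices can be checked mechanically before a pipeline change is merged. The following Node.js check is an added example, not part of the skill or of pnpm: the function `auditPnpmPipeline` and its rule names are hypothetical, and the sample input is constructed. It flags `pnpm install` commands without `--frozen-lockfile` or `--ignore-scripts`, a floating `pnpm@latest`, and a `packageManager` field that is not an exact version.

```javascript
// Added example: auditPnpmPipeline and the rule names are hypothetical.
const INSTALL_RE = /\bpnpm\s+(?:install|i)\b[^\n]*/g;
// Exact x.y.z version, optionally followed by a Corepack integrity hash.
const PINNED_RE = /^pnpm@\d+\.\d+\.\d+(?:\+sha\d+\.[0-9a-f]+)?$/i;

function auditPnpmPipeline(ciText, packageJsonText) {
  const findings = [];
  ciText.split('\n').forEach((line, idx) => {
    if (/^\s*#/.test(line)) return; // skip whole-line comments
    const where = `line ${idx + 1}`;
    for (const cmd of line.match(INSTALL_RE) || []) {
      // --frozen-lockfile fails the install when lockfile and manifest disagree.
      if (!/--frozen-lockfile\b/.test(cmd)) {
        findings.push({ severity: 'error', rule: 'unfrozen-install', where });
      }
      // --ignore-scripts stops install-time lifecycle scripts; only a warning,
      // because some dependencies need their build scripts.
      if (!/--ignore-scripts\b/.test(cmd)) {
        findings.push({ severity: 'warn', rule: 'lifecycle-scripts-enabled', where });
      }
    }
    // A floating tag means each run may use a different pnpm release.
    if (/\bpnpm@latest\b/.test(line)) {
      findings.push({ severity: 'error', rule: 'floating-pnpm-version', where });
    }
  });
  const pkg = JSON.parse(packageJsonText);
  if (!PINNED_RE.test(pkg.packageManager || '')) {
    findings.push({ severity: 'error', rule: 'packageManager-not-pinned', where: 'package.json' });
  }
  return findings;
}

// Constructed sample input, modelled on the GitLab CI snippet on this page.
const SAMPLE_CI = [
  'before_script:',
  '  - corepack enable',
  '  - corepack prepare pnpm@latest --activate',
  'install:',
  '  script:',
  '    - pnpm install --frozen-lockfile',
  '    - pnpm install',
].join('\n');
const SAMPLE_PKG = JSON.stringify({ packageManager: 'pnpm@10.28.2' });

for (const f of auditPnpmPipeline(SAMPLE_CI, SAMPLE_PKG)) {
  console.log(`${f.severity}\t${f.rule}\t${f.where}`);
}
```

The check is a line-based text scan, so it also works on a Dockerfile; treat `warn` findings as review prompts rather than build failures.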