From 1f25f3cd47842b7c73f9870d7f12dcce284332be Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 6 Jun 2026 22:07:04 +0000
Subject: [PATCH 1/2] chore(deps): bump pnpm to v11

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 6ff53e3..2c9cf2e 100644
--- a/package.json
+++ b/package.json
@@ -38,5 +38,5 @@
     "lefthook": "^2.0.0",
     "typescript": "^6.0.0"
   },
-  "packageManager": "pnpm@9.15.9"
+  "packageManager": "pnpm@11.5.2"
 }

From bc53e390d50cf6dfadbcfb78622048ec4fab5e3d Mon Sep 17 00:00:00 2001
From: Abdelrahman Essawy <abdelrahman.mo.essawy@gmail.com>
Date: Sun, 7 Jun 2026 01:24:58 +0300
Subject: [PATCH 2/2] build: make the pnpm 11 bump pass CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The packageManager bump to pnpm@11.5.2 broke every job: pnpm 11 requires
Node >= 22.13 (it loads node:sqlite), but all workflows pinned Node 20, so
install crashed before doing anything.

- bump node-version 20 -> 22 in all five workflows (test, pr-title,
  cli-binaries, drift-check, watchdog); binaries still compile under bun, Node
  is only used for pnpm + tooling scripts
- add pnpm-workspace.yaml with two pnpm-11 defaults neutralized:
  - allowBuilds.lefthook: true — pnpm 11 blocks dependency build scripts by
    default; lefthook needs its postinstall to install the git hooks
  - minimumReleaseAge: 0 — pnpm 11's release-age policy rejects deps published
    inside the cooldown window, which would intermittently fail
    --frozen-lockfile whenever drift-check bumps @rendobar/sdk the same day it
    publishes

Verified locally: pnpm@11.5.2 install --frozen-lockfile exits 0 with no
lockfile drift.
---
 .github/workflows/cli-binaries.yml |  2 +-
 .github/workflows/drift-check.yml  |  2 +-
 .github/workflows/pr-title.yml     |  2 +-
 .github/workflows/test.yml         |  2 +-
 .github/workflows/watchdog.yml     |  2 +-
 pnpm-workspace.yaml                | 13 +++++++++++++
 6 files changed, 18 insertions(+), 5 deletions(-)
 create mode 100644 pnpm-workspace.yaml

diff --git a/.github/workflows/cli-binaries.yml b/.github/workflows/cli-binaries.yml
index 53794fa..86bf417 100644
--- a/.github/workflows/cli-binaries.yml
+++ b/.github/workflows/cli-binaries.yml
@@ -42,7 +42,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
 
       - name: Get pnpm store directory
         shell: bash
diff --git a/.github/workflows/drift-check.yml b/.github/workflows/drift-check.yml
index 5eb485f..57c8523 100644
--- a/.github/workflows/drift-check.yml
+++ b/.github/workflows/drift-check.yml
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Compare @rendobar/sdk dep vs npm latest
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index efc09b1..ede3d98 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - run: pnpm install --frozen-lockfile
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f587de1..8d2077e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
diff --git a/.github/workflows/watchdog.yml b/.github/workflows/watchdog.yml
index d9f73c8..f5d520a 100644
--- a/.github/workflows/watchdog.yml
+++ b/.github/workflows/watchdog.yml
@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Detect silent release skip
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..d3c8c18
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,13 @@
+# pnpm 11 blocks dependency build scripts by default. lefthook needs its
+# postinstall to install the git hooks behind the commit-msg / pre-commit guards
+# (pnpm 9 ran these automatically).
+allowBuilds:
+  lefthook: true
+
+# pnpm 11 also enables a minimumReleaseAge supply-chain policy by default, which
+# rejects any dependency published within the cooldown window. The drift-check
+# cron bumps @rendobar/sdk to its newest release the same day it publishes, so
+# the default would intermittently fail `pnpm install --frozen-lockfile` in CI
+# until each release "ages in". Disable it to keep CI deterministic; SDK
+# provenance is already covered by npm publish attestations.
+minimumReleaseAge: 0