rendobar · a-essawy · Jun 6, 2026 · Jun 6, 2026 · Jun 6, 2026
diff --git a/.github/workflows/cli-binaries.yml b/.github/workflows/cli-binaries.yml
@@ -42,7 +42,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
 
       - name: Get pnpm store directory
         shell: bash

diff --git a/.github/workflows/drift-check.yml b/.github/workflows/drift-check.yml
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Compare @rendobar/sdk dep vs npm latest
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - run: pnpm install --frozen-lockfile

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0

diff --git a/.github/workflows/watchdog.yml b/.github/workflows/watchdog.yml
@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Detect silent release skip
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/package.json b/package.json
@@ -38,5 +38,5 @@
     "lefthook": "^2.0.0",
     "typescript": "^6.0.0"
   },
-  "packageManager": "pnpm@9.15.9"
+  "packageManager": "pnpm@11.5.2"
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -0,0 +1,13 @@
+# pnpm 11 blocks dependency build scripts by default. lefthook needs its
+# postinstall to install the git hooks behind the commit-msg / pre-commit guards
+# (pnpm 9 ran these automatically).
+allowBuilds:
+  lefthook: true
+
+# pnpm 11 also enables a minimumReleaseAge supply-chain policy by default, which
+# rejects any dependency published within the cooldown window. The drift-check
+# cron bumps @rendobar/sdk to its newest release the same day it publishes, so
+# the default would intermittently fail `pnpm install --frozen-lockfile` in CI
+# until each release "ages in". Disable it to keep CI deterministic; SDK
+# provenance is already covered by npm publish attestations.
+minimumReleaseAge: 0