feat(FR-2840): migrate to pnpm v11

.github/actions/daily-test-improver/coverage-steps/action.yml

@@ -8,7 +8,7 @@ runs:
     - name: Install pnpm
       uses: pnpm/action-setup@v5
       with:
-        version: 10
+        version: 11
         run_install: false
 
     - name: Setup Node.js
@@ -36,7 +36,7 @@ runs:
       shell: bash
       run: |
         echo "Step: Installing dependencies..." >> coverage-steps.log
-        pnpm install --no-frozen-lockfile 2>&1 | tee -a coverage-steps.log
+        pnpm install --frozen-lockfile 2>&1 | tee -a coverage-steps.log
 
     # Step 3: Build and test React project with coverage
     - name: Build React GraphQL types

.github/aw/actions-lock.json

@@ -30,10 +30,10 @@
       "version": "v0.34.5",
       "sha": "3de4a6a6d15bb07764b207e40da8c7047474a335"
     },
-    "pnpm/action-setup@v4": {
+    "pnpm/action-setup@v5": {
       "repo": "pnpm/action-setup",
-      "version": "v4",
-      "sha": "c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c"
+      "version": "v5",
+      "sha": "a8198c4bff370c8506180b035930dea56dbd5288"
     }
   }
 }

.github/workflows/e2e-healer.md

@@ -60,9 +60,9 @@ steps:
   - uses: actions/setup-node@v4
     with:
       node-version: '20'
-  - uses: pnpm/action-setup@v4
+  - uses: pnpm/action-setup@v5
     with:
-      version: 10
+      version: 11
   - name: Print E2E endpoints
     run: |
       echo "=== E2E Test Configuration ==="

.github/workflows/e2e-watchdog.md

@@ -51,9 +51,9 @@ steps:
   - uses: actions/setup-node@v4
     with:
       node-version: '20'
-  - uses: pnpm/action-setup@v4
+  - uses: pnpm/action-setup@v5
     with:
-      version: 10
+      version: 11
   - name: Print E2E endpoints
     run: |
       echo "=== E2E Test Configuration ==="

.github/workflows/package.yml

@@ -45,7 +45,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Install Node.js
@@ -55,7 +55,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install Dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
 
       - name: Build web assets
         run: make dep_web
@@ -100,7 +100,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Install Node.js
@@ -110,7 +110,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install Dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
 
       - name: Download web build artifacts
         uses: actions/download-artifact@v5
@@ -168,7 +168,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Install Node.js
@@ -178,7 +178,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install Dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
 
       - name: Download web build artifacts
         uses: actions/download-artifact@v5
@@ -234,7 +234,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Install Node.js
@@ -244,7 +244,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install Dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
 
       # backend.ai-docs-toolkit ships its `docs-toolkit` CLI as the package
       # bin, but it lives at dist/cli.js which only exists after `tsc` runs.
@@ -255,7 +255,7 @@ jobs:
       - name: Build docs-toolkit and link CLI
         run: |
           pnpm --filter backend.ai-docs-toolkit run build
-          pnpm install --no-frozen-lockfile
+          pnpm install --frozen-lockfile
 
       # Cache the Playwright browser binaries (~150 MB Chromium download).
       # The lockfile hash keys the cache so a Playwright version bump

.github/workflows/publish-backend.ai-docs-toolkit.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
       - name: Install Node.js
         uses: actions/setup-node@v5

.github/workflows/publish-backend.ai-ui.yml

@@ -21,7 +21,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
       - name: Install Node.js
         uses: actions/setup-node@v5

.github/workflows/vitest.yml

@@ -59,7 +59,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
       - uses: actions/setup-node@v5
         with:
@@ -78,7 +78,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       - name: Install dependencies
         working-directory: .
-        run: pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
       - name: Run ESLint on React
         run: pnpm run lint
       - name: Run relay-compiler
@@ -104,7 +104,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
       - uses: actions/setup-node@v5
         with:
@@ -123,7 +123,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       - name: Install dependencies
         working-directory: .
-        run: pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
       - name: Run ESLint on backend.ai-ui
         run: pnpm run lint
       - name: Run relay-compiler
@@ -143,10 +143,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
       - uses: actions/setup-node@v5
         with:
@@ -164,7 +164,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
       - name: Install dependencies
-        run: pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile
+        run: pnpm install --frozen-lockfile
       - name: Run Vitest with coverage
         run: pnpm exec vitest run --coverage
       - name: Report coverage on PR

.github/workflows/weekly-merge-branch-lockfiles.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: pnpm/action-setup@v5
         name: Install pnpm
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - uses: actions/setup-node@v5
@@ -31,7 +31,7 @@ jobs:
           cache: "pnpm"
 
       - name: Merge branch lockfiles into pnpm-lock.yaml
-        run: pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile
+        run: pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile --config.minimum-release-age=0
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v7

.npmrc

@@ -1 +1 @@
-engine-strict=true
+# auth/registry overrides only — pnpm-specific settings live in pnpm-workspace.yaml

.specs/FR-2840-pnpm-v11-migration/dev-plan.md

@@ -0,0 +1,68 @@
+# Dev Plan: pnpm v11 Migration
+
+- **Spec**: `.specs/FR-2840-pnpm-v11-migration/spec.md`
+- **Epic**: FR-2840 — https://lablup.atlassian.net/browse/FR-2840
+- **GitHub epic issue**: #7296
+- **Delivery shape**: single sub-task → single PR (per direction)
+
+## Sub-tasks
+
+| # | Title | Tracker | Depends on | PR |
+|---|---|---|---|---|
+| 1 | Migrate config, workflows, and lockfile to pnpm v11 | FR-2840 (this issue) | — | TBD (single PR) |
+
+The migration is intentionally not split because:
+
+- The lockfile regen, the config moves (`pnpm.overrides` → `pnpm-workspace.yaml`), the `onlyBuiltDependencies` → `allowBuilds` conversion, and the workflow `version: 11` bump must land **atomically** to keep CI green at every commit. Splitting would force one of:
+  - Land config-only first → CI installs still on v10, can't validate v11 install.
+  - Land workflow bump first → CI tries v11 install with v10 config → guaranteed `ERR_PNPM_UNSUPPORTED_ENGINE` again.
+- Documentation and `engine-strict` cleanup are too small to merit separate PRs.
+
+## Sub-task 1 — execution outline
+
+Mapped 1:1 to spec §5.
+
+1. **Config moves** (no install yet, no lockfile change)
+   - `package.json`: bump `engines.pnpm`, drop `pnpm` field, add `packageManager`.
+   - `pnpm-workspace.yaml`: add `overrides`, swap `onlyBuiltDependencies` → `allowBuilds`.
+   - `.npmrc`: drop `engine-strict=true`, leave a one-line comment explaining v11 auth/registry scope.
+
+2. **Workflow bump**
+   - Sed `version: 10` → `version: 11` across all 6 affected files (11 occurrences).
+   - `vitest.yml:146` `pnpm/action-setup@v4` → `@v5` cleanup.
+
+3. **Switch local pnpm to 11.x**
+   - Use whatever method the contributor has (`corepack` or `npm i -g pnpm@11`). Local dev only — not part of the diff.
+
+4. **Lockfile regenerate**
+   - To regenerate the canonical lockfile under pnpm 11 (one-time during this PR), the contributor needs to bypass `minimumReleaseAge` because of upstream bugs in v11 (spec §5.4.1, [pnpm/pnpm#9963](https://github.com/pnpm/pnpm/issues/9963), [pnpm/pnpm#10699](https://github.com/pnpm/pnpm/issues/10699)):
+
+     ```bash
+     pnpm install --merge-git-branch-lockfiles --no-frozen-lockfile --config.minimum-release-age=0
+     ```
+
+     This command is for the migration commit only. CI itself does **not** run this — see step 5.
+   - Reviewer must confirm:
+     - `lockfileVersion: '9.0'` retained.
+     - No `version:` line on a published package moved unintentionally (semver ranges are unchanged → drift is the surprise).
+     - `settings:` block adopts v11 defaults — call out in PR body.
+     - Per-branch `pnpm-lock.<branch>.yaml` files are NOT touched (`weekly-merge-branch-lockfiles.yml` handles those).
+   - After this regen, every CI install lane runs `pnpm install --frozen-lockfile` against the resulting lockfile. No re-resolution happens in CI, so the `--config.minimum-release-age=0` override is not needed in CI workflows (with the single intrinsic exception of `weekly-merge-branch-lockfiles.yml`, which exists precisely to re-resolve and merge branch lockfiles).
+
+5. **Local verification**
+   - Run spec §6.1 checklist.
+   - Capture `pnpm -v`, `bash scripts/verify.sh` output, and `pnpm run build` outcome in the PR description.
+
+6. **Submit**
+   - Branch off `main` (post-merge state of #7297 means workflows are on `version: 10`, baseline is consistent).
+   - PR description includes the §8 acceptance checklist for the reviewer to tick.
+   - Submit as draft → multi-agent review → flip to ready-for-review → Copilot → resolve → merge gate.
+
+## Hand-off to implementation
+
+Implementation agent receives:
+
+- Spec path: `.specs/FR-2840-pnpm-v11-migration/spec.md`
+- This dev plan (single sub-task).
+- Authority to add `allowBuilds` entries with justification comments if v11 install demands it (spec §5.2 last paragraph).
+- **No** authority to upgrade unrelated deps, drop `gitBranchLockfile`, or change `minimumReleaseAge` policy (spec §4 out-of-scope list).