diff --git a/README.md b/README.md index e49c1172..b9c2fa3c 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,7 @@ Since it will not be cached always, there is possibility of hitting rate limit w ### Checking in lockfiles -It's **always** recommended to commit the lockfile of your package manager for security and performance reasons. For more information consult the "Working with lockfiles" section of the [Advanced usage](docs/advanced-usage.md#working-with-lockfiles) guide. +It's **strongly recommended** to commit the lockfile of your package manager for security and performance reasons. For more information consult the "Working with lockfiles" section of the [Advanced usage](docs/advanced-usage.md#working-with-lockfiles) guide. ## Caching global packages data @@ -249,6 +249,7 @@ If the runner is not able to access github.com, any Nodejs versions requested du - [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm) - [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn) - [Using private packages](docs/advanced-usage.md#use-private-packages) + - [Using private mirror](docs/advanced-usage.md#use-private-mirror) ## Recommended permissions diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md index 851e261b..ee265a69 100644 --- a/docs/advanced-usage.md +++ b/docs/advanced-usage.md @@ -1,6 +1,6 @@ ## Working with lockfiles -All supported package managers recommend that you **always** commit the lockfile, although implementations vary doing so generally provides the following benefits: +Most supported package managers recommend that you **always** commit the lockfile, although implementations vary doing so generally provides the following benefits: - Enables faster installation for CI and production environments, due to being able to skip package resolution. - Describes a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies. @@ -35,6 +35,25 @@ Ensure that `pnpm-lock.yaml` is always committed, when on CI pass `--frozen-lock - [Working with Git - Lockfiles](https://pnpm.io/git#lockfiles) - [Documentation of `--frozen-lockfile` option](https://pnpm.io/cli/install#--frozen-lockfile) +### Running without a lockfile + +If you choose not to use a lockfile, you must ensure that **caching is disabled**. The `cache` feature relies on the lockfile to generate a unique key for the cache entry. + +To run without a lockfile: +1. Do not set the `cache` input. +2. If your `package.json` contains a `packageManager` field set to npm (or devEngines.packageManager), automatic caching is enabled by default. Override this by setting `package-manager-cache: false`. + +```yaml +steps: +- uses: actions/checkout@v6 +- uses: actions/setup-node@v6 + with: + node-version: '24' + package-manager-cache: false # Explicitly disable caching if you don't have a lockfile +- run: npm install +- run: npm test +``` + ## Check latest version The `check-latest` flag defaults to `false`. When set to `false`, the action will first check the local cache for a semver match. If unable to find a specific version in the cache, the action will attempt to download a version of Node.js. It will pull LTS versions from [node-versions releases](https://github.com/actions/node-versions/releases) and on miss or failure will fall back to the previous behavior of downloading directly from [node dist](https://nodejs.org/dist/). Use the default or set `check-latest` to `false` if you prefer stability and if you want to ensure a specific version of Node.js is always used.