From 9b164dd185c9c013e3a03fed1f79d08526987d5e Mon Sep 17 00:00:00 2001
From: shubham-mermaid <shubham@mermaidchart.com>
Date: Thu, 26 Jun 2025 14:41:03 +0530
Subject: [PATCH 1/2] Added step to install pnpm and echo statements for
 debugging.

---
 .github/workflows/validate-lockfile.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml
index 38c71adaa..d3e9b58b6 100644
--- a/.github/workflows/validate-lockfile.yml
+++ b/.github/workflows/validate-lockfile.yml
@@ -21,6 +21,11 @@ jobs:
         with:
           node-version: 20
 
+      - name: Install pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          version: 8
+
       - name: Validate pnpm-lock.yaml entries
         id: validate # give this step an ID so we can reference its outputs
         run: |
@@ -28,17 +33,20 @@ jobs:
 
           # 1) No tarball references
           if grep -qF 'tarball:' pnpm-lock.yaml; then
+            echo "• Tarball references found"
             issues+=("• Tarball references found (forbidden)")
           fi
 
           # 2) No unwanted vitepress paths
           if grep -qF 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then
+            echo "• Disallowed path 'packages/mermaid/src/vitepress'"
             issues+=("• Disallowed path 'packages/mermaid/src/vitepress' present. Run `rm -rf packages/mermaid/src/vitepress && pnpm install` to regenerate.")
           fi
 
           # 3) Lockfile only changes when package.json changes
           git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed.txt
           if grep -q '^pnpm-lock.yaml$' changed.txt && ! grep -q 'package.json' changed.txt; then
+            echo "• pnpm-lock.yaml changed without any package.json modification"
             issues+=("• pnpm-lock.yaml changed without any package.json modification")
           fi
 

From 037bec189ca0f8349f8d2b940279da7edd1f2eed Mon Sep 17 00:00:00 2001
From: shubham-mermaid <shubham@mermaidchart.com>
Date: Thu, 26 Jun 2025 17:43:06 +0530
Subject: [PATCH 2/2] Updated as per suggestions

---
 .github/workflows/validate-lockfile.yml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/.github/workflows/validate-lockfile.yml b/.github/workflows/validate-lockfile.yml
index d3e9b58b6..6eb0a63ca 100644
--- a/.github/workflows/validate-lockfile.yml
+++ b/.github/workflows/validate-lockfile.yml
@@ -21,10 +21,7 @@ jobs:
         with:
           node-version: 20
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 8
+      - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Validate pnpm-lock.yaml entries
         id: validate # give this step an ID so we can reference its outputs
@@ -33,20 +30,17 @@ jobs:
 
           # 1) No tarball references
           if grep -qF 'tarball:' pnpm-lock.yaml; then
-            echo "• Tarball references found"
             issues+=("• Tarball references found (forbidden)")
           fi
 
           # 2) No unwanted vitepress paths
           if grep -qF 'packages/mermaid/src/vitepress' pnpm-lock.yaml; then
-            echo "• Disallowed path 'packages/mermaid/src/vitepress'"
             issues+=("• Disallowed path 'packages/mermaid/src/vitepress' present. Run `rm -rf packages/mermaid/src/vitepress && pnpm install` to regenerate.")
           fi
 
           # 3) Lockfile only changes when package.json changes
           git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > changed.txt
           if grep -q '^pnpm-lock.yaml$' changed.txt && ! grep -q 'package.json' changed.txt; then
-            echo "• pnpm-lock.yaml changed without any package.json modification"
             issues+=("• pnpm-lock.yaml changed without any package.json modification")
           fi