chore: add devcontainer and convert to pnpm (#47)

This patch sets up a devcontainer for working locally. As well as
converts to pnpm for the package manager.

Author: Garbee

.devcontainer/Dockerfile

@@ -0,0 +1,117 @@
+FROM node:24-bookworm-slim AS node-src
+FROM rhysd/actionlint:1.7.8 AS actionlint-src
+FROM ghcr.io/hadolint/hadolint:v2.14.0-debian AS hadolint-src
+FROM ghcr.io/zizmorcore/zizmor:1.21.0 AS zizmor-src
+
+# Just setting this one up for re-use so it only needs to be updated in one place.
+# Useful in case we add new stages so the same base is used everywhere.
+FROM ubuntu:noble-20260113 AS base-runtime
+
+FROM base-runtime AS dev-runtime
+
+SHELL ["/bin/bash", "-euC", "-o", "pipefail", "-c"]
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+ENV NODE_ENV=development \
+    NPM_CONFIG_PREFIX=/usr/local \
+    PNPM_HOME=/opt/pnpm \
+    PNPM_STORE_PATH=/pnpm-store \
+    PATH="/home/ubuntu/.local/bin:/usr/local/lib/node_modules/bin:/opt/pnpm:/usr/local/go/bin:/usr/local/bin:/usr/bin:${PATH}"
+
+RUN <<EOF
+GLOBAL_NODE_MODULES="/usr/local/lib/node_modules"
+groupadd -r docker
+usermod -aG staff ubuntu
+usermod -aG docker ubuntu
+usermod -aG docker root
+chown -R root:staff /usr/local/bin
+mkdir -p "${GLOBAL_NODE_MODULES}" \
+  "${PNPM_HOME}" \
+  "${PNPM_STORE_PATH}" \
+  /etc/apt/sources.list.d \
+  /etc/apt/keyrings
+chmod 755 /etc/apt/keyrings
+chmod 755 /etc/apt/sources.list.d
+chmod -R 0775 "${PNPM_HOME}" "${GLOBAL_NODE_MODULES}" /usr/local/bin
+chmod -R 0777 "${PNPM_STORE_PATH}"
+chown -R ubuntu:staff "${PNPM_HOME}" "${PNPM_STORE_PATH}" "${GLOBAL_NODE_MODULES}"
+chmod -R g+sw "${PNPM_HOME}" "${PNPM_STORE_PATH}" "${GLOBAL_NODE_MODULES}"
+EOF
+
+# Bring in toolchains/artifacts (optimized with --link)
+COPY --link --from=hadolint-src   /bin/hadolint /usr/local/bin/
+COPY --link --from=zizmor-src      /usr/bin/zizmor /usr/local/bin/zizmor
+## Actionlint also has shellcheck in its bin
+COPY --link --from=actionlint-src  /usr/local/bin/ /usr/local/bin/
+
+# Symlink-dependent toolchains (cannot use --link)
+COPY --from=node-src \
+  --chown=0:50 \
+  --exclude=*CHANGELOG.md \
+  --exclude=*README.md \
+  --exclude=bin/docker-entrypoint.sh \
+  /usr/local/ /usr/local/
+COPY --from=node-src \
+  --chown=0:50 \
+  /opt /opt
+
+RUN --mount=type=cache,target=/var/cache/apt,id=apt-archives,sharing=shared \
+  --mount=type=cache,target=/var/lib/apt/lists,id=apt-lists,sharing=locked \
+  <<EOF
+apt-get update
+apt-get install -y --no-install-recommends \
+  curl \
+  software-properties-common \
+  ca-certificates
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+chmod 0044 /etc/apt/keyrings/githubcli-archive-keyring.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+apt-get update
+apt-get install -y --no-install-recommends \
+  gh \
+  git \
+  sudo
+
+# Setup sudo access
+echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu
+chmod 0440 /etc/sudoers.d/ubuntu
+
+# Global npm configuration
+## This sets config for both root and regular users.
+## Use the heredoc syntax so we also get comments in the image for reference in-use.
+cat > /usr/local/etc/npmrc <<EONPMRC
+## Disable funding messages and automatic audits
+fund=false
+audit=false
+## Prefer the offline modules when possible to speed up installs
+## Particularly useful in CI environments with caching enabled
+prefer-offline=true
+## Help network or registry issues by massaging the network config
+## It is balanced to slowly back off up to the 120ms max on the
+## final attempt.
+## It should go like this: 3.75s, 7.5s, 15s, 30s, 60s, 120s.
+## We politely back-off and delay instead of rushing retries
+## so the registry is not hammered to cause an outage.
+fetch-retries=6
+fetch-retry-factor=2
+fetch-retry-mintimeout=3750
+fetch-retry-maxtimeout=120000
+## Setup logging to be more efficient for containers
+## Keep the default log level, but discard logs going to a fail.
+loglevel=notice
+logs-dir=/dev/null
+EONPMRC
+
+# Install pnpm globally
+curl -fsSL https://get.pnpm.io/install.sh | \
+  env PNPM_HOME="${PNPM_HOME}" \
+      SHELL=/bin/bash \
+  bash -
+
+# Install GitHub copilot
+curl -fsSL https://gh.io/copilot-install | bash
+
+EOF
+
+WORKDIR /workspace

.devcontainer/devcontainer.json

@@ -0,0 +1,24 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/typescript-node
+{
+	"name": "Runner Resource Usage",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"build": {
+		"dockerfile": "Dockerfile"
+	},
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "yarn install",
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	"remoteUser": "ubuntu"
+}

.github/agents/trunk-based-dev.agent.md

@@ -466,20 +466,20 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '24'
-          cache: 'npm'
-      - run: npm ci
-      - run: npm test
-      - run: npm run build
-      
+          cache: 'pnpm'
+      - run: pnpm ci
+      - run: pnpm test
+      - run: pnpm build
+
   dist-check:
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     steps:
       - uses: actions/checkout@v4
       - name: Verify dist/ is up to date
         run: |
-          npm ci
-          npm run build
+          pnpm ci
+          pnpm build
           git diff --exit-code dist/
 ```
 

.github/workflows/actionlint.yml

@@ -45,7 +45,7 @@ jobs:
         run: actionlint -format "$(cat .github/formatters/actionlint-sarif.gotmpl)" .github/workflows/*.yml > actionlint.sarif
       - name: Upload SARIF File
         if: ${{ always() }} # Ensure this runs even if the actionlint step fails, so we get results in the Security tab.
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           sarif_file: actionlint.sarif
           category: actionlint

.github/workflows/codeql.yml

@@ -36,11 +36,11 @@ jobs:
       - name: Start Workflow Telemetry
         uses: ./
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/copilot-setup-steps.yml

@@ -46,13 +46,15 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
+      - name: Setup pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: .node-version
-          cache: npm
+          cache: pnpm
       - name: Install Dependencies
-        run: npm ci
+        run: pnpm install
       - name: Install Actionlint
         env:
           TMP_DIR: ${{ runner.temp }}

.github/workflows/test-action.yml

@@ -40,16 +40,20 @@ jobs:
       - name: Start Workflow Telemetry
         uses: ./
 
+      - name: Setup pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+
       - name: Setup Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          node-version: "24"
+          node-version-file: .node-version
+          cache: pnpm
 
       - name: Install Dependencies
-        run: npm ci
+        run: pnpm install
 
       - name: Run Tests
-        run: npm test
+        run: pnpm test
 
   test-resource-load:
     name: Test with Resources Under Load (${{ matrix.os }})
@@ -87,7 +91,7 @@ jobs:
         run: |
           set -euo pipefail
           echo "Starting CPU-intensive activity for 15 seconds..."
-          
+
           # Create test file based on OS
           if [[ "$RUNNER_OS" == "Windows" ]]; then
             echo "Creating 5GB test file on Windows..."
@@ -134,7 +138,7 @@ jobs:
         run: |
           set -euo pipefail
           echo "Starting memory-intensive activity for 15 seconds..."
-          
+
           # Determine memory allocation size based on OS
           # macOS runners have less memory available, so we allocate less
           if [[ "$RUNNER_OS" == "macOS" ]]; then
@@ -144,7 +148,7 @@ jobs:
             export ARRAY_COUNT=50
             echo "Running on $RUNNER_OS - allocating ~500MB of memory"
           fi
-          
+
           node -e "
           const arrays = [];
           const startTime = Date.now();

.gitignore

@@ -135,6 +135,7 @@ build/Release
 
 # Dependency directories
 node_modules/
+.pnpm-store/
 jspm_packages/
 
 # Snowpack dependency directory (https://snowpack.dev/)

CLAUDE.md

@@ -38,8 +38,8 @@ When updating one, update the other accordingly. Note that action.yml's descript
 Requires Node.js 24.x.
 
 ```bash
-npm ci                         # Install dependencies
-npm test                       # Run all tests
+pnpm install   # Install dependencies
+pnpm test      # Run all tests
 ```
 
 ## Architecture

README.md

@@ -115,7 +115,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run tests
-        run: npm test
+        run: pnpm test
 
       # ... other steps
 ```
@@ -149,7 +149,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run tests
-        run: npm test
+        run: pnpm test
 
       # ... other steps
 ```
@@ -196,7 +196,7 @@ The `runner.debug` context is documented in the [GitHub Actions contexts referen
 ### 1. Install Dependencies
 
 ```bash
-npm ci
+pnpm ci
 ```
 
 This automatically runs gitleaks on commit.
@@ -206,10 +206,10 @@ It checks for sensitive information like API keys or tokens.
 
 ```bash
 # Bundle for operation in a workflow
-npm run build
+pnpm build
 
 # Run unit tests (Node test runner)
-npm test
+pnpm test
 ```
 
 ## Project Structure