@codfish/actions 1.1.0 → 2.0.0

package/.github/workflows/claude.yml

@@ -24,7 +24,6 @@ jobs:
       contents: read
       pull-requests: read
       issues: read
-      id-token: write
 
     steps:
       - name: Checkout repository

package/AGENT.md

@@ -62,7 +62,8 @@ This project uses **pnpm** as the package manager. All commands should use pnpm:
 - `comment` - Creates or updates pull request comments with intelligent upsert functionality using unique tags
   - **IMPORTANT**: Any job using the comment action must include `permissions: pull-requests: write`
 - `setup-node-and-install` - Sets up Node.js environment and installs dependencies with automatic package manager
-  detection, intelligent caching, and .nvmrc/.node-version support
+  detection, intelligent caching, and dynamic Node version detection via input, `.node-version`, `.nvmrc`, or
+  `package.json` `volta.node`. Validation is relaxed; the action no longer fails when no version is detected.
 
 ## Testing
 
@@ -127,3 +128,22 @@ The project implements multiple security measures:
 - **Vulnerability auditing**: Regular pnpm audit checks
 - **Note**: Dependency review requires GitHub Advanced Security (available free on public repos, paid feature for
   private repos)
+
+## Code Quality and File Editing Rules
+
+### Bats File Editing Rules
+
+**CRITICAL**: After editing any `.bats` file, ALWAYS check for and remove trailing spaces:
+
+1. Run: `grep -n " $" path/to/file.bats`
+2. If any trailing spaces are found, remove them immediately
+3. Bats files are NOT automatically formatted by eslint/prettier, so manual cleanup is required
+4. Trailing spaces in bats files can cause test execution issues
+
+### General File Editing Guidelines
+
+- Do what has been asked; nothing more, nothing less
+- NEVER create files unless they're absolutely necessary for achieving your goal
+- ALWAYS prefer editing an existing file to creating a new one
+- NEVER proactively create documentation files (\*.md) or README files. Only create documentation files if explicitly
+  requested by the User

package/README.md

@@ -67,7 +67,7 @@ automatically comments on PR
 
 | Input          | Description                                                                         | Required | Default          |
 | -------------- | ----------------------------------------------------------------------------------- | -------- | ---------------- |
-| `npm-token`    | Registry authentication token with publish permissions (works with npm/yarn/pnpm)   | No       | -                |
+| `npm-token`    | Registry authentication token with publish permissions (works with npm/yarn/pnpm)   | Yes      | -                |
 | `github-token` | GitHub token with pull request comment permissions (typically secrets.GITHUB_TOKEN) | Yes      | -                |
 | `comment`      | Whether to comment on the PR with the published version (true/false)                | No       | `true`           |
 | `comment-tag`  | Tag to use for PR comments (for comment identification and updates)                 | No       | `npm-publish-pr` |
@@ -101,16 +101,21 @@ steps:
 ### [setup-node-and-install](./setup-node-and-install/)
 
 Sets up Node.js environment and installs dependencies with automatic package manager detection (npm/pnpm/yarn),
-intelligent caching, and .nvmrc/.node-version support
+intelligent caching, and version detection via input, .node-version, .nvmrc, or package.json volta.node
 
 **Inputs:**
 
-| Input               | Description                                                                                           | Required | Default |
-| ------------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
-| `node-version`      | Node.js version to install (e.g. '24', 'lts/\*'). Defaults to .nvmrc or .node-version file if present | No       | -       |
-| `cache-key-suffix`  | Additional suffix for cache key to enable multiple caches per workflow                                | No       | -       |
-| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install                                           | No       | -       |
-| `working-directory` | Directory containing package.json and lockfile                                                        | No       | `.`     |
+| Input               | Description                                                                                                                          | Required | Default |
+| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------- |
+| `node-version`      | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node. | No       | -       |
+| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install.                                                                         | No       | -       |
+| `working-directory` | Directory containing package.json and lockfile.                                                                                      | No       | `.`     |
+
+**Outputs:**
+
+| Output      | Description                                        |
+| ----------- | -------------------------------------------------- |
+| `cache-hit` | Whether the dependency cache was hit (true/false). |
 
 **Usage:**
 

package/npm-publish-pr/README.md

@@ -1,4 +1,4 @@
-# npm-pr-version
+# npm-publish-pr
 
 Publishes packages with PR-specific version numbers for testing in downstream applications before merging. Automatically
 detects your package manager (npm, yarn, or pnpm) and uses the appropriate publish command. The action generates
@@ -102,7 +102,7 @@ The package is published under the `pr` tag, so it won't interfere with your reg
 
 | Input          | Description                                                                         | Required | Default          |
 | -------------- | ----------------------------------------------------------------------------------- | -------- | ---------------- |
-| `npm-token`    | Registry authentication token with publish permissions (works with npm/yarn/pnpm)   | No       | -                |
+| `npm-token`    | Registry authentication token with publish permissions (works with npm/yarn/pnpm)   | Yes      | -                |
 | `github-token` | GitHub token with pull request comment permissions (typically secrets.GITHUB_TOKEN) | Yes      | -                |
 | `comment`      | Whether to comment on the PR with the published version (true/false)                | No       | `true`           |
 | `comment-tag`  | Tag to use for PR comments (for comment identification and updates)                 | No       | `npm-publish-pr` |

package/npm-publish-pr/action.yml

@@ -6,7 +6,7 @@ description:
 
 inputs:
   npm-token:
-    required: false
+    required: true
     description: Registry authentication token with publish permissions (works with npm/yarn/pnpm)
   github-token:
     required: true
@@ -53,11 +53,18 @@ runs:
         package_name=""
         version=""
 
+        # Function to sanitize error messages for GitHub output
+        sanitize_error() {
+          local message="$1"
+          # Replace newlines with spaces, remove extra whitespace, truncate if too long
+          echo "$message" | tr '\n' ' ' | tr -s ' ' | cut -c1-500
+        }
+
         # Validate package.json exists
         if [ ! -f "package.json" ]; then
           error_message="❌ ERROR: package.json not found in current directory. Make sure you're running this action in a directory with a package.json file"
           echo "$error_message"
-          echo "error-message=$error_message" >> $GITHUB_OUTPUT
+          echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
           exit 1
         fi
 
@@ -65,7 +72,7 @@ runs:
         if ! jq empty package.json 2>/dev/null; then
           error_message="❌ ERROR: package.json is not valid JSON"
           echo "$error_message"
-          echo "error-message=$error_message" >> $GITHUB_OUTPUT
+          echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
           exit 1
         fi
 
@@ -74,7 +81,7 @@ runs:
         if [ -z "$package_name" ] || [ "$package_name" = "null" ]; then
           error_message="❌ ERROR: package.json must have a 'name' field"
           echo "$error_message"
-          echo "error-message=$error_message" >> $GITHUB_OUTPUT
+          echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
           exit 1
         fi
 
@@ -104,29 +111,29 @@ runs:
         if [ $version_exit_code -ne 0 ]; then
           error_message="❌ ERROR: Failed to update package version. Check if the version format is valid. Error: $version_output"
           echo "$error_message"
-          echo "error-message=$error_message" >> $GITHUB_OUTPUT
+          echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
           exit 1
         fi
 
         # Publish package based on detected package manager
         case "$package_manager" in
           "yarn")
-            publish_output=$(yarn publish --access public --tag pr --new-version $version --no-git-tag-version 2>&1)
+            publish_output=$(yarn publish --access public --tag pr --new-version $version --no-git-tag-version --skip-check-working-tree 2>&1)
             publish_exit_code=$?
             if [ $publish_exit_code -ne 0 ]; then
               error_message="❌ ERROR: Failed to publish package with yarn. Error: $publish_output"
               echo "$error_message"
-              echo "error-message=$error_message" >> $GITHUB_OUTPUT
+              echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
               exit 1
             fi
             ;;
           "pnpm")
-            publish_output=$(pnpm publish --access public --tag pr 2>&1)
+            publish_output=$(pnpm publish --no-git-checks --access public --tag pr 2>&1)
             publish_exit_code=$?
             if [ $publish_exit_code -ne 0 ]; then
               error_message="❌ ERROR: Failed to publish package with pnpm. Error: $publish_output"
               echo "$error_message"
-              echo "error-message=$error_message" >> $GITHUB_OUTPUT
+              echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
               exit 1
             fi
             ;;
@@ -136,7 +143,7 @@ runs:
             if [ $publish_exit_code -ne 0 ]; then
               error_message="❌ ERROR: Failed to publish package with npm. Error: $publish_output"
               echo "$error_message"
-              echo "error-message=$error_message" >> $GITHUB_OUTPUT
+              echo "error-message=$(sanitize_error "$error_message")" >> $GITHUB_OUTPUT
               exit 1
             fi
             ;;
@@ -156,7 +163,7 @@ runs:
 
           Error: ${{ steps.publish.outputs.error-message }}
 
-          Please check the workflow logs for more details.
+          📋 [View workflow logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
         upsert: true
         tag: ${{ inputs.comment-tag }}
 
@@ -166,6 +173,6 @@ runs:
         message: |
           ✅ **PR package published successfully!**
 
-          Install with: `npm install ${{ steps.publish.outputs.package-name }}@${{ steps.publish.outputs.version }}`
+          Install with: <code>npm install ${{ steps.publish.outputs.package-name }}@${{ steps.publish.outputs.version }}</code>
         upsert: true
         tag: ${{ inputs.comment-tag }}

package/package.json

@@ -4,7 +4,7 @@
   "description": "Composite GitHub Actions for my projects.",
   "author": "Chris O'Donnell <chris@codfish.dev>",
   "license": "MIT",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "publishConfig": {
     "access": "public"
   },

package/setup-node-and-install/README.md

@@ -1,14 +1,14 @@
 # setup-node-and-install
 
 Sets up Node.js environment and installs dependencies with automatic package manager detection, intelligent caching, and
-.nvmrc/.node-version support.
+dynamic Node version detection via the `node-version` input, `.node-version`, `.nvmrc`, or `package.json` `volta.node`.
 
 This action provides the following functionality:
 
 - Automatically detects package manager (npm, yarn, or pnpm) from lockfiles
 - Uses GitHub's official `setup-node` action with optimized caching
 - Installs dependencies with appropriate commands based on detected package manager
-- Supports .nvmrc and .node-version files for version specification
+- Supports `.node-version`, `.nvmrc`, and `package.json` `volta.node` for version specification
 - Intelligent caching of node_modules when lockfiles are present
 
 <!-- DOCTOC SKIP -->
@@ -30,8 +30,10 @@ steps:
   - run: npm test
 ```
 
-The `node-version` input is optional. If not supplied, this action will attempt to use an `.nvmrc` file in your project.
-If neither is supplied, it will fail your workflow.
+The `node-version` input is optional. If not supplied, this action will attempt to resolve a version using, in order:
+
+1. `.node-version`, 2) `.nvmrc`, 3) `package.json` `volta.node`. If none are present, `actions/setup-node` runs without
+   an explicit version and will use its default behavior.
 
 The `cache-key-suffix` input is optional. If not supplied, no suffix will be applied to the cache key used to restore
 cache in subsequent workflow runs.
@@ -69,25 +71,25 @@ steps:
   - run: npm test
 ```
 
-## Node Version File Priority
+## Node Version Resolution Priority
 
 When multiple version specification methods are present, the action uses this priority order:
 
 1. **Input parameter** (`node-version`) - highest priority
-2. **`.nvmrc` file** - takes precedence over .node-version
-3. **`.node-version` file** - used if no .nvmrc exists
-4. **Error** - if none of the above are present
+2. **`.node-version` file**
+3. **`.nvmrc` file**
+4. **`package.json` `volta.node` property**
+5. **`actions/setup-node` default behavior** when no version is specified
 
 ## Inputs
 
 <!-- start inputs -->
 
-| Input               | Description                                                                                           | Required | Default |
-| ------------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
-| `node-version`      | Node.js version to install (e.g. '24', 'lts/\*'). Defaults to .nvmrc or .node-version file if present | No       | -       |
-| `cache-key-suffix`  | Additional suffix for cache key to enable multiple caches per workflow                                | No       | -       |
-| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install                                           | No       | -       |
-| `working-directory` | Directory containing package.json and lockfile                                                        | No       | `.`     |
+| Input               | Description                                                                                                                          | Required | Default |
+| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------- |
+| `node-version`      | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node. | No       | -       |
+| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install.                                                                         | No       | -       |
+| `working-directory` | Directory containing package.json and lockfile.                                                                                      | No       | `.`     |
 
 <!-- end inputs -->
 

package/setup-node-and-install/action.yml

@@ -2,39 +2,35 @@ name: setup-node-and-install
 
 description:
   Sets up Node.js environment and installs dependencies with automatic package manager detection (npm/pnpm/yarn),
-  intelligent caching, and .nvmrc/.node-version support
+  intelligent caching, and version detection via input, .node-version, .nvmrc, or package.json volta.node
 
 inputs:
   node-version:
-    description: Node.js version to install (e.g. '24', 'lts/*'). Defaults to .nvmrc or .node-version file if present
+    description:
+      'Node.js version to install (e.g. "24", "lts/*"). Precedence: node-version input > .node-version > .nvmrc >
+      package.json volta.node.'
     required: false
-  cache-key-suffix:
-    description: Additional suffix for cache key to enable multiple caches per workflow
-    default: ''
   install-options:
-    description: Extra command-line options to pass to npm/pnpm/yarn install
+    description: Extra command-line options to pass to npm/pnpm/yarn install.
     default: ''
   working-directory:
-    description: Directory containing package.json and lockfile
+    description: Directory containing package.json and lockfile.
     default: .
 
-outputs: {}
+outputs:
+  cache-hit:
+    description: Whether the dependency cache was hit (true/false).
+    value: "${{ steps.setup-node.outputs.cache-hit == 'true' && 'true' || 'false' }}"
 
 runs:
   using: composite
 
   steps:
-    - name: Validate inputs and detect package manager
-      id: setup
+    - name: Validate environment and detect package manager
+      id: detect-package-manager
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
-        # Validate working directory exists
-        if [ ! -d "." ]; then
-          echo "❌ ERROR: Working directory '${{ inputs.working-directory }}' does not exist"
-          exit 1
-        fi
-
         # Validate package.json exists
         if [ ! -f "./package.json" ]; then
           echo "❌ ERROR: package.json not found in '${{ inputs.working-directory }}'"
@@ -42,48 +38,6 @@ runs:
           exit 1
         fi
 
-        # Validate package.json is valid JSON
-        if ! jq empty package.json 2>/dev/null; then
-          echo "❌ ERROR: package.json is not valid JSON"
-          exit 1
-        fi
-
-        # Check Node version requirements (.nvmrc, .node-version, or input)
-        if [[ ! -f "./.nvmrc" && ! -f "./.node-version" && -z "$INPUT_NODE_VERSION" ]]; then
-          echo "node-version-missing=true" >> $GITHUB_OUTPUT
-          exit
-        fi
-
-        # Validate .nvmrc format if it exists
-        if [ -f "./.nvmrc" ]; then
-          nvmrc_version=$(cat .nvmrc | tr -d '\n\r' | xargs)
-          if [ -z "$nvmrc_version" ]; then
-            echo "❌ ERROR: .nvmrc file is empty"
-            exit 1
-          fi
-          echo "📋 Found .nvmrc with Node version: $nvmrc_version"
-        fi
-
-        # Validate .node-version format if it exists (and no .nvmrc)
-        if [ -f "./.node-version" ] && [ ! -f "./.nvmrc" ]; then
-          node_version_file=$(cat .node-version | tr -d '\n\r' | xargs)
-          if [ -z "$node_version_file" ]; then
-            echo "❌ ERROR: .node-version file is empty"
-            exit 1
-          fi
-          echo "📋 Found .node-version with Node version: $node_version_file"
-        fi
-
-        # Show priority info if both files exist
-        if [ -f "./.nvmrc" ] && [ -f "./.node-version" ]; then
-          echo "📋 Both .nvmrc and .node-version found, .nvmrc takes priority"
-        fi
-
-        # Validate node-version input format if provided
-        if [ -n "$INPUT_NODE_VERSION" ]; then
-          echo "📋 Using Node version from input: $INPUT_NODE_VERSION"
-        fi
-
         # Detect package manager based on lockfiles (including yarn)
         if [ -f "./pnpm-lock.yaml" ]; then
           echo "package-manager=pnpm" >> $GITHUB_OUTPUT
@@ -106,115 +60,134 @@ runs:
           echo "lockfile-path=" >> $GITHUB_OUTPUT
           echo "📦 No lockfile found, defaulting to: npm"
         fi
-      env:
-        INPUT_NODE_VERSION: ${{ inputs.node-version }}
-
-    - if: steps.setup.outputs.node-version-missing == 'true'
-      uses: actions/github-script@v7
-      with:
-        script: |
-          core.setFailed('You need to create an .nvmrc file, .node-version file, or pass a value in the `node-version` input.')
 
     - name: Install pnpm
-      if: steps.setup.outputs.package-manager == 'pnpm'
+      if: steps.detect-package-manager.outputs.package-manager == 'pnpm'
       uses: pnpm/action-setup@v4
       with:
         run_install: false
 
-    - name: Setup node with .nvmrc
-      if: ${{ inputs.node-version != '' || hashFiles(format('{0}/.nvmrc', inputs.working-directory)) != '' }}
-      uses: actions/setup-node@v5
-      id: setup-node
-      with:
-        # use detected package manager cache if a lockfile is present
-        cache: ${{ steps.setup.outputs.lockfile-exists == 'true' && steps.setup.outputs.package-manager || '' }}
-        # supplying a node-version input will override the .nvmrc file and give a warning, but that's to be expected.
-        cache-dependency-path: ${{ inputs.working-directory }}
-        node-version: ${{ inputs.node-version }}
-        node-version-file: '${{ inputs.working-directory }}/.nvmrc'
-        registry-url: 'https://registry.npmjs.org'
-
-    - name: Read .node-version file
-      if:
-        ${{ inputs.node-version == '' && hashFiles(format('{0}/.nvmrc', inputs.working-directory)) == '' &&
-        hashFiles(format('{0}/.node-version', inputs.working-directory)) != '' }}
-      id: read-node-version
+    # Detect Node.js version to use (input > .node-version > .nvmrc > package.json volta.node)
+    - name: Detect node version
+      id: detect-node-version
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
-        node_version=$(cat .node-version | tr -d '\n\r' | xargs)
-        echo "node-version=$node_version" >> $GITHUB_OUTPUT
-        echo "📋 Read Node version from .node-version: $node_version"
-
-    - name: Setup node with .node-version
-      if:
-        ${{ inputs.node-version == '' && hashFiles(format('{0}/.nvmrc', inputs.working-directory)) == '' &&
-        hashFiles(format('{0}/.node-version', inputs.working-directory)) != '' }}
+        resolved_version=""
+
+        if [ -n "${INPUT_NODE_VERSION}" ]; then
+          resolved_version="$INPUT_NODE_VERSION"
+          echo "📋 Using Node version from input: $resolved_version"
+        elif [ -f "./.node-version" ]; then
+          file_version=$(cat ./.node-version | tr -d '\n\r' | xargs)
+          if [ -n "$file_version" ]; then
+            resolved_version="$file_version"
+            echo "📋 Using Node version from .node-version: $resolved_version"
+          fi
+        fi
+
+        if [ -z "$resolved_version" ] && [ -f "./.nvmrc" ]; then
+          nvmrc_version=$(cat ./.nvmrc | tr -d '\n\r' | xargs)
+          if [ -n "$nvmrc_version" ]; then
+            resolved_version="$nvmrc_version"
+            echo "📋 Using Node version from .nvmrc: $resolved_version"
+          fi
+        fi
+
+        if [ -z "$resolved_version" ]; then
+          volta_node=$(jq -r '.volta.node // empty' package.json 2>/dev/null || true)
+          if [ -n "$volta_node" ]; then
+            resolved_version="$volta_node"
+            echo "📋 Using Node version from package.json volta.node: $resolved_version"
+          fi
+        fi
+
+        echo "version=$resolved_version" >> $GITHUB_OUTPUT
+      env:
+        INPUT_NODE_VERSION: ${{ inputs.node-version }}
+
+    - name: Setup Node.js
       uses: actions/setup-node@v5
-      id: setup-node-alt
+      id: setup-node
       with:
-        # use detected package manager cache if a lockfile is present
-        cache: ${{ steps.setup.outputs.lockfile-exists == 'true' && steps.setup.outputs.package-manager || '' }}
+        # use detected package manager cache
+        cache: ${{ steps.detect-package-manager.outputs.package-manager }}
         cache-dependency-path: ${{ inputs.working-directory }}
-        node-version: ${{ steps.read-node-version.outputs.node-version }}
+        node-version: ${{ steps.detect-node-version.outputs.version }}
         registry-url: 'https://registry.npmjs.org'
 
-    # Install dependencies with pnpm
+    # apply `./node_modules` cache only if a lockfile is present
+    # Will remove the need to run install commands twice. Risk reduced by using a very specific cache key.
+    # Cache wont be used if the lockfile changes, package manager, node version, or OS changes.
+    - name: Setup node_modules dependency cache
+      if: steps.detect-package-manager.outputs.lockfile-exists == 'true'
+      uses: actions/cache@v4
+      id: cache
+      with:
+        path: ${{ inputs.working-directory }}/node_modules
+        key:
+          ${{ runner.os }}-node_modules-${{ steps.detect-package-manager.outputs.package-manager }}-${{
+          steps.setup-node.outputs.node-version }}-${{ hashFiles(format('{0}/{1}', inputs.working-directory,
+          steps.detect-package-manager.outputs.lockfile-path)) }}
+
     - name: Install dependencies with pnpm
-      if: steps.setup.outputs.package-manager == 'pnpm'
+      if: steps.detect-package-manager.outputs.package-manager == 'pnpm' && steps.cache.outputs.cache-hit != 'true'
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
         echo "🔧 Installing dependencies with pnpm..."
-        if ! pnpm install $INPUT_INSTALL_OPTIONS; then
+        if [ "$LOCKFILE_EXISTS" = "true" ]; then
+          INPUT_INSTALL_OPTIONS="--frozen-lockfile $INPUT_INSTALL_OPTIONS"
+        else
+          echo "⚠️  Warning: No lockfile found, not using --frozen-lockfile"
+        fi
+        if ! pnpm i $INPUT_INSTALL_OPTIONS; then
           echo "❌ ERROR: pnpm install failed"
           exit 1
         fi
         echo "✅ pnpm install completed successfully"
       env:
         INPUT_INSTALL_OPTIONS: ${{ inputs.install-options }}
+        LOCKFILE_EXISTS: ${{ steps.detect-package-manager.outputs.lockfile-exists }}
 
-    # Install dependencies with yarn
     - name: Install dependencies with yarn
-      if: steps.setup.outputs.package-manager == 'yarn'
+      if: steps.detect-package-manager.outputs.package-manager == 'yarn' && steps.cache.outputs.cache-hit != 'true'
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
         echo "🔧 Installing dependencies with yarn..."
-        if ! yarn install --frozen-lockfile $INPUT_INSTALL_OPTIONS; then
+        if [ "$LOCKFILE_EXISTS" = "true" ]; then
+          INPUT_INSTALL_OPTIONS="--frozen-lockfile $INPUT_INSTALL_OPTIONS"
+        else
+          echo "⚠️  Warning: No lockfile found, results may vary"
+        fi
+        if ! yarn install $INPUT_INSTALL_OPTIONS; then
           echo "❌ ERROR: yarn install failed"
           exit 1
         fi
         echo "✅ yarn install completed successfully"
       env:
         INPUT_INSTALL_OPTIONS: ${{ inputs.install-options }}
+        LOCKFILE_EXISTS: ${{ steps.detect-package-manager.outputs.lockfile-exists }}
 
-    # Install dependencies with npm (with lockfile)
-    - name: Install dependencies with npm (with lockfile)
-      if: steps.setup.outputs.lockfile-exists == 'true' && steps.setup.outputs.package-manager == 'npm'
+    - name: Install dependencies with npm
+      if: steps.detect-package-manager.outputs.package-manager == 'npm' && steps.cache.outputs.cache-hit != 'true'
       working-directory: ${{ inputs.working-directory }}
       shell: bash
       run: |
-        echo "🔧 Installing dependencies with npm ci..."
-        if ! npm ci --prefer-offline --no-audit $INPUT_INSTALL_OPTIONS; then
-          echo "❌ ERROR: npm ci failed"
-          exit 1
+        NPM_CMD=""
+        if [ "$LOCKFILE_EXISTS" = "true" ]; then
+          NPM_CMD="ci"
+        else
+          echo "⚠️  Warning: No lockfile found, versions may vary"
+          NPM_CMD="install"
         fi
-        echo "✅ npm ci completed successfully"
-      env:
-        INPUT_INSTALL_OPTIONS: ${{ inputs.install-options }}
-
-    - name: Install dependencies with npm (without lockfile)
-      if: steps.setup.outputs.lockfile-exists == 'false' && steps.setup.outputs.package-manager == 'npm'
-      working-directory: ${{ inputs.working-directory }}
-      shell: bash
-      run: |
-        echo "🔧 Installing dependencies with npm install..."
-        echo "⚠️  Warning: No lockfile found, versions may vary"
-        if ! npm install --no-save --prefer-offline --no-audit $INPUT_INSTALL_OPTIONS; then
-          echo "❌ ERROR: npm install failed"
+        echo "🔧 Installing dependencies with npm $NPM_CMD..."
+        if ! npm $NPM_CMD --no-save --prefer-offline --no-audit $INPUT_INSTALL_OPTIONS; then
+          echo "❌ ERROR: npm $NPM_CMD failed"
           exit 1
         fi
-        echo "✅ npm install completed successfully"
+        echo "✅ npm $NPM_CMD completed successfully"
       env:
         INPUT_INSTALL_OPTIONS: ${{ inputs.install-options }}
+        LOCKFILE_EXISTS: ${{ steps.detect-package-manager.outputs.lockfile-exists }}