@crossplatformai/dependency-graph 0.9.2

package/src/cli/validate-workflows.ts

@@ -0,0 +1,822 @@
+#!/usr/bin/env node
+
+import { readFileSync, existsSync, readdirSync } from 'node:fs';
+import { resolve, join } from 'node:path';
+import { parse as parseYaml } from 'yaml';
+
+/**
+ * Parse .gitmodules file and return a Set of submodule paths.
+ * Example: plugins/auth, plugins/design-system
+ */
+function parseGitmodules(rootDir: string): Set<string> {
+  const gitmodulesPath = join(rootDir, '.gitmodules');
+  if (!existsSync(gitmodulesPath)) {
+    return new Set();
+  }
+
+  const content = readFileSync(gitmodulesPath, 'utf-8');
+  const paths = new Set<string>();
+
+  // Match lines like: path = plugins/auth
+  const pathMatches = content.matchAll(/^\s*path\s*=\s*(.+)$/gm);
+  for (const match of pathMatches) {
+    const matchedPath = match[1];
+    if (matchedPath) {
+      paths.add(matchedPath.trim());
+    }
+  }
+
+  return paths;
+}
+
+/**
+ * Check if a given path is a git submodule.
+ */
+function isGitSubmodule(
+  pluginPath: string,
+  submodulePaths: Set<string>,
+): boolean {
+  return submodulePaths.has(pluginPath);
+}
+
+interface ValidationResult {
+  workflow: string;
+  app: string;
+  valid: boolean;
+  missing: string[];
+  unnecessary: string[];
+  issues: string[];
+}
+
+interface WorkflowConfig {
+  name: string;
+  on?: {
+    push?: {
+      paths?: string[];
+    };
+    pull_request?: {
+      paths?: string[];
+    };
+    workflow_dispatch?: unknown;
+  };
+}
+
+interface PackageJson {
+  name: string;
+  packageManager?: string;
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+}
+
+interface PnpmValidationResult {
+  valid: boolean;
+  workflowIssues: { workflow: string; issue: string }[];
+  dockerfileIssues: { dockerfile: string; issue: string }[];
+}
+
+/**
+ * Build a mapping of package names to their directory paths.
+ * Scans plugins/ and packages/ directories to discover actual package names.
+ * This handles any naming convention clients may use.
+ */
+function buildPackageMapping(rootDir: string): Map<string, string> {
+  const mapping = new Map<string, string>();
+
+  for (const dir of ['plugins', 'features', 'packages', 'apps']) {
+    const base = join(rootDir, dir);
+    if (!existsSync(base)) continue;
+
+    for (const entry of readdirSync(base, { withFileTypes: true })) {
+      if (!entry.isDirectory()) continue;
+      const pkgPath = join(base, entry.name, 'package.json');
+      if (existsSync(pkgPath)) {
+        try {
+          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')) as PackageJson;
+          if (pkg.name) {
+            mapping.set(pkg.name, `${dir}/${entry.name}`);
+          }
+        } catch {
+          // Skip malformed package.json files
+        }
+      }
+    }
+  }
+
+  return mapping;
+}
+
+/**
+ * Dynamically discover workflow mappings from file system.
+ * Looks for deploy-*.yml and release-*.yml patterns that match apps/ directories.
+ */
+function discoverWorkflowMappings(rootDir: string): Record<string, string> {
+  const workflowsDir = join(rootDir, '.github/workflows');
+  const appsDir = join(rootDir, 'apps');
+
+  if (!existsSync(workflowsDir) || !existsSync(appsDir)) {
+    return {};
+  }
+
+  const apps = readdirSync(appsDir, { withFileTypes: true })
+    .filter((d) => d.isDirectory())
+    .map((d) => d.name);
+
+  const mapping: Record<string, string> = {};
+
+  // Pattern: deploy-<app>.yml or release-<app>.yml
+  for (const app of apps) {
+    const deployWorkflow = `deploy-${app}.yml`;
+    const releaseWorkflow = `release-${app}.yml`;
+
+    if (existsSync(join(workflowsDir, deployWorkflow))) {
+      mapping[deployWorkflow] = app;
+    }
+    if (existsSync(join(workflowsDir, releaseWorkflow))) {
+      mapping[releaseWorkflow] = app;
+    }
+  }
+
+  return mapping;
+}
+
+/**
+ * Dynamically discover workflows that use pnpm/action-setup
+ */
+function discoverPnpmWorkflows(rootDir: string): string[] {
+  const workflowsDir = join(rootDir, '.github/workflows');
+  if (!existsSync(workflowsDir)) {
+    return [];
+  }
+
+  const workflows: string[] = [];
+  const files = readdirSync(workflowsDir).filter((f) => f.endsWith('.yml'));
+
+  for (const file of files) {
+    const content = readFileSync(join(workflowsDir, file), 'utf-8');
+    if (content.includes('pnpm/action-setup')) {
+      workflows.push(file);
+    }
+  }
+
+  return workflows;
+}
+
+/**
+ * Dynamically discover Dockerfiles that install pnpm
+ */
+function discoverPnpmDockerfiles(rootDir: string): string[] {
+  const dockerfiles: string[] = [];
+  const entries = readdirSync(rootDir);
+
+  for (const entry of entries) {
+    if (entry.startsWith('Dockerfile')) {
+      const content = readFileSync(join(rootDir, entry), 'utf-8');
+      if (content.includes('pnpm@')) {
+        dockerfiles.push(entry);
+      }
+    }
+  }
+
+  return dockerfiles;
+}
+
+/**
+ * Convert a dependency name to its folder path.
+ * Uses package mapping for accurate lookup, with fallback to legacy heuristics.
+ */
+function convertDependencyToFolder(
+  dep: string,
+  rootDir: string,
+  packageMapping?: Map<string, string>,
+): string {
+  // Try package mapping first (most accurate)
+  if (packageMapping) {
+    const relativePath = packageMapping.get(dep);
+    if (relativePath) {
+      return join(rootDir, relativePath);
+    }
+  }
+
+  // Fallback: Generic handling for @crossplatformai/ packages
+  if (dep.startsWith('@crossplatformai/')) {
+    const packageName = dep.replace('@crossplatformai/', '');
+
+    // Check plugins/ first (most common), then packages/
+    const pluginPath = join(rootDir, 'plugins', packageName);
+    if (existsSync(pluginPath)) {
+      return pluginPath;
+    }
+    return join(rootDir, 'packages', packageName);
+  }
+
+  // Fallback: Generic handling for @repo/ packages
+  if (dep.startsWith('@repo/')) {
+    const packageName = dep.replace('@repo/', '');
+
+    // Check apps/ first (e.g., @repo/shared → apps/shared)
+    const appsPath = join(rootDir, 'apps', packageName);
+    if (existsSync(appsPath)) {
+      return appsPath;
+    }
+
+    // Check plugins/ next
+    const pluginPath = join(rootDir, 'plugins', packageName);
+    if (existsSync(pluginPath)) {
+      return pluginPath;
+    }
+
+    // Fall back to packages/
+    return join(rootDir, 'packages', packageName);
+  }
+
+  // Unknown format, return as-is
+  return join(rootDir, dep);
+}
+
+/**
+ * Collect transitive dependencies recursively.
+ * @param packageJsonPath - Path to the package.json to analyze
+ * @param rootDir - Root directory of the monorepo
+ * @param visited - Set of already visited dependencies (prevents cycles)
+ * @param packageMapping - Mapping of package names to directory paths
+ * @param includeDevDeps - Whether to include devDependencies (true for root app, false for nested)
+ */
+function collectTransitiveDependencies(
+  packageJsonPath: string,
+  rootDir: string,
+  visited: Set<string>,
+  packageMapping: Map<string, string>,
+  includeDevDeps: boolean = true,
+): Set<string> {
+  const allTransitiveDeps = new Set<string>();
+
+  if (!existsSync(packageJsonPath)) {
+    return allTransitiveDeps;
+  }
+
+  const packageJson = JSON.parse(
+    readFileSync(packageJsonPath, 'utf-8'),
+  ) as PackageJson;
+
+  const allDeps = { ...packageJson.dependencies };
+  if (includeDevDeps) {
+    Object.assign(allDeps, packageJson.devDependencies);
+  }
+
+  // Detect workspace dependencies by their version specifier or presence in local workspace
+  // Supports:
+  // 1. workspace: protocol (e.g., workspace:*, workspace:^)
+  // 2. link: protocol (e.g., link:../../plugins/auth)
+  // 3. Legacy * syntax for @repo/ and @crossplatformai/ packages
+  // 4. Semver ranges that resolve to local packages in packageMapping
+  //    (pnpm workspace links local packages when they satisfy the version range)
+  const workspaceDeps = Object.entries(allDeps)
+    .filter(
+      ([name, version]) =>
+        version.startsWith('workspace:') ||
+        version.startsWith('link:') ||
+        (version === '*' &&
+          (name.startsWith('@repo/') ||
+            name.startsWith('@crossplatformai/'))) ||
+        packageMapping.has(name),
+    )
+    .map(([name]) => name);
+
+  for (const dep of workspaceDeps) {
+    if (visited.has(dep)) {
+      continue;
+    }
+
+    visited.add(dep);
+    allTransitiveDeps.add(dep);
+
+    // Get the folder for this dependency
+    const depFolder = convertDependencyToFolder(dep, rootDir, packageMapping);
+    const depPackageJsonPath = join(depFolder, 'package.json');
+
+    // Never include devDependencies for transitive deps - they are local tooling
+    const nestedDeps = collectTransitiveDependencies(
+      depPackageJsonPath,
+      rootDir,
+      visited,
+      packageMapping,
+      false,
+    );
+    for (const nestedDep of nestedDeps) {
+      allTransitiveDeps.add(nestedDep);
+    }
+  }
+
+  return allTransitiveDeps;
+}
+
+/**
+ * Get all transitive workspace dependencies for an app
+ */
+function getAppDependencies(
+  appName: string,
+  rootDir: string,
+  packageMapping: Map<string, string>,
+): string[] {
+  const packageJsonPath = join(rootDir, 'apps', appName, 'package.json');
+
+  if (!existsSync(packageJsonPath)) {
+    throw new Error(`Package.json not found for app: ${appName}`);
+  }
+
+  const visited = new Set<string>();
+  const deps = collectTransitiveDependencies(
+    packageJsonPath,
+    rootDir,
+    visited,
+    packageMapping,
+    true,
+  );
+  return Array.from(deps);
+}
+
+/**
+ * Convert a dependency name to its workflow path patterns.
+ * Uses package mapping for accurate lookup, with fallback to legacy heuristics.
+ *
+ * Returns an array of paths because git submodules need TWO entries:
+ * - `plugins/auth` (catches submodule pointer changes in parent repo)
+ * - `plugins/auth/**` (catches file changes within submodule)
+ */
+function convertDependencyToPath(
+  dep: string,
+  rootDir: string,
+  packageMapping?: Map<string, string>,
+  submodulePaths?: Set<string>,
+): string[] {
+  let relativePath: string | undefined;
+
+  // Try package mapping first (most accurate)
+  if (packageMapping) {
+    relativePath = packageMapping.get(dep);
+  }
+
+  // Fallback heuristics if not in package mapping
+  if (!relativePath) {
+    // Generic handling for @crossplatformai/ packages
+    if (dep.startsWith('@crossplatformai/')) {
+      const packageName = dep.replace('@crossplatformai/', '');
+
+      // Check plugins/ first (most common), then packages/
+      const pluginPath = join(rootDir, 'plugins', packageName);
+      if (existsSync(pluginPath)) {
+        relativePath = `plugins/${packageName}`;
+      } else {
+        relativePath = `packages/${packageName}`;
+      }
+    } else if (dep.startsWith('@repo/')) {
+      // Generic handling for @repo/ packages
+      const packageName = dep.replace('@repo/', '');
+
+      // Check apps/ first (e.g., @repo/shared → apps/shared)
+      const appsPath = join(rootDir, 'apps', packageName);
+      if (existsSync(appsPath)) {
+        relativePath = `apps/${packageName}`;
+      } else {
+        // Check plugins/ next
+        const pluginPath = join(rootDir, 'plugins', packageName);
+        if (existsSync(pluginPath)) {
+          relativePath = `plugins/${packageName}`;
+        } else {
+          // Check features/ next
+          const featuresPath = join(rootDir, 'features', packageName);
+          if (existsSync(featuresPath)) {
+            relativePath = `features/${packageName}`;
+          } else {
+            // Fall back to packages/
+            relativePath = `packages/${packageName}`;
+          }
+        }
+      }
+    } else {
+      // Unknown format, return as-is
+      return [dep];
+    }
+  }
+
+  // For submodules, return both the pointer path AND the glob path
+  // This catches both submodule pointer changes and file changes within the submodule
+  if (submodulePaths && isGitSubmodule(relativePath, submodulePaths)) {
+    return [relativePath, `${relativePath}/**`];
+  }
+
+  // For regular packages, just return the glob path
+  return [`${relativePath}/**`];
+}
+
+/**
+ * Get expected workflow paths for an app based on its transitive dependencies
+ */
+function getExpectedPaths(
+  appName: string,
+  rootDir: string,
+  workflowMapping: Record<string, string>,
+  packageMapping: Map<string, string>,
+  submodulePaths: Set<string>,
+): string[] {
+  const dependencies = getAppDependencies(appName, rootDir, packageMapping);
+  // Use flatMap because convertDependencyToPath now returns string[]
+  // (submodules return both pointer path and glob path)
+  const paths = dependencies.flatMap((dep) =>
+    convertDependencyToPath(dep, rootDir, packageMapping, submodulePaths),
+  );
+
+  paths.push(`apps/${appName}/**`);
+
+  const workflowFile = Object.entries(workflowMapping).find(
+    ([, app]) => app === appName,
+  )?.[0];
+  if (workflowFile) {
+    paths.push(`.github/workflows/${workflowFile}`);
+  }
+
+  // Auto-discover Dockerfiles for this app
+  const dockerfileName = `Dockerfile.${appName}`;
+  if (existsSync(join(rootDir, dockerfileName))) {
+    paths.push(dockerfileName);
+  }
+
+  return paths.sort();
+}
+
+/**
+ * Get actual paths from a workflow file
+ */
+function getWorkflowPaths(workflowFile: string, rootDir: string): string[] {
+  const workflowPath = join(rootDir, '.github/workflows', workflowFile);
+
+  if (!existsSync(workflowPath)) {
+    throw new Error(`Workflow file not found: ${workflowFile}`);
+  }
+
+  const content = readFileSync(workflowPath, 'utf-8');
+  const workflow = parseYaml(content) as WorkflowConfig;
+
+  // Check both push and pull_request triggers for paths
+  const paths = workflow.on?.push?.paths ?? workflow.on?.pull_request?.paths;
+
+  if (!paths) {
+    return [];
+  }
+
+  return paths.sort();
+}
+
+/**
+ * Get pnpm version from package.json packageManager field
+ */
+function getExpectedPnpmVersion(rootDir: string): string {
+  const packageJsonPath = join(rootDir, 'package.json');
+  const packageJson = JSON.parse(
+    readFileSync(packageJsonPath, 'utf-8'),
+  ) as PackageJson;
+  const packageManager = packageJson.packageManager;
+  if (!packageManager?.startsWith('pnpm@')) {
+    throw new Error('packageManager field must specify pnpm version');
+  }
+  return packageManager.replace('pnpm@', '');
+}
+
+/**
+ * Check if workflow has hardcoded pnpm version
+ */
+function checkWorkflowPnpmVersion(
+  workflowFile: string,
+  rootDir: string,
+): { valid: boolean; issue?: string } {
+  const workflowPath = join(rootDir, '.github/workflows', workflowFile);
+
+  if (!existsSync(workflowPath)) {
+    return { valid: true }; // Skip non-existent workflows
+  }
+
+  const content = readFileSync(workflowPath, 'utf-8');
+  const workflow = parseYaml(content) as {
+    jobs?: Record<
+      string,
+      { steps?: Array<{ uses?: string; with?: { version?: string | number } }> }
+    >;
+  };
+
+  // Find all pnpm/action-setup steps
+  for (const job of Object.values(workflow.jobs ?? {})) {
+    for (const step of job.steps ?? []) {
+      if (step.uses?.startsWith('pnpm/action-setup')) {
+        const version = step.with?.version;
+        // Allow major-only versions like "10" (deploy-api-edge.yml uses this)
+        if (version !== undefined && !/^\d+$/.test(String(version))) {
+          return {
+            valid: false,
+            issue: `Hardcoded pnpm version '${version}' - remove 'version' key to auto-detect from packageManager`,
+          };
+        }
+      }
+    }
+  }
+  return { valid: true };
+}
+
+/**
+ * Check all pnpm versions in Dockerfile match package.json
+ * Finds ALL occurrences of `npm install -g pnpm@X.Y.Z` and validates each one
+ */
+function checkDockerfilePnpmVersion(
+  dockerfile: string,
+  expectedVersion: string,
+  rootDir: string,
+): { valid: boolean; issue?: string } {
+  const dockerfilePath = join(rootDir, dockerfile);
+
+  if (!existsSync(dockerfilePath)) {
+    return { valid: true }; // Skip non-existent Dockerfiles
+  }
+
+  const content = readFileSync(dockerfilePath, 'utf-8');
+  const matches = content.matchAll(/npm install -g pnpm@([\d.]+)/g);
+
+  for (const match of matches) {
+    if (match[1] !== expectedVersion) {
+      return {
+        valid: false,
+        issue: `${dockerfile} uses pnpm@${match[1]} but package.json specifies pnpm@${expectedVersion}`,
+      };
+    }
+  }
+  return { valid: true };
+}
+
+/**
+ * Validate pnpm version consistency across workflows and Dockerfiles
+ */
+function validatePnpmVersions(rootDir: string): PnpmValidationResult {
+  const result: PnpmValidationResult = {
+    valid: true,
+    workflowIssues: [],
+    dockerfileIssues: [],
+  };
+
+  // Dynamically discover and check workflows for hardcoded pnpm versions
+  const pnpmWorkflows = discoverPnpmWorkflows(rootDir);
+  for (const workflowFile of pnpmWorkflows) {
+    const check = checkWorkflowPnpmVersion(workflowFile, rootDir);
+    if (!check.valid && check.issue) {
+      result.valid = false;
+      result.workflowIssues.push({
+        workflow: workflowFile,
+        issue: check.issue,
+      });
+    }
+  }
+
+  // Dynamically discover and check Dockerfiles match package.json pnpm version
+  const expectedVersion = getExpectedPnpmVersion(rootDir);
+  const dockerfiles = discoverPnpmDockerfiles(rootDir);
+  for (const dockerfile of dockerfiles) {
+    const check = checkDockerfilePnpmVersion(
+      dockerfile,
+      expectedVersion,
+      rootDir,
+    );
+    if (!check.valid && check.issue) {
+      result.valid = false;
+      result.dockerfileIssues.push({ dockerfile, issue: check.issue });
+    }
+  }
+
+  return result;
+}
+
+/**
+ * Validate a single workflow against its app's dependencies
+ */
+function validateWorkflow(
+  workflowFile: string,
+  appName: string,
+  rootDir: string,
+  workflowMapping: Record<string, string>,
+  packageMapping: Map<string, string>,
+  submodulePaths: Set<string>,
+): ValidationResult {
+  const result: ValidationResult = {
+    workflow: workflowFile,
+    app: appName,
+    valid: true,
+    missing: [],
+    unnecessary: [],
+    issues: [],
+  };
+
+  try {
+    const expectedPaths = getExpectedPaths(
+      appName,
+      rootDir,
+      workflowMapping,
+      packageMapping,
+      submodulePaths,
+    );
+    const actualPaths = getWorkflowPaths(workflowFile, rootDir);
+
+    if (actualPaths.includes('plugins/**')) {
+      result.issues.push(
+        "Uses wildcard 'plugins/**' which triggers on ALL plugin changes",
+      );
+      result.valid = false;
+    }
+
+    if (actualPaths.includes('packages/**')) {
+      result.issues.push(
+        "Uses wildcard 'packages/**' which triggers on ALL package changes",
+      );
+      result.valid = false;
+    }
+
+    const expectedPluginPaths = expectedPaths.filter((p) =>
+      p.startsWith('plugins/'),
+    );
+    const actualPluginPaths = actualPaths.filter(
+      (p) => p.startsWith('plugins/') && !p.includes('**/**'),
+    );
+
+    const expectedPackagePaths = expectedPaths.filter((p) =>
+      p.startsWith('packages/'),
+    );
+    const actualPackagePaths = actualPaths.filter(
+      (p) => p.startsWith('packages/') && !p.includes('**/**'),
+    );
+
+    // Also include apps/ paths in validation (e.g., apps/shared/**)
+    const expectedAppPaths = expectedPaths.filter((p) => p.startsWith('apps/'));
+    const actualAppPaths = actualPaths.filter(
+      (p) => p.startsWith('apps/') && !p.includes('**/**'),
+    );
+
+    for (const expectedPath of expectedPluginPaths) {
+      if (!actualPaths.includes(expectedPath)) {
+        result.missing.push(expectedPath);
+        result.valid = false;
+      }
+    }
+
+    for (const expectedPath of expectedPackagePaths) {
+      if (!actualPaths.includes(expectedPath)) {
+        result.missing.push(expectedPath);
+        result.valid = false;
+      }
+    }
+
+    for (const expectedPath of expectedAppPaths) {
+      if (!actualPaths.includes(expectedPath)) {
+        result.missing.push(expectedPath);
+        result.valid = false;
+      }
+    }
+
+    for (const actualPath of [
+      ...actualPluginPaths,
+      ...actualPackagePaths,
+      ...actualAppPaths,
+    ]) {
+      if (!expectedPaths.includes(actualPath)) {
+        result.unnecessary.push(actualPath);
+        result.valid = false;
+      }
+    }
+  } catch (error) {
+    result.valid = false;
+    result.issues.push(error instanceof Error ? error.message : String(error));
+  }
+
+  return result;
+}
+
+/**
+ * Print validation result to console
+ */
+function printResult(result: ValidationResult): void {
+  const icon = result.valid ? '✅' : '❌';
+  console.log(`\n${icon} ${result.workflow} (${result.app})`);
+
+  if (result.valid) {
+    console.log('   All paths match dependencies');
+    return;
+  }
+
+  if (result.issues.length > 0) {
+    console.log('   Issues:');
+    for (const issue of result.issues) {
+      console.log(`     ⚠️  ${issue}`);
+    }
+  }
+
+  if (result.missing.length > 0) {
+    console.log('   Missing paths:');
+    for (const path of result.missing) {
+      console.log(`     - ${path}`);
+    }
+  }
+
+  if (result.unnecessary.length > 0) {
+    console.log('   Unnecessary paths:');
+    for (const path of result.unnecessary) {
+      console.log(`     - ${path}`);
+    }
+  }
+}
+
+function main(): void {
+  const rootDir = resolve(process.cwd());
+  let hasErrors = false;
+
+  // Build package mapping once at startup for efficient lookups
+  const packageMapping = buildPackageMapping(rootDir);
+
+  // Parse .gitmodules once to detect submodule plugins
+  const submodulePaths = parseGitmodules(rootDir);
+
+  // Auto-discover workflow mappings from file system
+  const workflowMapping = discoverWorkflowMappings(rootDir);
+  const workflowCount = Object.keys(workflowMapping).length;
+
+  // Part 1: Validate workflow path filters match dependencies
+  console.log(
+    '🔍 Validating GitHub Actions workflows against dependencies...\n',
+  );
+  console.log(`Found ${workflowCount} workflow(s) to validate\n`);
+
+  if (workflowCount === 0) {
+    console.log('No deploy-*.yml or release-*.yml workflows found.\n');
+  }
+
+  const results: ValidationResult[] = [];
+
+  for (const [workflowFile, appName] of Object.entries(workflowMapping)) {
+    const result = validateWorkflow(
+      workflowFile,
+      appName,
+      rootDir,
+      workflowMapping,
+      packageMapping,
+      submodulePaths,
+    );
+    results.push(result);
+    printResult(result);
+  }
+
+  const validCount = results.filter((r) => r.valid).length;
+  const invalidCount = results.filter((r) => !r.valid).length;
+
+  console.log('\n' + '='.repeat(60));
+  console.log(
+    `\n📊 Path validation: ${validCount} valid, ${invalidCount} invalid\n`,
+  );
+
+  if (invalidCount > 0) {
+    console.log('❌ Some workflows need updates to match dependencies');
+    console.log('\nTo fix:');
+    console.log('1. Update workflow path filters to match missing paths');
+    console.log('2. Remove unnecessary paths');
+    console.log(
+      '3. Replace wildcards (plugins/**, packages/**) with specific paths\n',
+    );
+    hasErrors = true;
+  } else if (workflowCount > 0) {
+    console.log('✅ All workflows match their dependencies!\n');
+  }
+
+  // Part 2: Validate pnpm version consistency
+  console.log('='.repeat(60));
+  console.log('\n🔍 Validating pnpm version consistency...\n');
+
+  const pnpmResult = validatePnpmVersions(rootDir);
+
+  if (!pnpmResult.valid) {
+    console.log('❌ PNPM version issues found:\n');
+    for (const { workflow, issue } of pnpmResult.workflowIssues) {
+      console.log(`   ⚠️  ${workflow}: ${issue}`);
+    }
+    for (const { issue } of pnpmResult.dockerfileIssues) {
+      console.log(`   ⚠️  ${issue}`);
+    }
+    console.log('\nTo fix:');
+    console.log(
+      '1. Remove hardcoded pnpm versions from workflows (let pnpm/action-setup auto-detect from packageManager)',
+    );
+    console.log(
+      '2. Update Dockerfile pnpm versions to match package.json packageManager field\n',
+    );
+    hasErrors = true;
+  } else {
+    console.log('✅ PNPM versions are consistent!\n');
+  }
+
+  if (hasErrors) {
+    process.exit(1);
+  }
+}
+
+main();