lingodotdev · davidturnbull · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025 · Oct 22, 2025
diff --git a/.changeset/reproducible-builds-parity.md b/.changeset/reproducible-builds-parity.md
@@ -0,0 +1,10 @@
+---
+"lingo.dev": patch
+"@lingo.dev/_compiler": patch
+"@lingo.dev/_locales": patch
+"@lingo.dev/_sdk": patch
+"@lingo.dev/_spec": patch
+"@lingo.dev/_react": patch
+---
+
+Adopt fully hermetic, reproducible builds with containerized local/CI parity; deterministic packaging and checksums; containerized PR/release workflows.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,162 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, edited, synchronize]
+    branches: [main]
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
+
+      - name: Check formatting (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm prettier . --check
+
+  typecheck:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
+
+      - name: Typecheck (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo typecheck
+
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
+
+      - name: Build (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo build --force
+
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
+
+      - name: Test (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo test
+
+  changeset:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
+
+      - name: Cache pnpm store
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Mark repo as safe for git inside container
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh git config --global --add safe.directory /workspace
+
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
+
+      - name: Require changeset to be present in PR (container)
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset status --since origin/main
diff --git a/.github/workflows/lingodotdev.yml b/.github/workflows/lingodotdev.yml
@@ -45,21 +45,31 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Use Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: "20"
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
+
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
 
-      - name: Lingo.dev
-        uses: ./
+      - name: Cache pnpm store
+        uses: actions/cache@v3
         with:
-          api-key: ${{ secrets.LINGODOTDEV_API_KEY }}
-          version: ${{ inputs.version }}
-          pull-request: ${{ inputs['pull-request'] }}
-          commit-message: ${{ inputs['commit-message'] }}
-          pull-request-title: ${{ inputs['pull-request-title'] }}
-          working-directory: ${{ inputs['working-directory'] }}
-          process-own-commits: ${{ inputs['process-own-commits'] }}
-          parallel: ${{ inputs.parallel }}
+          path: ${{ env.REPRO_PNPM_STORE }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Lingo.dev (container)
         env:
           GH_TOKEN: ${{ github.token }}
+          LINGODOTDEV_API_KEY: ${{ secrets.LINGODOTDEV_API_KEY }}
+        run: |
+          REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh \
+            npx lingo.dev@${{ inputs.version }} ci \
+              --api-key "$LINGODOTDEV_API_KEY" \
+              --pull-request "${{ inputs['pull-request'] }}" \
+              --commit-message "${{ inputs['commit-message'] }}" \
+              --pull-request-title "${{ inputs['pull-request-title'] }}" \
+              --working-directory "${{ inputs['working-directory'] }}" \
+              --process-own-commits "${{ inputs['process-own-commits'] }}" \
+              --parallel ${{ inputs.parallel }}
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,61 +35,55 @@ jobs:
             exit 0
           fi
 
-      - name: Use Node.js
-        uses: actions/setup-node@v2
-        with:
-          node-version: 20.12.2
+      - name: Build hermetic image
+        run: docker build -f Dockerfile.repro -t lingo-repro:20.12.2 .
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
-        id: pnpm-install
-        with:
-          version: 9.12.3
-          run_install: false
+      - name: Prepare pnpm store path
+        run: echo "REPRO_PNPM_STORE=${{ runner.temp }}/pnpm-store" >> $GITHUB_ENV
 
-      - name: Configure pnpm cache
-        id: pnpm-cache
-        run: echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT
-      - uses: actions/cache@v3
+      - name: Cache pnpm store
+        uses: actions/cache@v3
         with:
-          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
+          path: ${{ env.REPRO_PNPM_STORE }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
 
-      - name: Install deps
-        run: pnpm install
+      - name: Install deps (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm install --frozen-lockfile
 
-      - name: Lingo.dev
+      - name: Lingo.dev (container)
         if: ${{ !inputs.skip_lingo }}
-        uses: ./
-        with:
-          api-key: ${{ secrets.LINGODOTDEV_API_KEY }}
-          pull-request: true
-          parallel: true
         env:
           GH_TOKEN: ${{ github.token }}
-
-      - name: Setup
+          LINGODOTDEV_API_KEY: ${{ secrets.LINGODOTDEV_API_KEY }}
         run: |
-          pnpm turbo telemetry disable
+          REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh \
+            npx lingo.dev@latest ci \
+              --api-key "$LINGODOTDEV_API_KEY" \
+              --pull-request "true" \
+              --commit-message "feat: update translations via @LingoDotDev" \
+              --pull-request-title "feat: update translations via @LingoDotDev" \
+              --working-directory "." \
+              --process-own-commits "false" \
+              --parallel true
 
-      - name: Configure Turbo cache
-        uses: dtinth/setup-github-actions-caching-for-turbo@v1
+      - name: Disable turbo telemetry (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo telemetry disable
 
-      - name: Build
-        run: pnpm turbo build --force
+      - name: Build (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo build --force
 
-      - name: Test
-        run: pnpm turbo test --force
+      - name: Test (container)
+        run: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm turbo test
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
         with:
           title: "chore: bump package versions"
-          version: pnpm changeset version
-          publish: pnpm changeset publish
+          version: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset version
+          publish: REPRO_PNPM_STORE="${{ env.REPRO_PNPM_STORE }}" bash scripts/repro/exec.sh pnpm changeset publish
           commit: "chore: bump package version"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,7 @@
 node_modules
 .pnp
 .pnp.js
+.pnpm-store/
 
 # Local env files
 .env
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ @@
     node_modules
     .pnp
     .pnp.js
+    .pnpm-store/
     # Local env files
     .env
@@ Expand Down @@