chore: use pnpm setup runtime action

[marandaneto]

💡 Motivation and Context

Simplify CI setup by replacing the separate pnpm/action-setup + actions/setup-node + pnpm cache wiring with the new pinned pnpm/setup action, which installs pnpm and the Node.js runtime in one step.

This also adds/keeps package-manager release-age gates at a total of 7 days:

• npm .npmrc: min-release-age=7 because npm uses days.
• pnpm minimumReleaseAge: 10080 because pnpm uses minutes.

Note: pnpm/setup does not currently read .nvmrc, so Node 24 is duplicated in the action config for now where the repo also has .nvmrc. Once jasongin/nvs#315 lands, we can remove that duplicated runtime version and go back to a single .nvmrc source of truth.

💚 How did you test it?

• Parsed the changed GitHub Actions / pnpm YAML with PyYAML.
• Checked .npmrc files use npm's day-based min-release-age=7 and pnpm files use minute-based minimumReleaseAge: 10080.
• Ran git diff --check.

📝 Checklist

• I reviewed the submitted code.
• I added tests to verify the changes.
• I updated the docs if needed.
• No breaking change or entry added to the changelog.

If releasing new changes

• Ran pnpm changeset to generate a changeset file

🤖 Agent context

Autonomy: Human-driven (agent-assisted)

Updated the CI setup at the user's request after checking the new pnpm/setup action behavior. Chose install: false so existing explicit pnpm install --frozen-lockfile commands keep their current lockfile behavior, and pinned the action to the current v1 commit SHA.

[github-actions]

posthog-dotnet Compliance Report

Date: 2026-06-25 10:21:01 UTC
Duration: 652ms

⚠️ Some Tests Failed

2/16 tests passed, 14 failed

---

Feature_Flags Tests

⚠️ 2/16 tests passed, 14 failed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	❌	42ms
Request Payload.Flags Request Uses V2 Query Param	❌	21ms
Request Payload.Flags Request Hits Flags Path Not Decide	❌	5ms
Request Payload.Flags Request Omits Authorization Header	❌	5ms
Request Payload.Token In Flags Body Matches Init	❌	5ms
Request Payload.Groups Round Trip	❌	4ms
Request Payload.Groups Default To Empty Object	❌	4ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	❌	5ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	❌	5ms
Request Payload.Disable Geoip Omitted Defaults To False	❌	5ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	❌	5ms
Request Lifecycle.No Flags Request On Init Alone	✅	3ms
Request Lifecycle.No Flags Request On Normal Capture	✅	180ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	❌	6ms
Request Lifecycle.Mock Response Value Is Returned To Caller	❌	5ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	❌	5ms

Failures

request_payload.request_with_person_properties_device_id

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.flags_request_uses_v2_query_param

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.flags_request_hits_flags_path_not_decide

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.flags_request_omits_authorization_header

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.token_in_flags_body_matches_init

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.groups_round_trip

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.groups_default_to_empty_object

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.person_properties_distinct_id_auto_populated_when_caller_omits_it

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.disable_geoip_false_propagates_as_geoip_disable_false

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.disable_geoip_omitted_defaults_to_false

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_payload.flag_keys_to_evaluate_contains_only_requested_key

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_lifecycle.two_flag_calls_produce_two_remote_requests

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

request_lifecycle.mock_response_value_is_returned_to_caller

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

side_effect_events.get_feature_flag_captures_feature_flag_called_event

404, message='Not Found', url='http://sdk-adapter:8080/get_feature_flag'

[greptile-apps]

Security Review

• pnpm/setup@f7d0e5f4b1b3089d2799ef9722859e7ba314c4c8 is used in the release pipeline, but no public documentation for a pnpm/setup repository (distinct from the known pnpm/action-setup) was found. Using an unverified third-party action in a workflow that pushes packages to NuGet is a supply-chain risk; the SHA pin is the correct mitigation but the provenance of the action itself should be confirmed against the official pnpm GitHub organisation.
• The new .npmrc min-release-age=10080 is a positive supply-chain hardening measure with no security concerns.

_{Reviews (1): Last reviewed commit: "chore: use pnpm setup runtime action" | Re-trigger Greptile}

[greptile-apps]

_{Reviews (2): Last reviewed commit: "chore: use pnpm setup runtime action" | Re-trigger Greptile}

[greptile-apps]

_{Reviews (3): Last reviewed commit: "fix: use pnpm 11 package manager" | Re-trigger Greptile}