
chore(deps): bump pnpm/action-setup from 4 to 5#311

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/pnpm/action-setup-5

Conversation


@dependabot dependabot bot commented on behalf of github Mar 23, 2026

Bumps pnpm/action-setup from 4 to 5.

Release notes

Sourced from pnpm/action-setup's releases.

v5.0.0

Updated the action to use Node.js 24.

v4.4.0

Updated the action to use Node.js 24.

v4.3.0

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

v4.2.0

When there's a .npmrc file at the root of the repository, pnpm will be fetched from the registry that is specified in that .npmrc file #179

v4.1.0

Add support for package.yaml #156.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4 to 5.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@v4...v5)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Mar 23, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.


greptile-apps bot commented Mar 23, 2026

Greptile Summary

This is a routine Dependabot PR that bumps pnpm/action-setup from v4 to v5 across all 9 GitHub Actions workflow files. The underlying change in v5 is that the action now runs on Node.js 24. The actual SHA pinned (fc06bc1257f339d1d5d8b3a19a8cae5388b55320) correctly points to the v5.0.0 release.

  • The bump is correctly applied across all workflow files.
  • ci.yml correctly updates both the SHA and the inline comment to # v5.0.0.
  • deploy-docs.yml correctly updates the floating tag from @v4 to @v5.
  • 7 of the 9 files have their SHA updated to the v5 commit but retain a stale # v4 inline comment, which is misleading when auditing pinned action versions — though functionally harmless since the SHA is authoritative.

Confidence Score: 5/5

  • Safe to merge — the SHA correctly resolves to v5.0.0 in all files; the stale # v4 comments are cosmetic only.
  • The change is a single-line version bump in each workflow file, the SHA is verified correct (ci.yml explicitly annotates it as v5.0.0), and there are no logic or security concerns. The only issue is stale version comments in 7 files, which do not affect runtime behaviour.
  • No files require special attention; the stale # v4 comments in bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml, and stable-release.yml are cosmetic.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Correctly updated SHA to v5 commit and comment updated to # v5.0.0. |
| .github/workflows/bundle-analysis.yml | SHA updated to v5 commit but inline comment still reads # v4 — misleading for future audits. |
| .github/workflows/deploy-docs.yml | Updated floating tag from @v4 to @v5 — clean and correct. |
| .github/workflows/docs-check.yml | SHA updated to v5 commit but inline comment still reads # v4. |
| .github/workflows/docs-seo-aeo.yml | SHA updated to v5 commit but inline comment still reads # v4. |
| .github/workflows/prepare-release.yml | SHA updated to v5 commit but inline comment still reads # v4. |
| .github/workflows/release-on-tag.yml | SHA updated to v5 commit but inline comment still reads # v4. |
| .github/workflows/release.yml | Both Setup pnpm steps updated to v5 SHA but both inline comments still read # v4. |
| .github/workflows/stable-release.yml | SHA updated to v5 commit but inline comment still reads # v4. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["pnpm/action-setup@v4\n(SHA: 41ff726...)"] -->|bumped to| B["pnpm/action-setup@v5\n(SHA: fc06bc1...)"]
    B --> C{Comment updated?}
    C -->|Yes| D["ci.yml → # v5.0.0\ndeploy-docs.yml → @v5 tag"]
    C -->|No — stale # v4| E["bundle-analysis.yml\ndocs-check.yml\ndocs-seo-aeo.yml\nprepare-release.yml\nrelease-on-tag.yml\nrelease.yml ×2\nstable-release.yml"]
    E -.->|SHA still correct| F["✅ Functionally safe"]
    D --> F
```

Reviews (1): Last reviewed commit: "chore(deps): bump pnpm/action-setup from..."


- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
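Review bot: the comment on the replacement line still reads `# v4` although the SHA it pins is the v5.0.0 commit (ci.yml in this same PR annotates the identical SHA as `# v5.0.0`), so change it to `uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0`. The runner resolves the SHA, not the comment, so this changes nothing at runtime; it only affects what a person auditing the pin reads, which is exactly why the comment has to be right.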

P2 Stale version comments after bump to v5

The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 correctly points to pnpm/action-setup v5.0.0 (confirmed by ci.yml which correctly annotates it as # v5.0.0), but the inline comment here still reads # v4. This will mislead anyone auditing pinned action versions.

The same stale # v4 comment appears in:

  • .github/workflows/bundle-analysis.yml:31
  • .github/workflows/docs-check.yml:65
  • .github/workflows/docs-seo-aeo.yml (Setup pnpm step)
  • .github/workflows/prepare-release.yml (Setup pnpm step)
  • .github/workflows/release-on-tag.yml (Setup pnpm step)
  • .github/workflows/release.yml (both Setup pnpm steps)
  • .github/workflows/stable-release.yml (Setup pnpm step)

Only ci.yml (updated to # v5.0.0) and deploy-docs.yml (uses the floating @v5 tag) are correct.

Suggested change
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5

@claude claude bot left a comment


LGTM — the SHA correctly points to pnpm/action-setup v5.0.0; the inline comments flag the stale # v4 annotations and the pre-existing mutable-tag issue in deploy-docs.yml.

Extended reasoning...

Overview

This Dependabot PR updates pnpm/action-setup from v4 to v5 across 9 workflow files by replacing the old SHA with the new SHA for v5.0.0. The change is purely mechanical — no logic, permissions, or workflow structure is altered.

Security risks

The SHA swap is the correct supply-chain-safe mechanism; the new SHA is the immutable v5.0.0 commit. The pre-existing mutable-tag usage in deploy-docs.yml (flagged by the inline comment) was already present before this PR and is a separate concern. No new security regressions are introduced.

Level of scrutiny

Low. This is a routine Dependabot version bump following the repo's established SHA-pinning pattern. The diff is uniform and easy to verify: every touched line swaps the same old SHA for the same new SHA.

Other factors

The two findings from the bug hunter are (1) a pre-existing issue in deploy-docs.yml that predates this PR, and (2) a cosmetic nit where 8 of 9 files have the correct new SHA but retain the old # v4 comment instead of # v5.0.0. Neither affects correctness or security of the SHA-pinned workflows. The inline comments surface these for the author to address if desired.


- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

🟡 The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 corresponds to pnpm/action-setup v5.0.0, but 8 of 9 updated workflow files still carry the old # v4 comment instead of # v5.0.0. Update the comments in bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (two instances), and stable-release.yml to read # v5.0.0.

Extended reasoning...

What the bug is

When pinning GitHub Actions by SHA, the version comment alongside the SHA is the only human-readable indicator of which version is actually in use. This PR bumps pnpm/action-setup from v4 to v5 across 9 workflow files. The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 is the v5.0.0 release commit.

The specific discrepancy

In ci.yml, the comment was correctly updated to # v5.0.0 alongside the new SHA. But in 8 other files, the same new SHA was used while the comment was left unchanged as # v4. Affected files: bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (two instances), and stable-release.yml.

Why existing checks do not catch it

GitHub Actions resolves the action by SHA, not by the comment, so CI passes without error. There is no automated check that validates consistency between a pinned SHA and its version comment. The mismatch is purely a human-readable documentation issue.

Impact

Any maintainer auditing dependencies — reviewing Dependabot PRs, checking for version drift, or assessing supply-chain risk — will see # v4 and believe these jobs are still using v4, even though they are actually running v5. This defeats the entire purpose of annotating pinned SHAs with version comments: traceability and auditability are undermined.

Step-by-step proof

  1. The PR title is "chore(deps): bump pnpm/action-setup from 4 to 5".
  2. In the ci.yml diff: old SHA 41ff72655975bd51cab0327fa583b6e92b6d3061 with comment # v4.2.0 was replaced with SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 and comment # v5.0.0. This confirms the new SHA equals v5.0.0.
  3. In the bundle-analysis.yml diff: old SHA 41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 was replaced with fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 — same new SHA, but comment not updated.
  4. A developer reading bundle-analysis.yml would conclude v4 is in use, which is incorrect.

Fix

Change the # v4 comment on all 9 affected lines across the 8 files to # v5.0.0 to match the annotation already present in ci.yml.


- name: Setup pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@v5
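Review bot: the replacement line keeps a mutable `@v5` tag while every other `uses:` line touched by this PR pins the same action to its full commit SHA; replace it with `uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0` so that a moved tag upstream cannot change what this workflow runs. The file's other references (`actions/checkout@v6`, `actions/setup-node@v6`, `cloudflare/wrangler-action@v3`, `actions/github-script@v8`) follow the same tag-only pattern and should be pinned the same way in a follow-up.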

🟣 This is a pre-existing issue: deploy-docs.yml uses mutable version tags for all its actions (including pnpm/action-setup@v5 on line 27), while every other workflow in the repository pins actions to full 40-character commit SHAs. This PR changed @v4 to @v5 on this line but missed the opportunity to align it with the SHA-pinning pattern used across all other workflows. The fix would be to replace pnpm/action-setup@v5 with pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0.

Extended reasoning...

Background

All 8 other workflow files in this repository pin GitHub Actions to full 40-character commit SHAs with a version comment (e.g. pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0). This is a supply-chain security best practice: a pinned SHA is immutable and cannot be force-pushed, so the exact code that runs is guaranteed to match what was reviewed.

What the bug is

deploy-docs.yml diverges from this repo-wide convention. Every action reference in that file uses a mutable version tag instead of a SHA:

  • actions/checkout@v6
  • pnpm/action-setup@v5 (the line touched by this PR)
  • actions/setup-node@v6
  • cloudflare/wrangler-action@v3
  • actions/github-script@v8

A mutable tag can be force-pushed by anyone with push access to the upstream action repo. If pnpm/action-setup or any of those action repos were compromised, an attacker could silently redirect the tag to malicious code and the workflow would execute it without any change visible in this repository.

Why this is pre-existing

This pattern predates the current PR: before this PR, deploy-docs.yml already used pnpm/action-setup@v4 (a mutable tag). The other actions in the file (checkout@v6, setup-node@v6, etc.) were also already using mutable tags. The PR did not introduce the mutable-tag pattern — it existed before.

Why the PR is the right place to flag it

The PR directly touches line 27 of deploy-docs.yml, changing @v4 to @v5. In the same commit, every other workflow was updated to use the pinned SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320. The PR author or reviewer had an explicit opportunity to apply the same pattern to deploy-docs.yml but did not.

Concrete proof

Step-by-step inconsistency:

  1. ci.yml line 27 (this PR): pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 ✓ pinned
  2. release.yml line 32 (this PR): pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 ✓ pinned
  3. deploy-docs.yml line 27 (this PR): pnpm/action-setup@v5 ✗ mutable tag

If someone force-pushes the v5 tag on the pnpm/action-setup repo to a malicious commit, the next deploy-docs.yml run would silently execute that malicious code with write access to contents and deployments.

How to fix

Replace:

uses: pnpm/action-setup@v5

with:

uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

Ideally, the other mutable-tag references in the file (checkout@v6, setup-node@v6, wrangler-action@v3, github-script@v8) should also be pinned to SHAs in a follow-up.
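The two findings above (a `# v4` comment beside a v5.0.0 SHA, and a workflow that references actions by mutable tag) are both things a small pre-merge check can catch. As an added example, not code from this PR, from Dependabot or from pnpm/action-setup, the script below walks `uses:` lines in workflow text, flags references that are not full commit SHAs, flags pinned SHAs whose inline version comment disagrees with the tag the SHA is known to carry, and flags pinned SHAs that carry no comment at all. It assumes the caller supplies the SHA-to-tag map (for instance from `git ls-remote --tags` against the action repository); the two pnpm/action-setup entries and the sample workflow lines are taken from this PR discussion, and the all-zero SHA is a constructed placeholder.

```python
"""Audit GitHub Actions `uses:` references for pinning and comment drift.

Added example, not code from this PR, from Dependabot or from pnpm/action-setup.
The SHA-to-tag map is an input the caller supplies (e.g. from
`git ls-remote --tags` against the action repository); the entries and the
sample workflow lines below are taken from the PR discussion, except the
all-zero SHA, which is a constructed placeholder.
"""
import re
from dataclasses import dataclass

# A step's `uses:` line of the form owner/repo[/path]@ref, optionally followed
# by a `# <version>` annotation. Local (./...) and docker:// actions do not have
# this shape and are deliberately ignored.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*"
    r"(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s+#\s*(?P<comment>\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str    # mutable-ref | unverified-sha | missing-comment | stale-comment
    detail: str


def comment_matches_tag(comment: str, tag: str) -> bool:
    """`# v4` agrees with v4.2.0 and `# v5.0.0` with v5.0.0; `# v4` does not agree with v5.0.0 (or v40.0.0)."""
    return tag == comment or tag.startswith(comment + ".")


def audit_workflow(path: str, text: str, known_tags: dict) -> list:
    """Return one Finding per `uses:` line that is unpinned or mis-annotated."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        owner_repo = "/".join(repo.split("/")[:2])  # drop any sub-path inside the repo
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(path, lineno, "mutable-ref",
                f"{repo}@{ref} is a tag or branch; pin to a full commit SHA"))
            continue
        tag = known_tags.get((owner_repo, ref))
        if tag is None:
            findings.append(Finding(path, lineno, "unverified-sha",
                f"{owner_repo}@{ref[:7]} is not in the supplied SHA-to-tag map"))
        elif comment is None:
            findings.append(Finding(path, lineno, "missing-comment",
                f"{owner_repo}@{ref[:7]} is {tag} but carries no version comment"))
        elif not comment_matches_tag(comment, tag):
            findings.append(Finding(path, lineno, "stale-comment",
                f"comment says {comment} but {ref[:7]} is {tag}"))
    return findings


def audit_all(workflows: dict, known_tags: dict) -> list:
    """Audit a {path: text} mapping and return findings ordered by path and line."""
    findings = []
    for path, text in workflows.items():
        findings.extend(audit_workflow(path, text, known_tags))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample input modelled on the files discussed in this PR.
PLACEHOLDER_SHA = "0" * 40  # constructed placeholder, not a real commit
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": (
        f"      - uses: actions/checkout@{PLACEHOLDER_SHA} # v6\n"
        "      - name: Setup pnpm\n"
        "        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0\n"
    ),
    ".github/workflows/bundle-analysis.yml": (
        "      - name: Setup pnpm\n"
        "        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4\n"
    ),
    ".github/workflows/deploy-docs.yml": (
        "      - uses: actions/checkout@v6\n"
        "      - uses: pnpm/action-setup@v5\n"
    ),
    ".github/workflows/release.yml": (
        "      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061\n"
    ),
}
# SHA -> tag entries as stated in the PR review comments.
KNOWN_TAGS = {
    ("pnpm/action-setup", "fc06bc1257f339d1d5d8b3a19a8cae5388b55320"): "v5.0.0",
    ("pnpm/action-setup", "41ff72655975bd51cab0327fa583b6e92b6d3061"): "v4.2.0",
}


def main() -> None:
    for f in audit_all(SAMPLE_WORKFLOWS, KNOWN_TAGS):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")


if __name__ == "__main__":
    main()
```

Run against a checkout, the script would read each file under `.github/workflows/` into the `workflows` mapping and fail the job on any `mutable-ref` or `stale-comment` finding; `unverified-sha` findings mean the map is incomplete and the SHA has to be resolved against the upstream tags before it is trusted.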
