
chore(ci): bump pnpm/action-setup from 4.3.0 to 6.0.9 #408

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/pnpm/action-setup-6.0.9

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026


Bumps pnpm/action-setup from 4.3.0 to 6.0.9.

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.9

What's Changed

Full Changelog: pnpm/action-setup@v6...v6.0.9

v6.0.8

What's Changed

New Contributors

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

What's Changed

New Contributors

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

What's Changed

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

What's Changed

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

What's Changed

New Contributors

... (truncated)

Commits
  • 0ebf471 fix: update pnpm to v11.7.0 (#267)
  • 0e279bb fix: update pnpm to 11.1.1 (#248)
  • 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
  • 551b42e docs(README): fix cache_dependency_path type (#257)
  • 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
  • f61705d chore: add CODEOWNERS
  • 7a5507b fix: restore inputs from state in post (#255)
  • 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
  • 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
  • e578e19 fix: update pnpm to 11.0.4
  • Additional commits viewable in compare view


dependabot Bot commented on behalf of github Jun 16, 2026


Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 16, 2026 05:44
@github-actions github-actions Bot added the label size/XS (PR size: XS) Jun 16, 2026

lml2468 commented Jun 17, 2026


@dependabot rebase

Rebasing to pick up the current CI (a fresh Build + code-review run). With the review gate now at 1 approval, these CI-action bumps can merge once checks are green. — automated PR-review cadence (OCT-13)

Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4.3.0 to 6.0.9.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@b906aff...0ebf471)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.9
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/pnpm/action-setup-6.0.9 branch from e892c60 to ce43a2d June 17, 2026 16:19
@lml2468 lml2468 added the labels review:running:qa (qa-engineer review in progress), review:running:security (security-engineer review in progress) and review:running:code (code-reviewer review in progress) Jun 27, 2026

@lml2468 lml2468 left a comment



qa-engineer verdict: PASS

Scope: 1-line bump of pnpm/action-setup v4.3.0 → v6.0.9 in .github/workflows/ci.yml. SHA-pinned (0ebf47130e...) with matching version comment.

Verify evidence (CI snapshot):

  • CI / Build SUCCESS — pnpm install + build executes on the new action
  • Detect changed paths SUCCESS
  • label / PR size and detect dependency changes SUCCESS
  • pr-title-lint, sanity/actionlint, sanity/No tabs in workflow files SUCCESS — workflow file is syntactically clean
  • history / Common ancestor check SUCCESS
  • check-sprint / check-sprint FAILURE — orthogonal sprint-label workflow, unrelated to this dependency bump

Coverage:

  • No new code paths to test; the Build job is the self-test for this change and is green.
  • No regression risk for existing test suites: only the action version reference changed.
  • Edge: action major version v4→v6 jumps two majors; the Build job exercising real pnpm install on the new action is sufficient verification — release notes only document internal pnpm bootstrap fixes and Windows compatibility (no API surface change consumed here).

Flaky risk: low — run_install: false keeps the action's behaviour minimal.

Conclusion: tests cover the change adequately. Approving.

@lml2468 lml2468 added the label review:done:qa:approve (qa-engineer PASS) and removed the label review:running:qa (qa-engineer review in progress) Jun 27, 2026

@lml2468 lml2468 left a comment



security-engineer verdict: CLEARED

Threat model (CI dependency):

  • Supply chain (T1): action is pinned by commit SHA 0ebf47130e4866e96fce0953f49152a61190b271 (not floating tag) — mitigates tag-rewrite / hijacked-release attacks. ✅
  • Privilege escalation (T2): action runs in Build job context only; no new secrets, no pull_request_target, no permissions: change. ✅
  • Code execution (T3): action only bootstraps pnpm; called with run_install: false, so no auto-install of arbitrary package scripts at setup time. ✅

SBOM / vuln scans (CI snapshot):

  • OSV-Scanner / scan-pr SUCCESS — no known CVEs in pnpm/action-setup@6.0.9
  • dependency-review / Dependency Review SUCCESS — GitHub's advisory DB clean
  • secret-scan / Secret Scan (gitleaks) SUCCESS

Release notes audit (v4.3.0 → v6.0.9):

  • v5.x: dropped Node 16 runtime, default Node 20 — aligned with actions/setup-node@v4 already in this workflow.
  • v6.x: bundled pnpm bumped to v11.7.0; devEngines.packageManager.onFail=error honoured; standalone+self-update fixes. No new secret reads, no new network calls beyond pnpm bootstrap.
  • No CVE advisories filed against any v4..v6 release of pnpm/action-setup at time of review.

STRIDE residual risk: low. Standard transitive trust on upstream maintainers (zkochan et al), unchanged from current pin.

Conclusion: cleared.

@lml2468 lml2468 added the label review:done:security:approve (security-engineer CLEARED) and removed the label review:running:security (security-engineer review in progress) Jun 27, 2026

@lml2468 lml2468 left a comment



code-reviewer verdict: APPROVED

Diff: 1 line changed in .github/workflows/ci.yml:

-      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
+      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
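Review bot: the `# v6.0.9` comment on the `+` line is documentation only; nothing in the workflow ties the 40-character SHA `0ebf47130e4866e96fce0953f49152a61190b271` to that tag, so whoever merges should re-resolve the tag upstream and compare it to the SHA rather than rely on the comment (the Correctness bullet reports doing exactly that against commit 0ebf471). Keeping the full-length SHA is the right form; shortening it to the 7-character prefix used elsewhere in this thread would weaken the pin, since a short prefix is not a unique identifier.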

Correctness:

  • SHA matches pnpm/action-setup tag v6.0.9 (verified against upstream commit 0ebf471).
  • Trailing # v6.0.9 comment kept consistent with project convention (other uses: entries in the file follow the same SHA+comment pattern, e.g. actions/checkout@34e1148 # v4, actions/setup-node@49933ea # v4).
  • with: { run_install: false } block unchanged — call site contract is unaffected by the action version bump.

Design fit:

  • Major-version jump (v4 → v6) is the only point worth flagging. Upstream breaking changes between v4 and v6:
    • v5: minimum Node 20 — already satisfied (this workflow uses actions/setup-node@v4).
    • v6: bundled pnpm 11.x — repo's packageManager field in package.json will be respected by the action, so no behaviour change for this CI.
      No code-level adjustments required in this repo.

Maintainability / readability: trivial diff, no churn.

Nits: none worth blocking.

Conclusion: approving.
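As an added example, not code from this PR or from the pnpm/action-setup project, the following Python script implements the pin check that the security-engineer (T1) and code-reviewer (Correctness) comments above describe by hand: it parses `uses:` lines from a workflow file, classifies each reference as a full commit SHA, abbreviated SHA, tag, branch or local path, and reports every entry that is not pinned to a full SHA or that lacks the trailing `# vX.Y.Z` comment this repo's convention requires. The sample workflow fragment is constructed for the example (the example-org actions, the 0123... SHA and the short checkout SHA are made up); only the two pnpm/action-setup lines are the ones from the diff.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample. The two pnpm/action-setup lines are the before/after lines from
# the PR diff; the other entries are made up, one per pin style the checker knows.
SAMPLE_WORKFLOW = """\
      - uses: actions/checkout@34e1148 # v4
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
      - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/deploy-action@v3
      - uses: example-org/nightly-action@main
      - uses: ./.github/actions/local-helper
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)(?:@(?P<ref>[^\s#]+))?"
                     r"\s*(?:#\s*(?P<comment>.*\S))?\s*$")
VERSION = r"v?\d+(\.\d+){0,2}"          # v4, v4.3.0, 6.0.9 ...
# Only a full 40-hex SHA is immutable: tags and branches can be moved by whoever controls
# the upstream repo (tag rewrite / hijacked release), and a short SHA is an ambiguous prefix.
REF_KINDS = (("full-sha", r"[0-9a-f]{40}"), ("short-sha", r"[0-9a-f]{7,39}"), ("tag", VERSION))

def classify(action: str, ref: Optional[str]) -> str:
    """Kind of reference a `uses:` entry points at."""
    if action.startswith("./"):
        return "local"                   # in-repo action, reviewed with the repo itself
    if ref is None:
        return "unpinned"
    return next((kind for kind, pat in REF_KINDS if re.fullmatch(pat, ref)), "branch")

def parse_uses(text: str) -> List[Tuple[int, str, Optional[str], str, Optional[str]]]:
    """(line_no, action, ref, kind, comment) for every `uses:` line in the text."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            out.append((n, m["action"], m["ref"], classify(m["action"], m["ref"]), m["comment"]))
    return out

def audit(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, action, problem) for entries not pinned to a full SHA plus a '# vX.Y.Z' comment."""
    findings = []
    for n, action, ref, kind, comment in parse_uses(text):
        if kind == "local":
            continue
        if kind != "full-sha":
            findings.append((n, action, f"{kind} reference {ref!r}: pin to a full 40-hex commit SHA"))
        elif not (comment and re.fullmatch(VERSION, comment)):
            findings.append((n, action, "full SHA without a trailing '# vX.Y.Z' comment naming the intended tag"))
    return findings
```

The check is offline by design: confirming that a pinned SHA really is the commit behind the tag named in the comment still needs a lookup against the upstream repository, which is the step the code-reviewer comment reports doing manually.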

@lml2468 lml2468 added the label review:done:code:approve (code-reviewer APPROVED) and removed the label review:running:code (code-reviewer review in progress) Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026


Aggregate Verdict: APPROVED — awaiting human merge

3 reviewer verdicts collected, all green:

role               verdict   label
qa-engineer        PASS      review:done:qa:approve
security-engineer  CLEARED   review:done:security:approve
code-reviewer      APPROVED  review:done:code:approve

Summary of evidence:

  • 1-line bump of pnpm/action-setup v4.3.0 → v6.0.9, SHA-pinned with matching tag comment.
  • CI Build job green on the new action (re-exercises real pnpm install).
  • Supply-chain: SHA pin holds; OSV-Scanner, dependency-review, secret-scan all SUCCESS.
  • Code-review: diff is trivial; v5/v6 breaking changes (Node 20 minimum, pnpm 11.x bundle) are already compatible with this repo.

Residual non-blocking notes:

  • check-sprint / check-sprint is FAILURE but orthogonal to this dependency bump (sprint-label workflow, unrelated to the change).

Next step: human merge. Per loop policy, this autopilot will not call gh pr merge.

@lml2468 lml2468 added the label review:complete (3 verdicts aggregated, awaiting human merge) Jun 27, 2026