2 changes: 1 addition & 1 deletion .github/workflows/bundle-analysis.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
path: base

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

P2 Stale version comments after bump to v5

The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 correctly points to pnpm/action-setup v5.0.0 (confirmed by ci.yml which correctly annotates it as # v5.0.0), but the inline comment here still reads # v4. This will mislead anyone auditing pinned action versions.

The same stale # v4 comment appears in:

  • .github/workflows/bundle-analysis.yml:31
  • .github/workflows/docs-check.yml:65
  • .github/workflows/docs-seo-aeo.yml (Setup pnpm step)
  • .github/workflows/prepare-release.yml (Setup pnpm step)
  • .github/workflows/release-on-tag.yml (Setup pnpm step)
  • .github/workflows/release.yml (both Setup pnpm steps)
  • .github/workflows/stable-release.yml (Setup pnpm step)

Only ci.yml (updated to # v5.0.0) and deploy-docs.yml (uses the floating @v5 tag) are correct.

Suggested change
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5


🟡 The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 corresponds to pnpm/action-setup v5.0.0, but 8 of 9 updated workflow files still carry the old # v4 comment instead of # v5.0.0. Update the comments in bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (two instances), and stable-release.yml to read # v5.0.0.

Extended reasoning...

What the bug is

When pinning GitHub Actions by SHA, the version comment alongside the SHA is the only human-readable indicator of which version is actually in use. This PR bumps pnpm/action-setup from v4 to v5 across 9 workflow files. The SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 is the v5.0.0 release commit.

The specific discrepancy

In ci.yml, the comment was correctly updated to # v5.0.0 alongside the new SHA. But in 8 other files, the same new SHA was used while the comment was left unchanged as # v4. Affected files: bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (two instances), and stable-release.yml.

Why existing checks do not catch it

GitHub Actions resolves the action by SHA, not by the comment, so CI passes without error. There is no automated check that validates consistency between a pinned SHA and its version comment. The mismatch is purely a human-readable documentation issue.

Impact

Any maintainer auditing dependencies — reviewing Dependabot PRs, checking for version drift, or assessing supply-chain risk — will see # v4 and believe these jobs are still using v4, even though they are actually running v5. This defeats the entire purpose of annotating pinned SHAs with version comments: traceability and auditability are undermined.

Step-by-step proof

  1. The PR title is "chore(deps): bump pnpm/action-setup from 4 to 5".
  2. In the ci.yml diff: old SHA 41ff72655975bd51cab0327fa583b6e92b6d3061 with comment # v4.2.0 was replaced with SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 and comment # v5.0.0. This confirms the new SHA equals v5.0.0.
  3. In the bundle-analysis.yml diff: old SHA 41ff72655975bd51cab0327fa583b6e92b6d3061 # v4 was replaced with fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 — same new SHA, but comment not updated.
  4. A developer reading bundle-analysis.yml would conclude v4 is in use, which is incorrect.

Fix

Change the # v4 comment on all 9 affected lines across the 8 files to # v5.0.0 to match the annotation already present in ci.yml.


- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
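Review bot: the `+` line keeps the `# v4` annotation on a SHA that the ci.yml hunk in this same PR annotates as `# v5.0.0`; change the comment to `# v5.0.0` so the human-readable pin matches the version that actually resolves. GitHub Actions resolves `uses:` by the SHA alone and never reads the comment, so a stale annotation passes CI and only surfaces during a manual audit of pinned versions.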
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
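Review bot: this is the only hunk whose annotation was updated along with the SHA (`# v4.2.0` to `# v5.0.0`), and the other review comments on this PR treat it as ground truth for what `fc06bc1257f339d1d5d8b3a19a8cae5388b55320` is. Since the comment is never validated by Actions, confirm the mapping independently before relying on it, e.g. `git ls-remote --tags https://github.com/pnpm/action-setup` and compare the peeled `v5.0.0^{}` commit against the pinned SHA.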
2 changes: 1 addition & 1 deletion .github/workflows/deploy-docs.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@v6

- name: Setup pnpm
uses: pnpm/action-setup@v4
uses: pnpm/action-setup@v5

🟣 This is a pre-existing issue: deploy-docs.yml uses mutable version tags for all its actions (including pnpm/action-setup@v5 on line 27), while every other workflow in the repository pins actions to full 40-character commit SHAs. This PR changed @v4 to @v5 on this line but missed the opportunity to align it with the SHA-pinning pattern used across all other workflows. The fix would be to replace pnpm/action-setup@v5 with pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0.

Extended reasoning...

Background

All 8 other workflow files in this repository pin GitHub Actions to full 40-character commit SHAs with a version comment (e.g. pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0). This is a supply-chain security best practice: a pinned SHA is immutable and cannot be force-pushed, so the exact code that runs is guaranteed to match what was reviewed.

What the bug is

deploy-docs.yml diverges from this repo-wide convention. Every action reference in that file uses a mutable version tag instead of a SHA:

  • actions/checkout@v6
  • pnpm/action-setup@v5 (the line touched by this PR)
  • actions/setup-node@v6
  • cloudflare/wrangler-action@v3
  • actions/github-script@v8

A mutable tag can be force-pushed by anyone with push access to the upstream action repo. If pnpm/action-setup or any of those action repos were compromised, an attacker could silently redirect the tag to malicious code and the workflow would execute it without any change visible in this repository.

Why this is pre-existing

This pattern predates the current PR: before this PR, deploy-docs.yml already used pnpm/action-setup@v4 (a mutable tag). The other actions in the file (checkout@v6, setup-node@v6, etc.) were also already using mutable tags. The PR did not introduce the mutable-tag pattern — it existed before.

Why the PR is the right place to flag it

The PR directly touches line 27 of deploy-docs.yml, changing @v4 to @v5. In the same commit, every other workflow was updated to use the pinned SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320. The PR author or reviewer had an explicit opportunity to apply the same pattern to deploy-docs.yml but did not.

Concrete proof

Step-by-step inconsistency:

  1. ci.yml line 27 (this PR): pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 ✓ pinned
  2. release.yml line 32 (this PR): pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 ✓ pinned
  3. deploy-docs.yml line 27 (this PR): pnpm/action-setup@v5 ✗ mutable tag

If someone force-pushes the v5 tag on the pnpm/action-setup repo to a malicious commit, the next deploy-docs.yml run would silently execute that malicious code with write access to contents and deployments.

How to fix

Replace:

uses: pnpm/action-setup@v5

with:

uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

Ideally, the other mutable-tag references in the file (checkout@v6, setup-node@v6, wrangler-action@v3, github-script@v8) should also be pinned to SHAs in a follow-up.
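A repository-local check for both problems raised in the comments above: `uses:` references that are not a full commit SHA, and one SHA carrying conflicting version comments across files. This is an added example, not code from the PR or the project's own tooling; the workflow excerpts are constructed from lines shown in this PR, and `audit_workflows`, `major_of` and `SAMPLE` are assumed names.

```python
import re
from collections import defaultdict

# A step's `uses:` line: action path, ref after '@', optional `# version` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def major_of(comment):
    """'v5.0.0' -> 5, 'v4' -> 4; None when the comment is not a version."""
    m = re.match(r"v?(\d+)", comment)
    return int(m.group(1)) if m else None

def audit_workflows(files):
    """files: {filename: yaml_text}. Returns sorted (file, line, kind, detail) tuples."""
    findings = []
    # (action, sha) -> major version from the comment -> {(file, line, comment)}
    seen = defaultdict(lambda: defaultdict(set))
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, comment = m.groups()
            if not SHA_RE.match(ref):
                # A tag or branch can be moved upstream with no change in this repo.
                findings.append((fname, lineno, "mutable-ref", f"{action}@{ref}"))
            elif comment is None:
                findings.append((fname, lineno, "unannotated-sha", f"{action}@{ref[:7]}"))
            else:
                seen[(action, ref)][major_of(comment)].add((fname, lineno, comment))
    # One SHA cannot be two different major versions: at least one comment is stale.
    for (action, sha), by_major in seen.items():
        if len(by_major) > 1:
            for places in by_major.values():
                for fname, lineno, comment in places:
                    findings.append((fname, lineno, "conflicting-annotation",
                                     f"{action}@{sha[:7]} annotated '# {comment}'"))
    return sorted(findings)

# Constructed excerpts of the post-change workflow lines shown in this PR.
SAMPLE = {
    "ci.yml": "      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n"
              "        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0\n",
    "bundle-analysis.yml": "        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4\n"
                           "        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6\n",
    "deploy-docs.yml": "        uses: pnpm/action-setup@v5\n",
}
```

Calling `audit_workflows(SAMPLE)` reports the mutable `@v5` reference in deploy-docs.yml and flags both `# v4` and `# v5.0.0` as conflicting annotations of the same pnpm/action-setup SHA; a minor-version difference such as `# v6` versus `# v6.0.2` on one SHA is deliberately not flagged.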


- name: Setup Node.js
uses: actions/setup-node@v6
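Review bot: the `+` line still references the mutable tag `@v5`, while every other hunk in this PR pins a 40-character commit SHA; replace it with `uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0`, the same pin used in ci.yml. The unchanged context lines (`actions/checkout@v6`, `actions/setup-node@v6`) have the same weakness and are worth pinning in a follow-up, since this workflow runs with write access to contents and deployments.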
2 changes: 1 addition & 1 deletion .github/workflows/docs-check.yml
Expand Up @@ -62,7 +62,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
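Review bot: the `+` line keeps `# v4` on the v5.0.0 SHA; update the comment to `# v5.0.0` to match ci.yml. The `actions/checkout` context line shows the same looseness in the other direction: the SHA that ci.yml annotates `# v6.0.2` is annotated `# v6` here, which is not wrong but makes version drift harder to spot when scanning pins.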
2 changes: 1 addition & 1 deletion .github/workflows/docs-seo-aeo.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
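Review bot: same stale `# v4` annotation on the `+` line as in bundle-analysis.yml; the SHA is v5.0.0 according to the ci.yml hunk, so the comment should read `# v5.0.0`.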
2 changes: 1 addition & 1 deletion .github/workflows/prepare-release.yml
Expand Up @@ -31,7 +31,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
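Review bot: the `+` line's `# v4` comment is stale for the v5.0.0 SHA; change it to `# v5.0.0`. Because this is a release workflow, an auditor reading the comment would otherwise conclude that releases are still built with pnpm/action-setup v4.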
2 changes: 1 addition & 1 deletion .github/workflows/release-on-tag.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
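Review bot: the `+` line needs its comment changed from `# v4` to `# v5.0.0`; the SHA already resolves to v5.0.0, so only the human-readable annotation is wrong.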
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
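Review bot: stale `# v4` comment on the `+` line; update to `# v5.0.0`. This file has a second Setup pnpm step further down with the same SHA and the same stale comment, so both occurrences should be fixed together.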
Expand Down Expand Up @@ -133,7 +133,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
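Review bot: second occurrence in this file of the `# v4` comment on the v5.0.0 SHA; change it to `# v5.0.0` along with the earlier hunk so release.yml is internally consistent.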
2 changes: 1 addition & 1 deletion .github/workflows/stable-release.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
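Review bot: the `+` line carries the stale `# v4` annotation on the v5.0.0 SHA; update it to `# v5.0.0`. With this file fixed, every SHA-pinned workflow in the PR would annotate the SHA consistently, which is what makes SHA pinning auditable in the first place.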