Skip to content

chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0 #326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dependabot wants to merge 1 commit into from
Closed

chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.0 #326

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/bundle-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
path: base

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

Check warning on line 31 in .github/workflows/bundle-analysis.yml

View check run for this annotation

Claude / Claude Code Review

Stale version comments: hash points to v6.0.0 but comments still say # v4 

Eight workflow files have their pnpm/action-setup hash updated to the v6.0.0 release commit (08c4be7e), but the inline version comments still read `# v4` instead of `# v6.0.0`. The comments should be updated to `# v6.0.0` in: bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (2 places), and stable-release.yml.
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Stale version comment after bump

The SHA now points to v6.0.0 but the inline comment still reads # v4. The same pattern appears in docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (both jobs), and stable-release.yml. Only ci.yml was updated correctly. Consider updating the comments to # v6.0.0 across all affected files for consistency with ci.yml.

Suggested change
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/bundle-analysis.yml
Line: 31

Comment:
**Stale version comment after bump**

The SHA now points to v6.0.0 but the inline comment still reads `# v4`. The same pattern appears in `docs-check.yml`, `docs-seo-aeo.yml`, `prepare-release.yml`, `release-on-tag.yml`, `release.yml` (both jobs), and `stable-release.yml`. Only `ci.yml` was updated correctly. Consider updating the comments to `# v6.0.0` across all affected files for consistency with `ci.yml`.

```suggestion
        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
```

How can I resolve this? If you propose a fix, please make it concise.

Copy link
Copy Markdown

@claude claude Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Eight workflow files have their pnpm/action-setup hash updated to the v6.0.0 release commit (08c4be7e), but the inline version comments still read # v4 instead of # v6.0.0. The comments should be updated to # v6.0.0 in: bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (2 places), and stable-release.yml.

Extended reasoning...

What the bug is and how it manifests

This PR bumps pnpm/action-setup from v5.0.0 to v6.0.0 by updating the pinned commit hash to 08c4be7e2e672a47d11bd04269e27e5f3e8529cb. The convention in this repo is to pin actions by full commit SHA for security, with an inline comment documenting the human-readable version tag (e.g., # v6.0.0). The PR correctly updated the hash in all 9 workflow files, but only updated the version comment in one of them (ci.yml). The remaining 8 files now have a mismatch between the actual version being executed (v6.0.0) and what the comment says (v4).

The specific code path that triggers it

In ci.yml, the line was changed from:

uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

to:

uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0

But in bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (lines 32 and 136), and stable-release.yml, the same hash change was applied while retaining # v4 — which was already stale before this PR (those files were using the v5 hash fc06bc12 but commenting it as # v4).

Why existing code doesn't prevent it

There is no automated check that validates the consistency between the pinned commit hash and the version comment. The discrepancy is a purely human/tooling oversight — Dependabot updated the hashes but did not update the comments in the affected files.

What the impact would be

The workflows will function correctly because GitHub Actions resolves the commit SHA, not the comment. However, the comments exist specifically to aid human auditing: when a developer reviews these files to verify which version of a third-party action is being used, they will see # v4 and believe the workflow is running v4.x, when it is actually running v6.0.0. This is misleading for security audits and dependency tracking.

How to fix it

Update all 8 affected files, changing # v4 to # v6.0.0 on the pnpm/action-setup line. For example, in bundle-analysis.yml line 31:

uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0

Step-by-step proof

  1. The PR title states this bumps pnpm/action-setup from 5.0.0 to 6.0.0.
  2. The PR description lists commit 08c4be7 as the v6.0.0 release commit.
  3. In the diff for ci.yml: old hash fc06bc12... # v5.0.0 → new hash 08c4be7e... # v6.0.0 ✓ (correct).
  4. In the diff for bundle-analysis.yml: old hash fc06bc12... # v4 → new hash 08c4be7e... # v4 ✗ (comment not updated).
  5. Steps 4 repeats for docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (twice), and stable-release.yml.
  6. A developer reading bundle-analysis.yml would see # v4 and incorrectly conclude the workflow uses pnpm/action-setup v4, when it actually uses v6.0.0.


- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/deploy-docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@
uses: actions/checkout@v6

- name: Setup pnpm
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 No SHA pin on deploy-docs.yml

This workflow uses a mutable tag reference (@v6.0.0) while all other workflows in this PR use a full commit SHA. If the tag is ever force-pushed, this workflow would silently run a different version. Consider pinning to the same SHA used elsewhere (08c4be7e2e672a47d11bd04269e27e5f3e8529cb).

Suggested change
- name: Setup pnpm
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/deploy-docs.yml
Line: 26

Comment:
**No SHA pin on `deploy-docs.yml`**

This workflow uses a mutable tag reference (`@v6.0.0`) while all other workflows in this PR use a full commit SHA. If the tag is ever force-pushed, this workflow would silently run a different version. Consider pinning to the same SHA used elsewhere (`08c4be7e2e672a47d11bd04269e27e5f3e8529cb`).

```suggestion
        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
```

How can I resolve this? If you propose a fix, please make it concise.

uses: pnpm/action-setup@v5
uses: pnpm/action-setup@v6.0.0

Check notice on line 28 in .github/workflows/deploy-docs.yml

View check run for this annotation

Claude / Claude Code Review

deploy-docs.yml uses mutable tag @v6.0.0 instead of pinned commit hash 

deploy-docs.yml uses pnpm/action-setup@v6.0.0 (a mutable tag) while all 8 other workflows updated in this PR use the pinned commit SHA 08c4be7e2e672a47d11bd04269e27e5f3e8529cb. This is a pre-existing issue — deploy-docs.yml was already using mutable tags for all its actions (checkout@v6, setup-node@v6, wrangler-action@v3, github-script@v8) before this PR — but since this PR touched this exact line, it was an opportunity to bring it in line with the pinned-hash approach used everywhere else. Cons
Copy link
Copy Markdown

@claude claude Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟣 deploy-docs.yml uses pnpm/action-setup@v6.0.0 (a mutable tag) while all 8 other workflows updated in this PR use the pinned commit SHA 08c4be7e2e672a47d11bd04269e27e5f3e8529cb. This is a pre-existing issue — deploy-docs.yml was already using mutable tags for all its actions (checkout@v6, setup-node@v6, wrangler-action@v3, github-script@v8) before this PR — but since this PR touched this exact line, it was an opportunity to bring it in line with the pinned-hash approach used everywhere else. Consider updating to: uses: pnpm/action-setup@08c4be7 # v6.0.0

Extended reasoning...

What the bug is: deploy-docs.yml line 28 uses pnpm/action-setup@v6.0.0 — a mutable semver tag — while all 8 other workflow files updated in this same PR use the pinned commit hash 08c4be7e2e672a47d11bd04269e27e5f3e8529cb. A mutable tag means the tag can be force-pushed to point to different commit content at any time, so the action that actually runs can silently change without the workflow file changing.

The specific code path: In deploy-docs.yml, the "Setup pnpm" step resolves pnpm/action-setup@v6.0.0 at runtime. GitHub Actions resolves this to whatever commit the v6.0.0 tag points to at execution time. If the tag is moved (e.g., in response to a supply chain compromise), all future runs of this workflow will execute attacker-controlled code with the workflow's permissions (contents: read, deployments: write, pull-requests: write).

Why existing code doesn't prevent it: The other 8 workflows were correctly updated to use the immutable SHA 08c4be7e2e672a47d11bd04269e27e5f3e8529cb, which resolves to exactly one specific git object and can never be silently changed. deploy-docs.yml was not given the same treatment — it was only bumped from @v5 to @v6.0.0, both being mutable references. Furthermore, deploy-docs.yml uses mutable tags for all its other actions as well: checkout@v6, setup-node@v6, cloudflare/wrangler-action@v3, and github-script@v8.

Pre-existing nature: This is a pre-existing issue. The entire deploy-docs.yml file used mutable tags before this PR. The PR updated pnpm/action-setup from @v5 to @v6.0.0 but did not fix the underlying security posture, whereas the other 8 files were properly pinned.

Impact: The deploy-docs workflow has write access to deployments and pull-requests, making it a higher-value target. A compromised mutable action tag could exfiltrate secrets (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID), post malicious PR comments, or manipulate Cloudflare Pages deployments.

How to fix: Replace the mutable tag with the pinned hash that is already used across all other workflows:

- name: Setup pnpm
  uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0

Ideally, all other mutable action references in this file (checkout@v6, setup-node@v6, wrangler-action@v3, github-script@v8) should also be pinned to their respective commit SHAs.

Step-by-step proof:

  1. This PR updates deploy-docs.yml line 28 from pnpm/action-setup@v5 to pnpm/action-setup@v6.0.0
  2. The diff for ci.yml shows the correct pattern: pnpm/action-setup@08c4be7 # v6.0.0
  3. Same pinned SHA appears in bundle-analysis.yml, docs-check.yml, docs-seo-aeo.yml, prepare-release.yml, release-on-tag.yml, release.yml (×2), and stable-release.yml — 9 total pinned occurrences vs. 1 mutable reference remaining in deploy-docs.yml
  4. If an attacker forces the pnpm/action-setup v6.0.0 tag to point to malicious code, every subsequent deploy-docs.yml run would execute that code — while all 8 other workflows remain unaffected due to immutable SHA pinning

- name: Setup Node.js
uses: actions/setup-node@v6
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docs-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docs-seo-aeo.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/prepare-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-on-tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down Expand Up @@ -133,7 +133,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/stable-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
fetch-depth: 0

- name: Setup pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4
uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4

- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
Expand Down
Loading