chore(deps): bump actions/setup-node from 4 to 6

[dependabot]

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in actions/setup-node#1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in actions/setup-node#1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in actions/setup-node#1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-node#1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-node#1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-node#1345

New Contributors

• @​priya-kinthali made their first contribution in actions/setup-node#1348
• @​salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
• 8e49463 Fix README typo (#1226)
• Additional commits viewable in compare view

Summary by CodeRabbit

• Chores
  • Updated CI infrastructure to use the latest Node.js setup tooling for improved compatibility and security in automated testing processes.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: 7e5716ac-7c2c-40a9-bede-15958246fd46

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 19: Replace the mutable tags for GitHub Actions with the specified commit
SHAs: change the uses: entries for actions/setup-node (currently
"actions/setup-node@v6") and actions/checkout (currently "actions/checkout@v4")
to their pinned SHAs
("actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and
"actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" respectively) so the
workflow references immutable commits instead of floating tags.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b15e4fb1-300e-4e84-b579-bbfc0cb423e1

📥 Commits

Reviewing files that changed from the base of the PR and between 2aa7757 and 556ea30.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/setup-node/commits/v6 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File lines 1-60 =="
nl -ba "$FILE" | sed -n '1,60p'

echo
echo "== All uses: lines in workflow =="
rg -n "^\s*uses:\s*" "$FILE" || true

Repository: SingularityAI-Dev/covenant-md

Length of output: 156

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File lines 1-80 (numbered) =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,80p'

echo
echo "== All uses: lines in workflow =="
rg -n "^[[:space:]]*uses:[[:space:]]*" "$FILE" || true

Repository: SingularityAI-Dev/covenant-md

Length of output: 888

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114

---

🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155

---

Pin actions/setup-node (and actions/checkout) to commit SHAs in .github/workflows/ci.yml.

@v6 / @v4 are mutable tags; pin to actions/setup-node 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e and actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5.

Suggested change

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
           cache-dependency-path: package-lock.json

🧰 Tools

🪛 zizmor (1.25.2)

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 19, Replace the mutable tags for GitHub
Actions with the specified commit SHAs: change the uses: entries for
actions/setup-node (currently "actions/setup-node@v6") and actions/checkout
(currently "actions/checkout@v4") to their pinned SHAs
("actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and
"actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" respectively) so the
workflow references immutable commits instead of floating tags.