2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -16,7 +16,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@v6
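Review bot: `actions/setup-node@v6` on the changed line is still a mutable tag, and the unchanged `actions/checkout@v4` two lines above it is too, so the zizmor `unpinned-uses` finding reported below stays valid after this bump; pin both to a full commit SHA and keep the version in a trailing comment (`uses: actions/setup-node@<sha> # v6`) so the intent remains readable. Since v4 to v6 is a major-version jump, also check the setup-node release notes against the `node-version` values this step consumes from the matrix before merging.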
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/setup-node/commits/v6 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File lines 1-60 =="
nl -ba "$FILE" | sed -n '1,60p'

echo
echo "== All uses: lines in workflow =="
rg -n "^\s*uses:\s*" "$FILE" || true

Repository: SingularityAI-Dev/covenant-md

Length of output: 156


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/ci.yml"

echo "== File lines 1-80 (numbered) =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,80p'

echo
echo "== All uses: lines in workflow =="
rg -n "^[[:space:]]*uses:[[:space:]]*" "$FILE" || true

Repository: SingularityAI-Dev/covenant-md

Length of output: 888


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114


🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155


🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'
gh api repos/actions/checkout/commits/v4 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 155


🏁 Script executed:

gh api repos/actions/setup-node/commits/v6 --jq '.sha'

Repository: SingularityAI-Dev/covenant-md

Length of output: 114


Pin actions/setup-node (and actions/checkout) to commit SHAs in .github/workflows/ci.yml.

@v6 / @v4 are mutable tags; pin to actions/setup-node 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e and actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5.

Suggested change
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
           cache-dependency-path: package-lock.json
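Review bot: the two SHAs in this suggestion were resolved from the mutable `v6` and `v4` tags with `gh api repos/<owner>/<repo>/commits/<tag> --jq '.sha'` in the analysis chain above, so they are only as trustworthy as those tags were at the moment the script ran; verify each SHA against the corresponding release on the action's repository before applying, and keep the `# v4` / `# v6` trailing comments so a dependency-update bot can still recognise which version the pin corresponds to.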
🧰 Tools
🪛 zizmor (1.25.2)

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 19, replace the mutable tags for GitHub
Actions with the specified commit SHAs: change the uses: entries for
actions/setup-node (currently "actions/setup-node@v6") and actions/checkout
(currently "actions/checkout@v4") to their pinned SHAs
("actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" and
"actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" respectively) so the
workflow references immutable commits instead of floating tags.

with:
node-version: ${{ matrix.node-version }}
cache: npm
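As an added example, not part of the PR or the CodeRabbit comment, the following POSIX shell check does locally what the zizmor `unpinned-uses` finding reports: it scans a workflow's `uses:` lines and flags every reference that is not a full commit SHA. The sample workflow is constructed inline and mirrors the ci.yml hunk under review; `classify_ref` and `check_workflow` are names chosen here, not tooling from the project.

```shell
# Added example, not part of the PR or the CodeRabbit comment: flag every
# `uses:` reference that is not pinned to a full 40-hex commit SHA, i.e. the
# condition behind the zizmor unpinned-uses finding.
set -eu
# Classify one `uses:` reference: "pinned" (40-hex SHA), "tag" (mutable
# tag or branch, or no @ at all), or "local" (./path or docker:// image).
classify_ref() {
  ref=$1
  case "$ref" in
    ./*|docker://*) echo local; return 0 ;;
    *@*) rev=${ref##*@} ;;
    *) echo tag; return 0 ;;
  esac
  if printf '%s\n' "$rev" | grep -Eq '^[0-9a-f]{40}$'; then
    echo pinned
  else
    echo tag
  fi
}

# Print "LINE<TAB>REF" for each unpinned action in a workflow file.
# Returns 1 when anything is unpinned, 0 otherwise.
check_workflow() {
  file=$1; status=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # value of "uses:" (list-prefixed or not), trailing "# v6" comment dropped
    ref=$(printf '%s\n' "$line" |
      sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    [ -n "$ref" ] || continue
    if [ "$(classify_ref "$ref")" = tag ]; then
      printf '%s\t%s\n' "$n" "$ref"
      status=1
    fi
  done < "$file"
  return "$status"
}
# Constructed sample mirroring the ci.yml hunk: one tag, one SHA, one local action.
WF=$(mktemp)
cat > "$WF" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
      - uses: ./.github/actions/local-step
EOF
check_workflow "$WF" || echo "unpinned action references found"
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a CI step and fail the job on a non-zero exit to get the same gate zizmor enforces without the external tool.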