build(deps): bump the actions-core group across 1 directory with 2 updates

[dependabot]

Bumps the actions-core group with 2 updates in the / directory: actions/checkout and actions/setup-node.

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/setup-node from 4 to 6

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in actions/setup-node#1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in actions/setup-node#1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in actions/setup-node#1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-node#1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-node#1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-node#1345

New Contributors

• @​priya-kinthali made their first contribution in actions/setup-node#1348
• @​salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
• 8e49463 Fix README typo (#1226)
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[julianken-bot]

Verdict: APPROVE — Two-file v4→v6 bump to actions/checkout + actions/setup-node, completing alignment with the eight workflows already on v6. R1/R2 verification confirms the v6 persisted-credentials path change does not bite this repo: no Docker container actions present.

What I verified (this turn)

• git grep -n "actions/checkout\|actions/setup-node" pr-304-review -- .github/workflows/ → all 10 workflows on @v6 post-merge; no v4 stragglers remain
• grep -rn "container:" .github/workflows/ → 0 matches; no Docker container actions consume the previously-persisted creds (the v6 release-notes risk surface)
• grep -rn "runs-on:" .github/workflows/ → all 12 jobs on ubuntu-latest (GitHub-hosted, runner ≥ v2.334 > the v2.329 v6 minimum)
• python3 -c "import json,sys;p=json.load(sys.stdin);print(p.get(\"packageManager\"))" < package.json → None, so the setup-node v5/v6 automatic-caching breaking change (limited to npm in v6) does not apply; explicit cache: pnpm input remains supported in v6 per actions/setup-node action.yml on main
• gh pr checks 304 → 12/12 required checks pass on the head SHA (ESLint, TypeScript, Vitest, Next.js Build, Analyze Bundle, CodeQL, E2E shards 1–4)

Findings (0)

None. Mandatory second-pass read surfaced no real issues. Pre-existing patterns I considered but did not flag (R7): pnpm version: 9 is unpinned to a minor, and actions are pinned by major rather than commit SHA — both predate this PR and apply uniformly across all nine pnpm/action-setup invocations and the eight already-v6 workflow refs.

Bottom line: ready to merge.

---

Reviewer: @julianken-bot (opus) — fresh-context subagent dispatched via the reviewing-as-julianken-bot skill. Verdict above is binding regardless of GitHub's review label.

[julianken-bot]

@Mergifyio queue

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-18 00:59 UTC · Rule: default
• ✅ Checks passed · in-place
• ✅ Merged — 2026-05-18 01:13 UTC · at 2fc9adaf922ab58d250c2c7da7431005ee17690e · squash

This pull request spent 14 minutes 6 seconds in the queue, including 2 minutes 58 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • build(deps): bump the actions-core group across 1 directory with 2 updates #304
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • build(deps): bump the actions-core group across 1 directory with 2 updates #304
• github-review-decision = APPROVED [🛡 GitHub branch protection]
  • build(deps): bump the actions-core group across 1 directory with 2 updates #304
• any of [🛡 GitHub branch protection]:
  • check-success = ESLint
  • check-neutral = ESLint
  • check-skipped = ESLint
• any of [🛡 GitHub branch protection]:
  • check-success = TypeScript
  • check-neutral = TypeScript
  • check-skipped = TypeScript
• any of [🛡 GitHub branch protection]:
  • check-success = Vitest
  • check-neutral = Vitest
  • check-skipped = Vitest
• any of [🛡 GitHub branch protection]:
  • check-success = Next.js Build
  • check-neutral = Next.js Build
  • check-skipped = Next.js Build
• any of [🛡 GitHub branch protection]:
  • check-success = Analyze Bundle
  • check-neutral = Analyze Bundle
  • check-skipped = Analyze Bundle
• any of [🛡 GitHub branch protection]:
  • check-success = CodeQL Analysis
  • check-neutral = CodeQL Analysis
  • check-skipped = CodeQL Analysis
• any of [🛡 GitHub branch protection]:
  • check-success = E2E Shard 1/4
  • check-neutral = E2E Shard 1/4
  • check-skipped = E2E Shard 1/4
• any of [🛡 GitHub branch protection]:
  • check-success = E2E Shard 2/4
  • check-neutral = E2E Shard 2/4
  • check-skipped = E2E Shard 2/4
• any of [🛡 GitHub branch protection]:
  • check-success = E2E Shard 3/4
  • check-neutral = E2E Shard 3/4
  • check-skipped = E2E Shard 3/4
• any of [🛡 GitHub branch protection]:
  • check-success = E2E Shard 4/4
  • check-neutral = E2E Shard 4/4
  • check-skipped = E2E Shard 4/4