chore(deps): update github actions major (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v4 → 7.0.0
actions/setup-node	action	major	v4 → 6.4.0
googleapis/release-please-action	action	major	v4 → 5.0.0
pnpm/action-setup	action	major	v4 → 6.0.9

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in #​1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in #​1533

New Contributors

• @​Copilot made their first contribution in #​1525

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in #​1454
• Correct mirror option typos by @​MikeMcC399 in #​1442
• Readme update on checkout version v6 by @​deining in #​1446
• Readme typo fixes @​munyari in #​1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in #​1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in #​1449

New Contributors

• @​mahabaleshwars made their first contribution in #​1454
• @​MikeMcC399 made their first contribution in #​1442
• @​deining made their first contribution in #​1446
• @​munyari made their first contribution in #​1226

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

googleapis/release-please-action (googleapis/release-please-action)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• upgrade to node24 (#​1188)

Features

• upgrade to node24 (#​1188) (46dfc01)

Bug Fixes

• bump release-please from 17.3.0 to 17.6.0 (#​1199) (f533c26)

pnpm/action-setup (pnpm/action-setup)

v6.0.9

Compare Source

What's Changed

• fix: update pnpm to v11.7.0 by @​zkochan in #​267

Full Changelog: pnpm/action-setup@v6...v6.0.9

v6.0.8

Compare Source

What's Changed

• docs(README): fix cache_dependency_path type by @​haines in #​257
• fix: drop patchPnpmEnv so standalone+self-update works on Windows by @​zkochan in #​258
• fix: update pnpm to 11.1.1 by @​mungodewar in #​248

New Contributors

• @​mungodewar made their first contribution in #​248

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

Compare Source

What's Changed

• fix: honor devEngines.packageManager.onFail=error (#​252) by @​zkochan in #​254
• fix: restore inputs from state in post by @​haines in #​255
• fix: self-update bootstrap to packageManager-pinned version (#​233) by @​zkochan in #​256

New Contributors

• @​haines made their first contribution in #​255

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

Compare Source

What's Changed

• fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in #​249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

Compare Source

What's Changed

• fix: append (not prepend) action node dir to PATH for npm bootstrap by @​zkochan in #​241

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

Compare Source

What's Changed

• fix: use npm co-located with the action node binary by @​benquarmby in #​239

New Contributors

• @​benquarmby made their first contribution in #​239

Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4

v6.0.3

Compare Source

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

v6.0.2

Compare Source

What's Changed

• fix: pnpm self-update binary shadowed by bootstrap on PATH by @​oniani1 in #​230

New Contributors

• @​oniani1 made their first contribution in #​230

Full Changelog: pnpm/action-setup@v6.0.1...v6.0.2

v6.0.1

Compare Source

Update pnpm to v11.0.0-rc.2. pnpm-lock.yaml will not be saved with two documents unless the packageManager is set via devEngines.packageManager. Related issue: #​228

v6.0.0

Compare Source

Added support for pnpm v11.

v5.0.0

Compare Source

Updated the action to use Node.js 24.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "on the 15th day of the month before 12pm"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[greptile-apps]

Greptile Summary

This PR updates four GitHub Actions to new major versions across all workflow files, with all actions pinned to full commit SHAs for supply-chain security.

• actions/checkout: pinned SHA resolves to 7.0.0, though the PR description table lists the target as 6.0.3 (with 7.0.0 shown as "Pending") — reviewers should be aware they are actually adopting 7.0.0.
• actions/setup-node (v4→6.4.0) and pnpm/action-setup (v4→6.0.9): both skip intermediate major versions; the explicit cache: pnpm configuration in CI and release workflows is unaffected by the setup-node v6 breaking change, which only limits automatic (packageManager-field) caching to npm.
• googleapis/release-please-action (v4→5.0.0): straightforward upgrade, SHA and version comment are consistent.

Confidence Score: 4/5

Safe to merge once reviewers confirm they intend to adopt actions/checkout 7.0.0 rather than 6.0.3

All changes are GitHub Actions version bumps pinned to full SHA hashes. The only concern is that Renovate's PR description states the actions/checkout target is 6.0.3, but the pinned SHA resolves to 7.0.0 — meaning the team may be inadvertently adopting a version they haven't evaluated. The rest of the upgrades (setup-node 6.4.0, pnpm/action-setup 6.0.9, release-please-action 5.0.0) have consistent SHA/version comments and no functional regressions expected.

ci.yml, release.yml, and socket-tier1-analysis.yml — the actions/checkout SHA in all three resolves to 7.0.0, one major version ahead of what the PR description advertises

Important Files Changed

Filename	Overview
.github/workflows/ci.yml	Bumps actions/checkout (v4→7.0.0), pnpm/action-setup (v4→6.0.9), and actions/setup-node (v4→6.4.0); the checkout SHA resolves to 7.0.0 while the PR description claims 6.0.3
.github/workflows/release-please.yml	Bumps googleapis/release-please-action from v4 to 5.0.0; version and SHA comment match the PR description
.github/workflows/release.yml	Same action version bumps as ci.yml; same actions/checkout 7.0.0 vs 6.0.3 discrepancy applies
.github/workflows/socket-tier1-analysis.yml	Bumps actions/checkout only; same 7.0.0 SHA discrepancy vs the 6.0.3 target in the PR description

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR event] --> B[ci.yml]
    B --> C[checkout v7.0.0]
    C --> D[pnpm-setup v6.0.9]
    D --> E[setup-node v6.4.0 with pnpm cache]
    E --> F[install, lint, format, typecheck, build, test]

    G[release-please.yml] --> H[release-please-action v5.0.0]
    H --> I{release created?}
    I -- yes --> J[release.yml]
    J --> K[checkout v7.0.0]
    K --> L[pnpm-setup v6.0.9]
    L --> M[setup-node v6.4.0 with pnpm cache]
    M --> N[build and publish to npm]

    O[socket-tier1-analysis.yml] --> P[checkout v7.0.0]
    P --> Q[Socket CLI tier-1 scan]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Push / PR event] --> B[ci.yml]
    B --> C[checkout v7.0.0]
    C --> D[pnpm-setup v6.0.9]
    D --> E[setup-node v6.4.0 with pnpm cache]
    E --> F[install, lint, format, typecheck, build, test]

    G[release-please.yml] --> H[release-please-action v5.0.0]
    H --> I{release created?}
    I -- yes --> J[release.yml]
    J --> K[checkout v7.0.0]
    K --> L[pnpm-setup v6.0.9]
    L --> M[setup-node v6.4.0 with pnpm cache]
    M --> N[build and publish to npm]

    O[socket-tier1-analysis.yml] --> P[checkout v7.0.0]
    P --> Q[Socket CLI tier-1 scan]

Loading

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/ci.yml:16
**`actions/checkout` pinned to `7.0.0`, not `6.0.3` as described**

The PR description's table lists the target version for `actions/checkout` as `6.0.3` (with `7.0.0` as "Pending"), but the SHA `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` corresponds to `7.0.0` per the inline comment. Renovate appears to have updated the pinned SHA after generating the PR description. The same discrepancy exists in `release.yml` and `socket-tier1-analysis.yml`. This means merging this PR will actually adopt `actions/checkout@7.0.0`, not `6.0.3` — reviewers should evaluate the `7.0.0` changelog (not just `6.0.3`) before approving.

_{Reviews (3): Last reviewed commit: "chore(deps): update github actions major" | Re-trigger Greptile}

[greptile-apps]

actions/checkout pinned to 7.0.0, not 6.0.3 as described

The PR description's table lists the target version for actions/checkout as 6.0.3 (with 7.0.0 as "Pending"), but the SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 corresponds to 7.0.0 per the inline comment. Renovate appears to have updated the pinned SHA after generating the PR description. The same discrepancy exists in release.yml and socket-tier1-analysis.yml. This means merging this PR will actually adopt actions/checkout@7.0.0, not 6.0.3 — reviewers should evaluate the 7.0.0 changelog (not just 6.0.3) before approving.

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/ci.yml
Line: 16

Comment:
**`actions/checkout` pinned to `7.0.0`, not `6.0.3` as described**

The PR description's table lists the target version for `actions/checkout` as `6.0.3` (with `7.0.0` as "Pending"), but the SHA `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` corresponds to `7.0.0` per the inline comment. Renovate appears to have updated the pinned SHA after generating the PR description. The same discrepancy exists in `release.yml` and `socket-tier1-analysis.yml`. This means merging this PR will actually adopt `actions/checkout@7.0.0`, not `6.0.3` — reviewers should evaluate the `7.0.0` changelog (not just `6.0.3`) before approving.

How can I resolve this? If you propose a fix, please make it concise.