chore(deps): bump the all-actions group with 2 updates

[dependabot]

Bumps the all-actions group with 2 updates: pnpm/action-setup and actions/setup-node.

Updates pnpm/action-setup from 6 to 6.0.3

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.3

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

v6.0.2

What's Changed

• fix: pnpm self-update binary shadowed by bootstrap on PATH by @​oniani1 in pnpm/action-setup#230

New Contributors

• @​oniani1 made their first contribution in pnpm/action-setup#230

Full Changelog: pnpm/action-setup@v6.0.1...v6.0.2

v6.0.1

Update pnpm to v11.0.0-rc.2. pnpm-lock.yaml will not be saved with two documents unless the packageManager is set via devEngines.packageManager. Related issue: pnpm/action-setup#228

Commits

• 1e1c8ea ci: pin github actions (#199)
• b9e1dbc fix(ci): exclude macos (#197)
• 61bc82c refactor: remove star imports (#196)
• e94b270 feat: store caching (#188)
• ee7b871 Clarify that package_json_file is relative to GITHUB_WORKSPACE (#184)
• 3a0024f Remove unused @types/node-fetch dependency (#186)
• 72f0451 Update README.md (#175)
• 41ff726 feat: support installation from custom NPM registry (#179)
• f2b2b23 Remove --frozen-lockfile from examples (#171)
• 77504a5 Fix multiline run_install example in README.md (#167)
• Additional commits viewable in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
nonda-web	Ready	Preview, Comment	May 14, 2026 4:35pm

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

[Riku10145]

サプライチェーン / 実装影響レポート

Claude が PR の diff・対象 Action のリリース情報・利用箇所を確認した結果。

影響箇所

.github/workflows/ci.yml (lint job / typecheck job の 2 箇所) と .github/workflows/deploy-api.yml の合計 3 ステップで pnpm/action-setup と actions/setup-node を呼んでおり、本 PR でそれぞれ以下に更新される。

Action	変更前	変更後	種別
pnpm/action-setup	@v6 (major tag)	@v6.0.3 (patch pin)	実質的に セキュリティ強化
actions/setup-node	@v6.3.0	@v6.4.0	minor 相当の patch tag bump

サプライチェーン攻撃リスク評価

総合: 低。むしろ現状より少し安全になる。

• ✅ pnpm/action-setup の major tag → patch tag 化: @v6 のような major エイリアスはメンテナが任意のコミットへ再付替えできるため、コミット履歴が静かに差し替えられるリスクがある(tj-actions/changed-files 事案と同種の懸念)。本 PR で @v6.0.3 に固定されるのは前進。
• ⚠ 更に固めるなら SHA pinning: GitHub の OpenSSF 推奨は @<full-commit-sha> でのピン留め。本 PR 後でも @v6.0.3 タグは差し替え可能なので、よりハードに固めるなら別 PR で pnpm/action-setup@1e1c8ea... # v6.0.3 形式を検討可能(自プロジェクトでは過剰運用になり得るので任意)。
• ⚠ actions/setup-node@v6.4.0 の release contributor に @Copilot (bot): 1 件目の PR (Upgrade @actions dependencies actions/setup-node#1525) が Copilot による依存更新。生成 AI 由来の変更を Microsoft/actions 組織のレビューを経て merge した形で、actions 公式組織の管理下にあるため健全。2 件目 (#1533) はメンテナ priya-kinthali による Node.js バージョン表更新。
• ✅ いずれも公式ベンダー(pnpm 組織 / actions 組織)管理下で、フィッシング/タイポスクワッティングの余地はなし。

実装への影響

• ランタイム / アプリコードへの影響: なし (CI のみ)
• pnpm/action-setup@v6.0.3 は pnpm 11.0.0-rc.5 バンドル。ただし本リポジトリの package.json は packageManager: "pnpm@10.33.2" を宣言しているため、action は packageManager を尊重して 10.33.2 をインストールする(README 仕様どおり)。挙動は変わらない見込み。
• actions/setup-node@v6.4.0 の変更は内部依存更新 + Node.js バージョン表更新のみ。node-version: lts/* の解決結果が新しい LTS マイナーを指す可能性があるが、本リポジトリは型/lint/test/wrangler deploy のみで Node 固有の機能を踏むコードはなし。

推奨アクション

1. CI(ci.yml)が緑であることを確認。deploy-api.yml は手動トリガなのでマージ後の初回 deploy 時に注意。
2. 余裕があれば後追いで SHA pinning に切り替える PR を起こすと、Action タグ差し替え攻撃への耐性をさらに上げられる。
3. このまま merge して問題なし。

---

Generated by Claude Code