⬆️ ci: Bump actions/setup-node from 4 to 6

[dependabot]

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in actions/setup-node#1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in actions/setup-node#1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in actions/setup-node#1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-node#1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-node#1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-node#1345

New Contributors

• @​priya-kinthali made their first contribution in actions/setup-node#1348
• @​salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
• 8e49463 Fix README typo (#1226)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

Notas de Lançamento

• Chores
  • Atualizado o workflow de integração contínua para usar a versão mais recente da ferramenta de configuração do ambiente Node.js, melhorando a compatibilidade e segurança do pipeline de CI/CD.

[dependabot]

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[coderabbitai]

📝 Walkthrough

Walkthrough

O workflow de CI/CD (.github/workflows/ci.yml) é atualizado para usar actions/setup-node@v6 em vez de @v4 nos quatro jobs que configuram o Node.js: lint-and-typecheck, test, build e security. O restante do pipeline permanece inalterado.

Changes

Atualização do setup-node para v6

Layer / File(s)	Resumo
Atualização de versão do setup-node em todos os jobs .github/workflows/ci.yml	A ação actions/setup-node é atualizada de @v4 para @v6 nos quatro jobs do workflow de CI/CD: lint-and-typecheck, test, build e security.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~3 minutos

Possibly Related PRs

• adm01-debug/Promo_Gifts#197: Ambos os PRs modificam diretamente o .github/workflows/ci.yml ao ajustar a versão do actions/setup-node no mesmo ponto do workflow.
• adm01-debug/Promo_Gifts#201: Ambos os PRs modificam o arquivo .github/workflows/ci.yml alterando versões do actions/setup-node nos mesmos jobs de CI.

Poem

🐰 Uma ação de setup-node, de v4 para v6
Quatro jobs alinhados, tudo perfeito, sem qualquer aperto,
O workflow respira fundo e segue seu percurso,
Modernização simples, mas sempre bem-vindo! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	O título está totalmente relacionado às mudanças no changeset, descrevendo claramente o principal objetivo: atualizar a action 'actions/setup-node' da versão 4 para 6.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

33-33: 🏗️ Heavy lift

Considere fixar as ações usando commit SHAs para maior segurança.

A ferramenta de análise estática detectou que as ações não estão fixadas em hashes de commit. Fixar ações em commit SHAs específicos (por exemplo, actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 em vez de @v6) protege contra ataques de manipulação de tags e garante imutabilidade.

Esta é uma prática recomendada para hardening de segurança em pipelines de CI/CD, especialmente para repositórios que lidam com dados sensíveis ou requerem conformidade rigorosa.

Also applies to: 61-61, 94-94, 140-140

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 33, Replace floating tags with pinned
commit SHAs for the GitHub Actions usages flagged (e.g., change uses:
actions/setup-node@v6 to the equivalent commit SHA form like
actions/setup-node@<commit-sha>); locate every occurrence of the uses:
actions/setup-node@v6 (and other unsecured uses: lines reported) and update them
to the exact commit SHA for that action release, verifying the SHA on the
action's GitHub repo and updating any other similar uses: entries flagged in the
file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 33: Replace floating tags with pinned commit SHAs for the GitHub Actions
usages flagged (e.g., change uses: actions/setup-node@v6 to the equivalent
commit SHA form like actions/setup-node@<commit-sha>); locate every occurrence
of the uses: actions/setup-node@v6 (and other unsecured uses: lines reported)
and update them to the exact commit SHA for that action release, verifying the
SHA on the action's GitHub repo and updating any other similar uses: entries
flagged in the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2edd69b4-a944-4513-89a6-434aa9aae2ef

📥 Commits

Reviewing files that changed from the base of the PR and between c37dcf6 and 884d506.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.