chore: bump actions/setup-node from v4.4.0 to v6.4.0 (Node.js 24)

[ant-kurt]

Bumps base-action's actions/setup-node v4.4.0 → v6.4.0. v4 runs on the deprecated Node 20 action runtime and triggers a deprecation warning on every run; v6 runs on Node 24. (Companion to #1183, which covered setup-bun.)

Also adds package-manager-cache: false: setup-node v5+ auto-enables caching when the target repo's package.json has a packageManager field, which would activate in user repos even with use_node_cache=false (and can fail without a lockfile). This keeps caching opt-in, exactly as in v4.

🤖 Generated with Claude Code

[claude]

LGTM — the v6.4.0 SHA pin matches the official tag and the package-manager-cache: false addition addresses the auto-caching regression I flagged earlier, keeping caching opt-in via use_node_cache.

Extended reasoning...

Overview

This PR is a two-line change to base-action/action.yml: it bumps the SHA-pinned actions/setup-node from v4.4.0 to v6.4.0 (moving off the deprecated Node 20 action runtime) and adds package-manager-cache: false to the step's with: block. I verified the pinned commit 48b55a01... resolves to the official v6.4.0 tag in actions/setup-node.

Security risks

None introduced. The action remains pinned to a full commit SHA from the first-party actions/setup-node repository, which matches the published release tag, so there is no supply-chain or tag-mutation exposure beyond what already existed. No secrets, permissions, or auth paths are touched.

Level of scrutiny

The file is the entry point for all consumers of the base action, so behavioral regressions matter. The one known behavioral change in setup-node v5+/v6 — auto-enabling package-manager caching from the consumer repo's packageManager field, which I flagged in a prior review run — is explicitly neutralized by package-manager-cache: false, preserving the existing use_node_cache opt-in contract exactly as in v4. The remaining change is the action runtime moving from Node 20 to Node 24, which is the forced migration GitHub is driving via deprecation warnings; the installed Node version for the workflow (NODE_VERSION || '18.x') is unaffected.

Other factors

The bug hunting system found no issues on this revision, and my earlier inline comment has been addressed by the diff itself. The change mirrors the established pattern from the companion setup-bun bump (#1183): SHA-pinned upgrade with a release-tag comment. Given the small, mechanical scope and that the only known regression vector is mitigated, this is safe to approve.

[claude]

LGTM — the v6.4.0 SHA pin is verified against the upstream tag, and the auto-caching concern from the earlier review is resolved by the explicit package-manager-cache: false.

Extended reasoning...

Overview

This PR touches a single file, base-action/action.yml, bumping the pinned actions/setup-node from v4.4.0 to v6.4.0 and adding package-manager-cache: false to the step's with: block. I verified that the pinned commit 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e matches the upstream v6.4.0 tag in actions/setup-node, so the SHA pin is genuine.

Security risks

Minimal. The action remains pinned to a full commit SHA of an official GitHub-maintained action, which preserves supply-chain integrity. No secrets, permissions, or auth flows are touched. The main behavioral risk of the v5+/v6 line — auto-enabled npm caching driven by the consumer repo's packageManager field, which could fail workflows lacking a lockfile — is explicitly disabled via package-manager-cache: false, keeping caching gated solely by the existing use_node_cache input as in v4.

Level of scrutiny

Low-to-moderate: it's a dependency version bump in a composite action used by downstream consumers, so behavior-preservation matters, but the diff is two lines and the only known behavior change in the new major versions (auto package-manager caching) is neutralized. The earlier review feedback on this exact issue was addressed on the PR head, and the inline thread is resolved.

Other factors

The bug hunting system found no issues on the current revision. The change follows the same pattern as the prior setup-bun bump (#1183) and aligns with the repo's existing convention of SHA-pinned actions with version-tag comments. Node 18.x remains the installed runtime version; only the action's own execution runtime moves to Node 24, which is the stated goal of removing the deprecation warning.