chore(ci): bump actions/setup-node from 4.4.0 to 6.4.0#79

Merged
justin-layerv merged 4 commits into main from dependabot/github_actions/actions/setup-node-6.4.0 on Apr 29, 2026
@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps actions/setup-node from 4.4.0 to 6.4.0.

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

What's Changed

Documentation

Dependency updates:

New Contributors

... (truncated)

Commits

@dependabot dependabot Bot added the dependencies Dependencies label Apr 20, 2026

dependabot Bot commented on behalf of github Apr 20, 2026

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


github-actions Bot commented Apr 20, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| actions/actions/setup-node | 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e | 🟢 5.7 | Details (expanded below) |

Details

| Check | Score | Reason |
|---|---|---|
| Maintained | 🟢 6 | 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |

Scanned Files

  • .github/workflows/discord.yml

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-node-6.4.0 branch 2 times, most recently from 57f85f6 to 5421ca1 Compare April 21, 2026 05:48
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@49933ea...48b55a0)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-node-6.4.0 branch from 5421ca1 to 483ab11 Compare April 21, 2026 05:49

claude Bot commented Apr 23, 2026

Review

Clean Dependabot bump — single-line change in .github/workflows/discord.yml, SHA-pinned with matching # v6.4.0 comment. Nothing to flag on code quality, bugs, performance, or test coverage (no app code touched).

Security

  • ✅ SHA pinning preserved (48b55a0…). I verified the SHA matches v6.4.0 on actions/setup-node.
  • ✅ No secrets or permission changes in this workflow step.

Notes on the jump from v4 → v6 (worth a quick sanity check before merging):

  • v5 dropped Node 16 support and changed partial-cache-hit behavior. Since this workflow reads the version from apps/discord/.nvmrc, make sure that file pins a version >= 18. If it's on 16, CI will break.
  • v6 bumped the internal actions/checkout dep to v6 and made minor changes to the always-auth registry configuration. The cache: 'npm' + cache-dependency-path usage here is unchanged and still supported.
  • v6.3.0 added devEngines parsing for node-version-file: package.json. Not applicable here (we use .nvmrc), so no behavior change.

Recommendation
Approve once the discord job passes green on this PR — that's the full signal that the Node version in .nvmrc is still compatible with v6. No other apps use setup-node, so blast radius is limited to the discord workflow.


🤖 Generated with Claude Code


claude Bot commented Apr 27, 2026

Review — chore(ci): bump actions/setup-node from 4.4.0 to 6.4.0

Tiny, well-scoped Dependabot bump. One-line change in .github/workflows/discord.yml swapping the actions/setup-node SHA. Recommending approve with a couple of notes.

What looks good

  • SHA pinning preserved. 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e is the v6.4.0 release commit (matches Update Node.js versions in versions.yml and bump package to v6.4.0 actions/setup-node#1533), and the trailing # v6.4.0 comment was updated to match — keeps the supply-chain hardening intact.
  • Only consumer updated. actions/setup-node is referenced exactly once across .github/workflows/ (just discord.yml), so no sibling workflows are left behind on the older pin.
  • Real validation passed. The discord: Build and Test job — the only one that actually exercises this action — completed successfully on this PR, including the node-version-file: apps/discord/.nvmrc + cache: 'npm' path that's most affected by setup-node internals.
  • No code/runtime impact. Pure CI dependency bump; nothing in apps/, shared/, or Go sources is touched, so the linting/test-coverage rules from CLAUDE.md don't apply.

Worth a quick look before merging

  1. Major version jump v4 → v6 (skips v5). Skim of the release notes between v4.4.0 and v6.4.0 surfaces two changes worth being aware of, neither of which should affect this usage but are good to confirm:

    • v6.0: bumped Node runtime under the hood; no input-shape changes.
    • v6.3: when using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node. This PR uses .nvmrc, so unaffected — but worth knowing if anyone later flips the input over to package.json.
    • v5.0: removed the deprecated always-auth input. Not used in discord.yml, so safe.
  2. Failing check: Dependency Age Check (Actions). Not blocking the build job, but it's red on this PR. Worth a glance — if it's flagging a different action (not setup-node) as stale, this PR isn't the cause and can merge; if it's complaining about the new pin's age (unlikely — v6.4.0 is recent), that's a config issue in the age-check workflow itself, not this bump.

  3. Out of scope but noting: this repo's CI mostly pins by SHA; a couple of other dependabot bumps for sibling actions may be queued. Merging this in isolation is fine — just calling out that a periodic sweep keeps the age-check workflow happy.

Verdict

LGTM. Low-risk CI hygiene change, the build job that uses the action passes, and the SHA-pin discipline is preserved. Recommend merging once the unrelated age-check failure is triaged (or confirmed unrelated).


claude Bot commented Apr 27, 2026

Review: Dependabot bump actions/setup-node v4.4.0 → v6.4.0

LGTM. Low-risk, scoped change.

What I checked:

  • Diff is one line in .github/workflows/discord.yml; the SHA 48b55a0 matches the upstream v6.4.0 tag, and the comment is updated to # v6.4.0 in lockstep with the SHA (good — keeps the pin auditable).
  • This is the only actions/setup-node reference in the repo (grep of .github/), so no other workflows need a matching bump.
  • apps/discord/.nvmrc pins Node 22.21.0, which is fully supported by setup-node v6.x.

Notes (non-blocking):

  • This is a major version jump (v4 → v6). The two breaking changes worth being aware of:
    • v6 runs on Node 24 runtime (action internals only — does not affect the Node version installed for the project).
    • v6.3.0 added support for parsing the devEngines.runtime field in package.json and now prefers it over engines.node when node-version-file: package.json is used. Not a concern here since the workflow points at .nvmrc, not package.json.
  • No code, test, or security-surface changes — CI passing is sufficient signal.

Approving on merge once green.

@justin-layerv justin-layerv merged commit dc33c58 into main Apr 29, 2026
23 checks passed
@justin-layerv justin-layerv deleted the dependabot/github_actions/actions/setup-node-6.4.0 branch April 29, 2026 19:07
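
The pin checks described in the reviews above (full-SHA pin, version comment kept next to the SHA, no sibling workflow left on a different pin) can be automated over the workflow files. This is an added example, not code from this repository or from actions/setup-node; the second workflow file, the `example-org/example-action` name and its SHA are constructed sample input.

```python
import re

# A step's `uses:` line: owner/repo[/path]@ref plus an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

def audit_pins(workflows):
    """Return sorted (file, line, action, problem) tuples; `workflows` maps path -> YAML text."""
    findings, shas_by_action = [], {}
    for path, text in workflows.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, comment = m["action"], m["ref"], m["comment"]
            if not FULL_SHA_RE.match(ref):  # tag or branch: upstream can move it
                findings.append((path, line_no, action, f"mutable ref '{ref}'"))
                continue
            shas_by_action.setdefault(action, {}).setdefault(ref, []).append((path, line_no))
            if not comment or not VERSION_RE.match(comment):
                findings.append((path, line_no, action, "SHA pin lacks a version comment"))
    # The same action pinned to different SHAs means a workflow was left behind.
    for action, shas in shas_by_action.items():
        if len(shas) > 1:
            for path, line_no in (loc for locs in shas.values() for loc in locs):
                findings.append((path, line_no, action, "pinned to differing SHAs"))
    return sorted(findings)

# Constructed sample input. Only the setup-node SHA and its input come from this page.
SAMPLE = {
    ".github/workflows/discord.yml": (
        "steps:\n"
        "  - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0\n"
        "    with:\n"
        "      node-version-file: apps/discord/.nvmrc\n"
    ),
    ".github/workflows/hypothetical.yml": (  # hypothetical second workflow
        "steps:\n"
        "  - uses: actions/setup-node@v4\n"
        "  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567\n"
    ),
}

if __name__ == "__main__":
    print(*audit_pins(SAMPLE), sep="\n")
```

The check confirms only the form of each pin; whether a SHA really corresponds to the tag named in its comment still has to be verified against the upstream repository.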