chore(deps): update actions/setup-node action to v6 #268

Merged: kodiakhq[bot] merged 2 commits into main from renovate/actions-setup-node-6.x on Oct 20, 2025
@renovate renovate Bot commented Oct 16, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-node | action | major | v5.0.0 -> v6.0.0 |

Release Notes

actions/setup-node (actions/setup-node)

v6.0.0

Compare Source

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0


Configuration

📅 Schedule: Branch creation - "before 4am on Thursday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by mheob. View repository job log here

vercel Bot commented Oct 16, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| tsg-irlich-web | Ready | Preview | Comment | Oct 20, 2025 11:35am |
| tsg-irlich-web-studio | Ready | Preview | Comment | Oct 20, 2025 11:35am |

coderabbitai Bot commented Oct 16, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

claude Bot commented Oct 16, 2025

Pull Request Review: Update actions/setup-node to v6

Summary

This PR updates actions/setup-node from v5.0.0 to v6.0.0 in the CI workflow. The change is minimal (one line) but includes a breaking change that needs consideration.


✅ Code Quality & Best Practices

  • Good: Proper use of commit SHA pinning (2028fbc5c25fe9cf00d9f06a71cc4710d4507903) for security
  • Good: Inline comment preserves version number for easy reference
  • Good: Conventional commit format follows project standards

⚠️ Breaking Changes & Compatibility

Key Breaking Change in v6.0.0:
According to the release notes, v6 limits automatic caching to npm only. Previously, the action supported automatic caching for pnpm, yarn, and npm.

Impact on this project:

  • This workflow uses cache: pnpm parameter (line 24)
  • The explicit cache: pnpm parameter should still work as it's explicitly configured
  • However, this is a behavioral change that requires testing

Recommendation:
This PR should be safe to merge, but verify that:

  1. The CI workflow runs successfully with pnpm caching
  2. Build times don't significantly increase (indicating cache not working)
  3. The cache restore/save steps complete as expected in the workflow logs

🔒 Security

  • ✅ Using commit SHA for action version is security best practice
  • ✅ No security concerns introduced by this change

🚀 Performance

  • ✅ Cache configuration is preserved (cache: pnpm)
  • ℹ️ Monitor first runs after merge to ensure caching works correctly
  • ℹ️ If caching breaks, may see slower CI times (should restore from pnpm cache)

📋 Testing Checklist

Before merging, verify in the CI run logs:

  • Workflow completes successfully
  • Cache is properly restored (look for "Cache restored successfully" message)
  • Build time is comparable to previous runs
  • No warnings about unsupported cache type

🎯 Verdict

LGTM with monitoring - The change looks good to merge. The explicit cache: pnpm parameter should continue to work despite the breaking change to automatic detection. Just monitor the first few CI runs to ensure caching behaves as expected.

If pnpm caching stops working after this update, we can:

  1. Manually set up caching using actions/cache
  2. Switch to pnpm/action-setup cache capabilities
  3. Report the issue to the actions/setup-node repository

Review generated with Claude Code

claude Bot commented Oct 20, 2025

PR Review: Update actions/setup-node to v6

Summary

This PR updates actions/setup-node from v5.0.0 to v6.0.0. While the change itself is straightforward, there is a critical breaking change that affects this repository.


⚠️ Critical Issue: Breaking Change with pnpm Caching

Problem: According to the release notes, v6.0.0 includes a breaking change: "Limit automatic caching to npm" (#1374).

Impact: The workflow currently uses:

- name: Use Node.js
  uses: actions/setup-node@v6.0.0
  with:
    cache: pnpm  # ⚠️ This may no longer work as expected
    node-version-file: .nvmrc

Location: .github/workflows/check.yml:22-25

Recommendation: Since this repository uses pnpm (as specified in the project setup), you should:

  1. Test the workflow after merging to ensure pnpm caching still works properly
  2. Alternative approach: Consider using the dedicated pnpm/action-setup@v4 caching mechanism instead, which already appears earlier in the workflow (line 19). The pnpm action has built-in caching support that may be more reliable.
  3. Monitor CI performance: Watch for any increase in dependency installation time, which would indicate caching is not working

✅ Positive Aspects

  1. Security: Using commit SHA (2028fbc5c25fe9cf00d9f06a71cc4710d4507903) instead of tag reference is excellent security practice - prevents tag manipulation attacks
  2. Automated updates: Renovate bot keeps dependencies current automatically
  3. Minimal change: Single line change reduces risk of introducing bugs
  4. Version comment: Inline comment # v6.0.0 maintains human readability

📋 Additional Checks

Consistency: I verified that this is the only usage of actions/setup-node in the repository (checked all workflow files). ✓

No other workflows affected: Only .github/workflows/check.yml uses this action. ✓


🎯 Recommendation

Before merging:

  • ⚠️ Be prepared to monitor the first CI run after merging for potential caching issues
  • Consider explicitly testing if pnpm cache still works, or switch to relying on pnpm/action-setup@v4's caching

After merging:

  • Watch the workflow run time to ensure caching is functioning properly
  • If caching breaks, you may need to remove the cache: pnpm parameter or implement an alternative caching strategy

Overall Assessment

The code change itself is technically correct and follows security best practices. However, due to the breaking change in v6 regarding non-npm package manager caching, this PR should be merged with caution and monitored closely.

Verdict: ⚠️ Approve with monitoring - Safe to merge, but verify caching works in the first run.


🤖 Generated with Claude Code

claude Bot commented Oct 20, 2025

PR Review: Update actions/setup-node to v6

Summary

This PR updates the actions/setup-node GitHub Action from v5.0.0 to v6.0.0 in the CI workflow. The change is minimal and focused, but there are important considerations regarding the breaking changes in v6.


Code Quality & Best Practices ✅

Positives:

  • ✅ Properly pinned commit SHA for security (2028fbc5c25fe9cf00d9f06a71cc4710d4507903)
  • ✅ Maintains version comment # v6.0.0 for readability
  • ✅ Follows repository's practice of using SHA-pinned actions
  • ✅ Generated by Renovate with proper automation setup

Potential Issues ⚠️

Breaking Change Alert:

The v6.0.0 release contains a breaking change regarding automatic caching:

"Limit automatic caching to npm" - PR #1374

Current Configuration:

- uses: actions/setup-node@v6.0.0
  with:
    cache: pnpm  # ✅ Explicitly specified
    node-version-file: .nvmrc

Impact Analysis:
No impact on this repository - You're already explicitly specifying cache: pnpm, so the workflow will continue to work correctly. The breaking change only affects workflows that relied on automatic cache detection without the cache parameter.

Recommendation:

  • ✅ Safe to merge as-is
  • The explicit cache: pnpm configuration protects you from the breaking change
  • This is actually following best practices by being explicit rather than relying on automatic detection

Performance Considerations ✅

Positive:

  • Maintains pnpm caching, so no performance regression expected
  • The cache: pnpm parameter ensures dependency caching continues to work
  • Build times should remain consistent

Security Concerns ✅

Positives:

  • ✅ SHA-pinned action prevents supply chain attacks
  • ✅ Renovate's automated update with the curated preset provides timely security updates
  • ✅ v6.0.0 includes dependency upgrades (prettier 2.8.8 → 3.6.2, ts-jest 29.1.2 → 29.4.1)

Note: Using commit SHAs instead of tags is a security best practice, and this PR maintains that pattern.


Verification Steps

Before merging, verify that:

  1. ✅ The CI workflow completes successfully with pnpm caching working
  2. ✅ Build times are comparable to previous runs
  3. ✅ No cache-related warnings appear in the workflow logs

Conclusion

✅ LGTM - Safe to merge

This is a straightforward dependency update with no negative impact. The workflow is already protected from the v6 breaking change by explicitly specifying cache: pnpm. The SHA-pinning and automated Renovate updates demonstrate good DevOps practices.

Confidence Level: High - No code changes required.

claude Bot commented Oct 20, 2025

PR Review: Update actions/setup-node to v6

Summary

This PR updates actions/setup-node from v5.0.0 to v6.0.0 in the GitHub Actions workflow. The change is minimal (1 addition, 1 deletion) and appears to be a Renovate-automated dependency update.

✅ Code Quality & Best Practices

  • Good: The PR uses commit SHA pinning with version comments (# v6.0.0) which is a security best practice for GitHub Actions
  • Good: The workflow configuration correctly specifies cache: pnpm which aligns with the project's package manager
  • Good: Uses .nvmrc for Node.js version management, ensuring consistency across environments

⚠️ Breaking Changes to Review

According to the release notes, v6.0.0 introduces a breaking change:

"Limit automatic caching to npm, update workflows and documentation"

Impact Assessment: ✅ No Issues

  • Your workflow explicitly uses cache: pnpm (line 24 of check.yml)
  • The breaking change only affects workflows that rely on automatic cache detection without explicit configuration
  • Since you're explicitly specifying the cache type, this change will not affect your setup

🔒 Security

  • Good: Commit SHA pinning (2028fbc5c25fe9cf00d9f06a71cc4710d4507903) prevents supply chain attacks
  • Verified: The commit SHA corresponds to the official v6.0.0 tag from actions/setup-node

⚡ Performance

  • No performance concerns; dependency upgrades in setup-node v6 may include minor improvements
  • Caching behavior remains unchanged for your explicit pnpm configuration

🐛 Potential Issues

None identified. The update is straightforward and safe.

✅ Compatibility Check

  • ✅ Project uses pnpm@10.18.3 - fully supported by setup-node v6
  • ✅ Project requires Node.js ^22.20.0 - compatible with setup-node v6
  • ✅ Explicit cache configuration prevents breaking change issues
  • ✅ No other workflows need updating (only workflow using setup-node)

📋 Recommendations

  1. Merge with confidence - This is a safe upgrade
  2. Monitor the first CI run after merge to confirm caching works as expected
  3. Consider enabling Renovate's automerge for patch/minor action updates if you trust the automated process

Final Verdict

✅ APPROVED - This PR is safe to merge. The breaking change in v6.0.0 does not affect this repository due to explicit cache configuration.

renovate Bot commented Oct 20, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

claude Bot commented Oct 20, 2025

PR Review: Update actions/setup-node to v6

Summary

This PR updates actions/setup-node from v5.0.0 to v6.0.0 in the CI workflow. Overall, this is a safe and recommended update with one important consideration.


✅ What's Good

  1. Security & Maintenance: Using pinned commit SHA (2028fbc5c25fe9cf00d9f06a71cc4710d4507903) is excellent security practice - prevents supply chain attacks while maintaining version clarity with the comment.

  2. Breaking Change is Compatible: The major breaking change in v6 (limiting automatic caching to npm only) does not affect this project because:

    • The workflow explicitly specifies cache: pnpm in the action configuration (.github/workflows/check.yml:24)
    • Explicit cache configuration overrides the default behavior
    • pnpm is still supported, just no longer auto-detected
  3. Configuration Correct: The workflow properly uses:

    • node-version-file: .nvmrc pointing to Node.js 22.20.0
    • Explicit cache: pnpm configuration
    • pnpm is installed before setup-node runs

📋 Observations

No Issues Found

The change is minimal (1 line), well-scoped, and properly configured. The workflow will continue to function correctly with pnpm caching.

Related Files Not Affected:

  • .github/workflows/sonar.yml doesn't use setup-node
  • .github/workflows/claude-code-review.yml (this workflow) doesn't use setup-node

🎯 Recommendation

APPROVE - This PR is safe to merge.

The update brings dependency freshness and the workflow configuration is fully compatible with the breaking changes introduced in v6.


Review completed by Claude Code 🤖
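
Several of the reviews above credit the commit-SHA pin (with its `# v6.0.0` comment) as the supply-chain control in this change. As an added example, not part of the PR thread or the repository's code, this Python check flags `uses:` references in a workflow that are not pinned to a full 40-character commit SHA; the names `audit_uses` and `unpinned` and the sample workflow are hypothetical and constructed for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref  # optional comment" in a workflow step.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<target>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Return (line_no, target, verdict) for every `uses:` reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group("target")
        comment = (match.group("comment") or "").strip()
        _, _, ref = target.partition("@")
        if target.startswith("./"):
            verdict = "local"  # lives in this repository, versioned with it
        elif FULL_SHA_RE.match(ref):
            # A full commit SHA is immutable; the comment keeps it readable.
            verdict = "pinned" if comment else "pinned-no-version-comment"
        else:
            verdict = "mutable-ref"  # a tag or branch can be re-pointed later
        findings.append((line_no, target, verdict))
    return findings

def unpinned(workflow_text):
    """References a CI gate should reject."""
    return [f for f in audit_uses(workflow_text) if f[2] == "mutable-ref"]

# Constructed sample workflow (not the repository's real check.yml); only the
# setup-node SHA and its "# v6.0.0" comment are taken from the page.
SAMPLE = """\
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          cache: pnpm
          node-version-file: .nvmrc
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_uses(SAMPLE):
        print(finding)
```

A check like this only confirms the reference is immutable; whether the SHA actually corresponds to the intended release still has to be verified against the upstream repository.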

@kodiakhq kodiakhq Bot merged commit c9fa3f5 into main Oct 20, 2025
12 checks passed
@kodiakhq kodiakhq Bot deleted the renovate/actions-setup-node-6.x branch October 20, 2025 12:04