chore(deps): update actions/setup-node action to v6 #182
renovate[bot] wants to merge 1 commit into main from
fb6d7b0 to 5ae4e5b
5ae4e5b to 3888e7a
3888e7a to 87a8c0a
87a8c0a to 9b5cfcd
| - uses: actions/checkout@v5 | ||
| - run: corepack enable | ||
| - uses: actions/setup-node@v5 | ||
| - uses: actions/setup-node@v6 |
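Review bot: The added line actions/setup-node@v6 references a major-version tag, and a tag can be moved to a different commit after this change is merged, so two runs of this workflow are not guaranteed to execute the same action code. The context line actions/checkout@v5 has the same property. Suggest pinning both to a full-length commit SHA with the release named in a trailing comment, and letting Renovate update the SHA and the comment together.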
| - uses: actions/setup-node@v6 | |
| - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 |
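Review bot: The trailing comment on the replacement line says v6.1.0, while the PR description lists this update as v5.0.0→v6.2.0. Before applying the suggestion, confirm which release the SHA 395ad3262231945c25e8478fd5baf05154b1d79f belongs to, and decide whether this workflow should keep the pin already used in ci.yml or move to the release this PR targets. The SHA and its comment should always name the same release.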
The actions/setup-node action is using a floating version tag (@v6) instead of a pinned commit hash, which is inconsistent with the approach used in ci.yml and introduces non-deterministic workflow behavior.
Analysis
Inconsistent GitHub Actions version pinning in playwright.yml
What fails: .github/workflows/playwright.yml line 21 uses a floating version tag actions/setup-node@v6 instead of a pinned commit hash, inconsistent with ci.yml which uses actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
How to reproduce: Examine the workflow files:
ci.yml: Uses pinned commit hash format for all actions (e.g., actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0)
playwright.yml: Line 21 uses floating tag actions/setup-node@v6
Result: Floating version tags resolve to the latest matching release at workflow runtime, causing non-deterministic behavior where different workflow runs may execute different patch versions of the action.
Expected: All workflows should use pinned commit hashes per GitHub's official security recommendation that "pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release." This prevents tag mutation attacks and ensures reproducible CI runs.
Fix applied: Updated line 21 to use the same pinned commit hash as ci.yml: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
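The inconsistency described in the comment above can be checked mechanically. The following is an added example, not part of this PR or of either bot's output: a small auditor that flags every uses: reference not pinned to a full-length commit SHA. The function name audit_workflow and the two workflow snippets are assumptions, with the snippets constructed from lines quoted on this page.

```python
import re

# A `uses:` step or job key: captures the reference and any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample inputs, built only from lines quoted on this page.
PLAYWRIGHT_YML = """\
steps:
  - uses: actions/checkout@v5
  - run: corepack enable
  - uses: actions/setup-node@v6
"""
CI_YML = """\
steps:
  - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
"""

def audit_workflow(name, text):
    """Return (file, line, reference, problem) for each `uses:` lacking a full SHA pin."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not resolved through a git ref.
        if ref.startswith(("./", "docker://")):
            continue
        _, sep, git_ref = ref.rpartition("@")
        if not sep:
            findings.append((name, line_no, ref, "no ref given"))
        elif not FULL_SHA_RE.match(git_ref):
            findings.append((name, line_no, ref, "not a full-length commit SHA: " + git_ref))
        elif not comment:
            findings.append((name, line_no, ref, "pinned, but no version comment"))
    return findings

if __name__ == "__main__":
    for name, text in (("playwright.yml", PLAYWRIGHT_YML), ("ci.yml", CI_YML)):
        for finding in audit_workflow(name, text):
            print("%s:%d: %s (%s)" % finding)
```

Run over every file in .github/workflows as a CI step, a non-empty result can fail the build so that a floating tag never reaches the default branch.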
9b5cfcd to 2195f24
This PR contains the following updates:
v5 → v6
v5.0.0 → v6.2.0
Release Notes
actions/setup-node (actions/setup-node)
v6
Configuration
📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.