chore(deps): update github-actions#201

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/github-actions

Conversation

renovate Bot (Contributor) commented Apr 26, 2026

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| actions/checkout | action | patch | v6.0.2 -> v6.0.3 | |
| actions/setup-node | action | minor | v6.3.0 -> v6.4.0 | |
| cargo-bins/cargo-binstall | action | digest | d125de8 -> 30b5ca8 | |
| codecov/codecov-action | action | patch | v6.0.0 -> v6.0.1 | v6.0.2 |
| crate-ci/typos | action | minor | v1.46.2 -> v1.47.2 | |
| github/codeql-action | action | digest | 03e4368 -> dd903d2 | |
| pnpm (source) | uses-with | minor | 11.3.0 -> 11.5.1 | 11.5.3 (+1) |
| pnpm/action-setup | action | patch | v6.0.5 -> v6.0.8 | |
| taiki-e/install-action | action | minor | v2.75.18 -> v2.81.3 | v2.81.10 (+6) |

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

codecov/codecov-action (codecov/codecov-action)

v6.0.1

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

crate-ci/typos (crate-ci/typos)

v1.47.2

Compare Source

[1.47.2] - 2026-06-04

Fixes
  • Don't correct inferrable
  • Correct unused inferible variant

v1.47.1

Compare Source

[1.47.1] - 2026-06-03

Fixes
  • Don't correct requestors

v1.47.0

Compare Source

[1.47.0] - 2026-05-29
Features
  • Updated the dictionary with the May 2026 changes

v1.46.3

Compare Source

[1.46.3] - 2026-05-23

Fixes
  • Don't correct to sequentials
  • Don't correct to subdolder

pnpm/pnpm (pnpm)

v11.5.1

Compare Source

Patch Changes
  • Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
  • Avoid crashing when the workspace state cache is partially written or malformed.
  • Set npm_config_user_agent for root lifecycle scripts during headless installs.
  • Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
  • Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
  • Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
  • Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.

v11.5.0

Compare Source

Minor Changes
  • Added a new hoistingLimits setting for nodeLinker: hoisted installs, mirroring yarn's nmHoistingLimits. It accepts none (the default — hoist as far as possible), workspaces (hoist only as far as each workspace package), or dependencies (hoist only up to each workspace package's direct dependencies). Originally proposed in #​6468, closing #​6457.

  • Replaced enquirer with @inquirer/prompts for all interactive prompts. Fixes the update -i scrolling overflow bug where long choice lists were clipped in the terminal #​6643.

    User-facing changes:

    • pnpm update -i / pnpm update -i --latest: Scrolling now works correctly when many packages are available; the new library uses visual-line-aware pagination via usePagination
    • pnpm audit --fix -i: Same scrolling fix for vulnerability selection
    • pnpm approve-builds: Interactive build approval prompts updated
    • pnpm patch: Version selection and "apply to all" prompts updated
    • pnpm patch-remove: Patch removal selection updated
    • pnpm publish: Branch confirmation prompt updated
    • pnpm login: Credential prompts updated
    • pnpm run / pnpm exec (with verifyDepsBeforeRun=prompt): Confirmation prompt updated

    Vim-style j/k keys still work for up/down navigation in all interactive prompts.

    Internal: The OtpEnquirer and LoginEnquirer DI interfaces changed from { prompt } to { input } / { input, password } respectively. Plugins or custom builds that inject their own enquirer mock will need to update.

  • Staged publishes are now recognized in the trust scale. When a package version's registry metadata carries an approver field, it is treated as the strongest trust evidence (ranked above trusted publishers and provenance attestations), since staged publishes require 2FA publish approvals. This prevents false-positive trust downgrade errors when moving from a staged publish to a lower trust level #​11887.

Patch Changes
  • Fix pnpm hanging during peer resolution when an aliased install pulls in transitive packages with mutual peer cycles at different depths in the dependency tree (for example, pnpm i nuxt@npm:nuxt-nightly@5x). Cycles whose members hit the findHit cache instead of running their own calculateDepPath are now short-circuited by sibling resolutions at the level where the cycle is detected, so the cached path promises no longer deadlock. #​11999.

  • Fix pnpm dist-tag add and pnpm dist-tag rm against npmjs.org failing without --otp with [ERR_PNPM_UNAUTHORIZED] You must be logged in to set dist-tag … "You must provide a one-time pass. Upgrade your client to npm@latest in order to use 2FA.". pnpm now sends npm-auth-type: web on dist-tag writes and surfaces the resulting OTP challenge through the existing browser-based 2FA flow (the same withOtpHandling helper used by pnpm publish), so the browser opens, the user authenticates, and the dist-tag is set on retry. --otp=<code> continues to work via the classic flow.

  • Fix minimumReleaseAgeExclude handling in npm resolution fast paths so excluded packages do not get pinned to stale versions. Excludes are honored consistently during publishedBy metadata selection and cache-mtime shortcuts.

  • Fix the integrity field being dropped from the lockfile entry of a remote (non-registry) https-tarball dependency when an unrelated package is installed afterwards. URL/tarball resolvers do not return an integrity (it is only known after the tarball is downloaded), so when such a dependency was reused from the lockfile without being re-fetched, its integrity was lost. It is now carried over from the existing resolution. With pnpm's lockfile-integrity hardening, the missing integrity made subsequent --frozen-lockfile installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY. #​12001.

  • Skip dependency re-resolution when pnpm-lock.yaml is missing but node_modules/.pnpm/lock.yaml exists and still satisfies the manifest. pnpm install now reuses the materialized snapshot to regenerate pnpm-lock.yaml instead of walking the registry to rebuild it from scratch, turning the cache+node_modules variation into a near-no-op for users who deleted the lockfile but kept the install #​11993.

    --frozen-lockfile still refuses to proceed when pnpm-lock.yaml is absent — the regenerated lockfile must be committed, so failing loudly is the correct behavior for CI.

v11.4.0

Compare Source

Minor Changes
  • Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

    pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

    The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

    --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

  • pnpm runtime set <name> <version> now saves the runtime to devEngines.runtime by default instead of engines.runtime. Pass --save-prod (or -P) to save it to engines.runtime instead #​11948.

Patch Changes
  • Fix a credential disclosure issue where an unscoped _authToken (or _auth, or username + _password, or tokenHelper) defined in one source — ~/.npmrc, ~/.config/pnpm/auth.ini, a workspace .npmrc, CLI flags, etc. — would be sent as an Authorization header to whichever registry a different (potentially untrusted) source named. The same fix extends to client TLS credentials (cert, key) so they aren't presented to a registry their author didn't choose.

    pnpm now rewrites each unscoped per-registry setting (_authToken, _auth, username, _password, tokenHelper, cert, key) to its URL-scoped form at load time, using the registry= value declared in the same source (or the npmjs default registry if the source declares none). A later layer overriding registry= therefore cannot pull an unscoped credential along, because it is already pinned to the URL its author intended. ca/cafile are intentionally not rescoped — they're trust anchors, not credentials, and corporate MITM-proxy setups rely on them applying globally.

    Every rescope emits a deprecation warning telling the user where the setting was pinned and how to write it directly. npm has rejected unscoped credentials outright since npm@9, and pnpm intends to remove support in a future major release. To target a specific registry, write the setting URL-scoped (e.g. //registry.example.com/:_authToken=... or //registry.example.com/:cert=...).

    @pnpm/network.auth-header: removed the defaultRegistry parameter from createGetAuthHeaderByURI and getAuthHeadersFromCreds. Now that credentials are URL-scoped at load time, the merged configByUri never contains the empty-string "default registry" placeholder slot, so re-keying it onto the merged default registry is no longer needed.

  • Fix pnpm deploy crashing with ENOENT: ... lstat '<deployDir>/node_modules' when configDependencies declares pacquet (pacquet or @pnpm/pacquet). The deploy directory never installs config dependencies, so the install engine they designate isn't on disk to invoke; the nested install now skips them.

  • Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.

  • Limit concurrent project manifest reads while listing large workspaces to avoid EMFILE errors.

  • Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.

  • Improve the log message that pnpm prints after auto-adding entries to minimumReleaseAgeExclude when minimumReleaseAge is set without minimumReleaseAgeStrict. The message previously referred to the internal "loose mode" terminology, which wasn't searchable in the docs; it now tells the user to set minimumReleaseAgeStrict to true if they want these updates gated behind a prompt instead #​11747.

  • Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

  • Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

  • Validate devEngines.runtime and engines.runtime version ranges for node, deno, and bun when onFail is set to error or warn. Previously these settings only had an effect with onFail: 'download' — the error and warn modes silently did nothing #​11818. Violations now throw ERR_PNPM_BAD_RUNTIME_VERSION.

  • Require provenance before treating trusted publisher metadata as the strongest trust evidence.

pnpm/action-setup (pnpm/action-setup)

v6.0.8

Compare Source

v6.0.7

Compare Source

v6.0.6

Compare Source

What's Changed
  • fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in #​249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

taiki-e/install-action (taiki-e/install-action)

v2.81.3: 2.81.3

Compare Source

  • Update vacuum@latest to 0.28.3.

  • Update uv@latest to 0.11.18.

  • Update trivy@latest to 0.71.0.

v2.81.2: 2.81.2

Compare Source

  • Update mise@latest to 2026.5.18.

  • Update cargo-semver-checks@latest to 0.48.0.

v2.81.1: 2.81.1

Compare Source

  • Update cargo-no-dev-deps@latest to 0.2.24.

  • Update cargo-hack@latest to 0.6.45.

v2.81.0: 2.81.0

Compare Source

v2.80.0: 2.80.0

Compare Source

v2.79.15: 2.79.15

Compare Source

  • Update typos@latest to 1.47.0.

  • Update wasm-tools@latest to 1.251.0.

  • Update vacuum@latest to 0.27.2.

  • Update uv@latest to 0.11.17.

  • Update tombi@latest to 1.1.1.

  • Update mise@latest to 2026.5.16.

v2.79.14: 2.79.14

Compare Source

  • Update vacuum@latest to 0.27.0.

  • Update cargo-deny@latest to 0.19.8.

v2.79.13: 2.79.13

Compare Source

  • Update gungraun-runner@latest to 0.19.1.

  • Update biome@latest to 2.4.16.

v2.79.12: 2.79.12

Compare Source

  • Update prek@latest to 0.4.3.

  • Remove uses of the crates.io API, which potentially causes 403 errors.

v2.79.11: 2.79.11

Compare Source

  • Update vacuum@latest to 0.26.8.

  • Update cargo-nextest@latest to 0.9.137.

v2.79.10: 2.79.10

Compare Source

  • Update tombi@latest to 1.1.0.

  • Update prek@latest to 0.4.2.

  • Update editorconfig-checker@latest to 3.7.0.

v2.79.9: 2.79.9

Compare Source

  • Update vacuum@latest to 0.26.7.

  • Update tombi@latest to 1.0.0.

v2.79.8: 2.79.8

Compare Source

  • Update parse-dockerfile@latest to 0.1.6.

  • Update knope@latest to 0.23.0.

v2.79.7: 2.79.7

Compare Source

  • Update typos@latest to 1.46.3.

  • Update rclone@latest to 1.74.2.

  • Update mise@latest to 2026.5.15.

  • Update tombi@latest to 0.11.7.

v2.79.6: 2.79.6

Compare Source

  • Update wasm-bindgen@latest to 0.2.122.

  • Update mise@latest to 2026.5.14.

  • Update cargo-deny@latest to 0.19.7.

  • Update vacuum@latest to 0.26.6.

v2.79.5: 2.79.5

Compare Source

  • Update jaq@latest to 3.0.0. (#​1861, thanks @​MusicalNinjaDad)

  • Update wasmtime@latest to 45.0.0.

  • Update wasm-tools@latest to 1.250.0.

  • Update tombi@latest to 0.11.6.

  • Update mise@latest to 2026.5.13.

v2.79.4: 2.79.4

Compare Source

  • Update martin@latest to 1.10.1.

  • Update prek@latest to 0.4.1.

  • Update protoc@latest to 3.35.0.

  • Update mdbook@latest to 0.5.3.

v2.79.3: 2.79.3

Compare Source

  • Update mise@latest to 2026.5.12.

  • Update martin@latest to 1.10.0.

  • Update uv@latest to 0.11.15.

v2.79.2: 2.79.2

Compare Source

  • Update mise@latest to 2026.5.11.

  • Update vacuum@latest to 0.26.5.

  • Update cargo-shear@latest to 1.12.4.

v2.79.1: 2.79.1

Compare Source

  • Update tombi@latest to 0.11.5.

  • Update cargo-nextest@latest to 0.9.136.

  • Update typos@latest to 1.46.2.

  • Update mise@latest to 2026.5.10.

v2.79.0: 2.79.0

Compare Source

  • Support more host architectures. (#​1841, thanks @​Gelbpunkt)

  • Deprecate mdbook-alerts because the feature is now included in mdbook and the repository has been archived. (#​1844)

  • Deprecate iai-callgrind-runner because it has been renamed to gungraun-runner. gungraun-runner is also supported by this action. (#​1844)

v2.78.3: 2.78.3

Compare Source

  • Update zizmor@latest to 1.25.2.

  • Update cargo-zigbuild@latest to 0.22.3. (#​1814, thanks @​simonhollingshead)

  • Update wasm-tools@latest to 1.249.0.

  • Update gungraun-runner@latest to 0.19.0.

v2.78.2: 2.78.2

Compare Source

  • Update wasm-pack@latest to 0.15.0.

  • Update zizmor@latest to 1.25.0.

  • Update mise@latest to 2026.5.9.

  • Update cargo-nextest@latest to 0.9.135.

  • Update cyclonedx@latest to 0.32.0.

  • Update prek@latest to 0.4.0.

v2.78.1: 2.78.1

Compare Source

  • Update mise@latest to 2026.5.7.

  • Diagnostic improvements.

v2.78.0: 2.78.0

Compare Source

  • Support cargo-mutants. (#​1812, thanks @​jakewimmer)

  • Update covgate@latest to 0.2.0.

  • Update cargo-llvm-cov@latest to 0.8.7.

  • Update uv@latest to 0.11.14.

  • Update martin@latest to 1.9.1.

  • Update tombi@latest to 0.11.4.

v2.77.7: 2.77.7

Compare Source

  • Update mise@latest to 2026.5.6.

  • Update cargo-deny@latest to 0.19.6.

v2.77.6: 2.77.6

Compare Source

  • Fix wasm-pack installation failure.

  • Update mise@latest to 2026.5.5.

  • Update release-plz@latest to 0.3.158.

  • Update just@latest to 1.51.0.

v2.77.5: 2.77.5

Compare Source

  • Update biome@latest to 2.4.15.

  • Update mise@latest to 2026.5.4.

  • Update cargo-deny@latest to 0.19.5.

v2.77.4: 2.77.4

Compare Source

  • Update tombi@latest to 0.11.1.

  • Update cargo-llvm-cov@latest to 0.8.6.

  • Update uv@latest to 0.11.12.

v2.77.3: 2.77.3

Compare Source

  • Update typos@latest to 1.46.1.

  • Update rclone@latest to 1.74.1.

  • Update tombi@latest to 0.11.0.

  • Update osv-scanner@latest to 2.3.8.

  • Update mise@latest to 2026.5.3.

v2.77.2: 2.77.2

Compare Source

  • Update martin@latest to 1.9.0.

  • Update wasm-bindgen@latest to 0.2.121.

  • Update uv@latest to 0.11.11.

  • Update mise@latest to 2026.5.1.

  • Update prek@latest to 0.3.13.

  • Update tombi@latest to 0.10.6.

v2.77.1: 2.77.1

Compare Source

  • Support taiki-e/install-action@rust tag.

  • Update tombi@latest to 0.10.3.

  • Update martin@latest to 1.8.2.

v2.77.0: 2.77.0

Compare Source

  • Support rust. (#​1779)

    This installs rust using rustup.

    If rustup is not yet installed, this action downloads rustup-init for the current platform using HTTPS with tlsv1.2+, verifies SHA256 checksum, and then installs rustup using it.

    This also supports installing additional components at the same time by +<additional> syntax:

    - uses: taiki-e/install-action@v2
      with:
        # Install rust stable with rustfmt component and wasm32-wasip1 target.
        tool: rust+rustfmt+wasm32-wasip1
        # When installing another rust version:
        # tool: rust@nightly + rustfmt + wasm32-wasip1
  • Fix issue where an x86_64 binary would be installed on AArch64 Windows even when an AArch64 Windows binary was available.

  • Update mise@latest to 2026.5.0.

  • Diagnostic improvements.

v2.76.0: 2.76.0

Compare Source

  • Support mdbook-d2. (#​1737, thanks @​nhu)

  • Support cargo-apple-runner. (#​1731, thanks @​madsmtm)

  • Support cargo-binstall on riscv64 Linux.

  • Update cargo-deb@latest to 3.7.0.

  • Update tombi@latest to 0.10.2.

v2.75.30: 2.75.30

Compare Source

  • Support cargo-spellcheck on AArch64 Linux/Windows.

  • Update cargo-spellcheck@latest to 0.15.7.

  • Update biome@latest to 2.4.14.

v2.75.29: 2.75.29

Compare Source

  • Update syft@latest to 1.44.0.

  • Update rclone@latest to 1.74.0.

  • Update osv-scanner@latest to 2.3.6.

v2.75.28: 2.75.28

Compare Source

  • Update wasmtime@latest to 44.0.1.

  • Update typos@latest to 1.46.0.

  • Update tombi@latest to 0.10.1.

  • Update sccache@latest to 0.15.0.

  • Update mise@latest to 2026.4.28.

  • Update gungraun-runner@latest to 0.18.2.

  • Update cyclonedx@latest to 0.31.0.

v2.75.27: 2.75.27

Compare Source

  • Update cargo-udeps@latest to 0.1.61.

  • Update wasm-tools@latest to 1.248.0.

  • Update cargo-deb@latest to 3.6.4.

v2.75.26: 2.75.26

Compare Source

  • Update wasm-bindgen@latest to 0.2.120.

  • Update mise@latest to 2026.4.25.

  • Update martin@latest to 1.8.0.

  • Update vacuum@latest to 0.26.4.

v2.75.25: 2.75.25

Compare Source

  • Update uv@latest to 0.11.8.

  • Update typos@latest to 1.45.2.

  • Update tombi@latest to 0.9.25.

  • Update mise@latest to 2026.4.24.

v2.75.24: 2.75.24

Compare Source

  • Update prek@latest to 0.3.11.

  • Update mise@latest to 2026.4.23.

  • Update vacuum@latest to 0.26.3.

v2.75.23: 2.75.23

Compare Source

  • Update vacuum@latest to 0.26.2.

  • Update tombi@latest to 0.9.24.

  • Update mise@latest to 2026.4.22.

  • Update martin@latest to 1.7.0.

  • Update git-cliff@latest to 2.13.1.

  • Update cargo-tarpaulin@latest to 0.35.4.

  • Update cargo-sort@latest to 2.1.4.

v2.75.22: 2.75.22

Compare Source

  • Update tombi@latest to 0.9.22.

  • Update biome@latest to 2.4.13.

v2.75.21: 2.75.21

Compare Source

  • Update mise@latest to 2026.4.19.

  • Update tombi@latest to 0.9.21.

  • Update syft@latest to 1.43.0.

v2.75.20: 2.75.20

Compare Source

  • Update prek@latest to 0.3.10.

  • Update cargo-xwin@latest to 0.22.0.

v2.75.19: 2.75.19

Compare Source

  • Update wasmtime@latest to 44.0.0.

  • Update tombi@latest to 0.9.20.

  • Update martin@latest to 1.6.0.

  • Update just@latest to 1.50.0.

  • Update mise@latest to 2026.4.18.

  • Update rclone@latest to 1.73.5.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.
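The lockfile hardening described in the pnpm 11.4.0 notes above (40-character hex git commits, mandatory integrity on remote tarballs, rejection of path-traversal aliases) as a stand-alone checker. This is an example added here, not pnpm's code; the lockfile is a constructed, simplified dict whose key layout is an assumption rather than pnpm-lock.yaml's real schema.

```python
# Lockfile checks modelled on the pnpm 11.4.0 hardening notes: git commits must
# be 40-hex SHAs, remote tarballs must carry an integrity, and dependency aliases
# must not contain path-traversal segments. Example added here, not pnpm's code.
# The lockfile below is a constructed dict standing in for a parsed
# pnpm-lock.yaml; its key layout is an assumption, not pnpm's real schema.
import re
from urllib.parse import unquote, urlparse

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Subresource-integrity syntax as stored in lockfiles, e.g. sha512-<base64>.
SRI_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")
# Git hosts whose tarball URLs embed the commit SHA; exempt, as in the note.
GIT_HOSTS = {"codeload.github.com", "bitbucket.org", "gitlab.com"}


def check_git_commit(resolution):
    """Return a problem string if a git resolution's commit is not a 40-hex SHA.

    The commit value ends up on a git command line, so anything that is not a
    plain SHA (a branch name, an option-looking string) is refused before git runs.
    """
    if resolution.get("type") != "git":
        return None
    commit = str(resolution.get("commit", ""))
    if SHA1_RE.match(commit):
        return None
    return f"git commit {commit!r} is not a 40-character hex SHA"


def check_tarball_integrity(resolution):
    """Return a problem string if a remote tarball resolution has no usable integrity.

    file: tarballs and git-hosted tarballs are exempt: the local path and the
    commit SHA in the URL already anchor the bytes.
    """
    tarball = resolution.get("tarball")
    if not tarball or tarball.startswith("file:") or resolution.get("gitHosted"):
        return None
    if urlparse(tarball).hostname in GIT_HOSTS:
        return None
    integrity = str(resolution.get("integrity") or "")
    if SRI_RE.match(integrity):
        return None
    return f"remote tarball {tarball} has no integrity field"


def has_path_traversal(alias):
    """True if a dependency alias could escape node_modules when symlinked.

    Percent-encoding is decoded first so an encoded '..' is caught too; any
    empty, '.' or '..' segment (including a leading '/') is rejected.
    """
    decoded = unquote(alias).replace("\\", "/")
    return any(seg in ("", ".", "..") for seg in decoded.split("/"))


def validate_lockfile(lock):
    """Collect (package_key, problem) findings over every package entry."""
    findings = []
    for key, entry in lock.get("packages", {}).items():
        resolution = entry.get("resolution", {})
        for check in (check_git_commit, check_tarball_integrity):
            problem = check(resolution)
            if problem:
                findings.append((key, problem))
        for alias in entry.get("dependencies", {}):
            if has_path_traversal(alias):
                findings.append((key, f"alias {alias!r} contains a path-traversal segment"))
    return findings


SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder SHA
SAMPLE_LOCK = {  # constructed sample, not any real project's lockfile
    "packages": {
        "git-ok@1.0.0": {"resolution": {"type": "git", "repo": "https://example.com/git-ok.git", "commit": SHA}},
        "git-bad@1.0.0": {"resolution": {"type": "git", "repo": "https://example.com/git-bad.git", "commit": "main"}},
        "tar-ok@1.0.0": {"resolution": {"tarball": "https://cdn.example.com/tar-ok-1.0.0.tgz",
                                         "integrity": "sha512-" + "A" * 86 + "=="}},
        "tar-stripped@1.0.0": {"resolution": {"tarball": "https://cdn.example.com/tar-stripped-1.0.0.tgz"}},
        "gh-tar@1.0.0": {"resolution": {"tarball": f"https://codeload.github.com/example/gh-tar/tar.gz/{SHA}"}},
        "local@1.0.0": {"resolution": {"tarball": "file:../local-1.0.0.tgz"}},
        "app@0.1.0": {"dependencies": {"lodash": "4.17.21", "@x/../../evil": "1.0.0"}},
    }
}

if __name__ == "__main__":
    for key, problem in validate_lockfile(SAMPLE_LOCK):
        print(f"{key}: {problem}")
```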

@renovate renovate Bot enabled auto-merge (squash) April 26, 2026 16:52
codspeed-hq Bot commented Apr 26, 2026

Merging this PR will improve performance by 4.1%

⚡ 1 improved benchmark
✅ 11 untouched benchmarks

Performance Changes

| Mode | Benchmark | BASE | HEAD | Efficiency |
|---|---|---|---|---|
| Memory | resolver[pnp resolve] | 9.1 KB | 8.7 KB | +4.1% |



Comparing renovate/github-actions (8ca05fe) with main (cb42e9a)

@renovate renovate Bot force-pushed the renovate/github-actions branch from 2479122 to 8bad6fc Compare May 3, 2026 16:32
@renovate renovate Bot changed the title chore(deps): update github-actions chore(deps): update github actions May 3, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 2 times, most recently from 041be11 to 3c90ddc Compare May 17, 2026 16:52
@renovate renovate Bot force-pushed the renovate/github-actions branch 3 times, most recently from eb4b233 to d1df33f Compare May 26, 2026 02:30
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label May 26, 2026
@renovate renovate Bot changed the title chore(deps): update github actions chore(deps): update github-actions May 26, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 14 times, most recently from 12ddfe4 to c79ac62 Compare June 4, 2026 01:14
@renovate renovate Bot force-pushed the renovate/github-actions branch 5 times, most recently from ce1c397 to a779f27 Compare June 6, 2026 04:58
@renovate renovate Bot force-pushed the renovate/github-actions branch 5 times, most recently from dc2925a to 61f8ea7 Compare June 8, 2026 15:51
coderabbitai Bot commented Jun 8, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This PR updates pinned references for third‑party GitHub Actions across repository workflows and custom actions: bumps actions/setup-node to v6.4.0, pnpm/action-setup to v6.0.8 (pnpm 11.5.1), taiki-e/install-action to v2.81.3, crate-ci/typos to v1.47.1, codecov/codecov-action to v6.0.1, refreshes github/codeql-action init/analyze SHAs, updates cargo-bins/cargo-binstall pin, and updates actions/checkout pins to v6.0.3. No workflow logic or step inputs were changed.

Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly indicates the primary change: updating GitHub Actions dependencies. It is concise and directly related to the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description provides a detailed table of updated dependencies with links, version changes, metadata, and release notes for each package, clearly relating to the changeset. |

@renovate renovate Bot force-pushed the renovate/github-actions branch 2 times, most recently from 420cb6a to 4f71b08 Compare June 9, 2026 16:07

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-plz.yml:
- Around line 29-32: The checkout action is currently persisting git credentials
for the whole job; change the two actions/checkout uses to include
persist-credentials: false, and add an explicit authentication step immediately
before the "Push tag" step (e.g., set the origin remote URL to include the
GITHUB_TOKEN or run a git auth helper using secrets.GITHUB_TOKEN or
inputs.token) so only the tag push step has credentials. Update both occurrences
of actions/checkout@... in the workflow and add a short pre-push auth step named
or placed right before the "Push tag" step to authenticate explicitly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fb4d4ec4-fcd5-4cba-8dd0-e45a97ecd62c

📥 Commits

Reviewing files that changed from the base of the PR and between 420cb6a and 4f71b08.

📒 Files selected for processing (9)
  • .github/actions/pnpm/action.yml
  • .github/actions/zigbuild/action.yml
  • .github/workflows/benchmark.yml
  • .github/workflows/ci.yml
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release-npm.yml
  • .github/workflows/release-plz.yml
  • .github/workflows/reusable-build.yml
✅ Files skipped from review due to trivial changes (3)
  • .github/actions/pnpm/action.yml
  • .github/workflows/reusable-build.yml
  • .github/workflows/benchmark.yml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/codeql.yml
  • .github/actions/zigbuild/action.yml
  • .github/workflows/codecov.yml
  • .github/workflows/ci.yml
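The posture the review prompt above asks for (checkout steps without persist-credentials: false, with a separate explicit auth step only where a push happens) as a small workflow scanner. Example added here, not CodeRabbit's or the repository's code; the workflow text is constructed, and the walk is indentation-based rather than a YAML parser, so it assumes the step's `with:` block follows its `uses:` key.

```python
# Flags actions/checkout steps that leave the job token in .git/config, the
# issue raised in the review above. Example added here, not CodeRabbit's or the
# repository's code; the workflow text is constructed, and the walk is
# line-based (indentation only), not a YAML parser, so `with:` is assumed to
# follow `uses:` inside the same step.
import re

# Matches `- uses: actions/checkout@<ref>` or a bare `uses:` key inside a step.
CHECKOUT_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*actions/checkout@(\S+)")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
GIT_PUSH_RE = re.compile(r"\bgit\s+push\b")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def persisting_checkouts(workflow_text):
    """Return (line_no, ref) for every checkout step that keeps credentials.

    actions/checkout defaults to persist-credentials: true, so a step keeps the
    token unless its body contains `persist-credentials: false`. The body is
    every following line indented deeper than the step's list dash.
    """
    lines = workflow_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = CHECKOUT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # With a dash the step starts on this line; without one the `uses:`
        # key sits two columns inside the dash of a preceding `- name:` line.
        step_indent = len(m.group(1)) if m.group(2) else len(m.group(1)) - 2
        j = i + 1
        body = []
        while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > step_indent):
            body.append(lines[j])
            j += 1
        if not any(PERSIST_OFF_RE.match(b) for b in body):
            findings.append((i + 1, m.group(3)))
        i = j
    return findings


def has_git_push(workflow_text):
    """True if some run step pushes to a remote, i.e. a step really needs git auth."""
    return bool(GIT_PUSH_RE.search(workflow_text))


# Constructed workflow, not the repository's real release-plz.yml. The first
# job checks out with the default (persisting) settings and later pushes a tag;
# the second job opts out of credential persistence.
SAMPLE_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      commit:
        required: true
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          ref: ${{ inputs.commit }}
      - name: Push tag
        run: |
          git tag v1.2.3
          git push origin v1.2.3
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - run: cargo build
"""

if __name__ == "__main__":
    for line_no, ref in persisting_checkouts(SAMPLE_WORKFLOW):
        print(f"line {line_no}: actions/checkout@{ref} persists the job token")
    if has_git_push(SAMPLE_WORKFLOW):
        print("workflow pushes to a remote: authenticate that step explicitly")
```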

Comment on lines +29 to 32
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
  with:
    fetch-depth: 0
    ref: ${{ inputs.commit }}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout credential persistence posture and push usage in workflows.
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows
rg -n -C2 'persist-credentials:\s*false' .github/workflows
rg -n -C2 'git push|git tag' .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 1491


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,140p' .github/workflows/release-plz.yml | nl -ba

Repository: rstackjs/rspack-resolver

Length of output: 111


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Also inspect other workflow occurrences of the same pinned checkout SHA for context
rg -n "uses:\s*actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" .github/workflows -n

Repository: rstackjs/rspack-resolver

Length of output: 425


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release-plz.yml (lines 1-120) with line numbers via cat -n ==="
cat -n .github/workflows/release-plz.yml | sed -n '1,120p'

echo "=== persist-credentials occurrences ==="
rg -n "persist-credentials" .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 2486


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Focus on the pinned checkout usage in release-plz.yml
rg -n "release-plz\.yml|actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" .github/workflows/release-plz.yml || true

# Show the exact job/steps around the checkout and push
rg -n -C3 "name: Checkout|uses:\s*actions/checkout|git tag v\$version|git push" .github/workflows/release-plz.yml

Repository: rstackjs/rspack-resolver

Length of output: 588


🌐 Web query:

actions/checkout persist-credentials default value v6

💡 Result:

For actions/checkout v6, the input persist-credentials has no explicit default value; it’s defined as '' (empty string) in the action metadata, with comments indicating default behavior is enabled (i.e., “Default: true”).[1][2] So, “persist-credentials default value v6” resolves to: empty-string ('') in the action.yml, which corresponds to the documented default behavior of true.[1][2] Note: the docs state that when enabled, the auth token is persisted in the local git config to allow authenticated git commands, and removed during post-job cleanup; you can opt out with persist-credentials: false.[2][3]

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "GITHUB_TOKEN|secrets\.GITHUB_TOKEN|persist-credentials" .github/workflows/release-plz.yml .github/workflows

Repository: rstackjs/rspack-resolver

Length of output: 50


Reduce checkout credential persistence in release-plz.yml (lines 29-32, 54-63).
actions/checkout@v6 defaults to persisting credentials for the whole job; this workflow doesn’t need git auth until the “Push tag” step, so set persist-credentials: false and authenticate the tag push explicitly.

Suggested hardening diff
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           fetch-depth: 0
           ref: ${{ inputs.commit }}
+          persist-credentials: false
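Review bot: the `-`/`+` pair on the `uses:` line is a no-op (both lines are identical), so this hunk really only adds `persist-credentials: false`; drop the redundant pair so the suggestion stays minimal. The hunk also covers only the checkout at lines 29-32, while the finding itself names lines 54-63 as well and the agent prompt says to change both checkout uses; the second checkout needs the same `persist-credentials: false`, otherwise the token is still written into `.git/config` for that job.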
@@
       - name: Push tag
         run: |
           version=$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[] | select(.name == "rspack_resolver") | .version')
           echo tagging v$version
           git config --global --add safe.directory /github/workspace
           git config --global user.name "github-actions[bot]"
           git config --global user.email "github-actions[bot]`@users.noreply.github.com`"
           git status
           git tag v$version -m v$version
-          git push origin v$version
+          git push https://x-access-token:${GITHUB_TOKEN}`@github.com/`${GITHUB_REPOSITORY}.git v$version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
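Review bot: embedding the token in the push URL works, but it places the secret in the process argument list and in any git error message that echoes the remote URL; GitHub masks `secrets.GITHUB_TOKEN` in job logs, but a safer equivalent keeps the URL clean and supplies the credential for that one command only, e.g. `git -c http.https://github.com/.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64)" push origin "v$version"`, which is the same header actions/checkout itself persists when `persist-credentials` is left on. Two smaller points: `$version` is unquoted in `git tag v$version -m v$version` and in the push line, so quote it; and pushing a tag with `GITHUB_TOKEN` requires the job to grant `permissions: contents: write`, which this hunk does not show, so confirm the workflow's `permissions:` block before relying on the change.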
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-32: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-plz.yml around lines 29 - 32, The checkout action
is currently persisting git credentials for the whole job; change the two
actions/checkout uses to include persist-credentials: false, and add an explicit
authentication step immediately before the "Push tag" step (e.g., set the origin
remote URL to include the GITHUB_TOKEN or run a git auth helper using
secrets.GITHUB_TOKEN or inputs.token) so only the tag push step has credentials.
Update both occurrences of actions/checkout@... in the workflow and add a short
pre-push auth step named or placed right before the "Push tag" step to
authenticate explicitly.

Source: Linters/SAST tools

@renovate renovate Bot force-pushed the renovate/github-actions branch from 4f71b08 to 072ac1a Compare June 10, 2026 02:47

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-plz.yml:
- Line 29: The checkout action is pinned to the wrong SHA (uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 with a comment
claiming v6.0.3); update the pinned SHA to match the v6.0.3 tag
(9f698171ed81b15d1823a05fc7211befd50c8ae0) wherever that exact checkout string
appears (the checkout step in release-plz.yml and the same usage in
reusable-build.yml and release-npm.yml), and add persist-credentials: false to
the checkout step to avoid leaking credentials; since this workflow later does
git push origin v$version, ensure the push is explicitly authenticated (e.g.,
use an authenticated git push with GITHUB_TOKEN or a deploy key) so the release
push still works after persist-credentials: false is set.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 879e0a26-a1c5-4d01-849b-8e4724db5850

📥 Commits

Reviewing files that changed from the base of the PR and between 4f71b08 and 072ac1a.

📒 Files selected for processing (9)
  • .github/actions/pnpm/action.yml
  • .github/actions/zigbuild/action.yml
  • .github/workflows/benchmark.yml
  • .github/workflows/ci.yml
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release-npm.yml
  • .github/workflows/release-plz.yml
  • .github/workflows/reusable-build.yml
✅ Files skipped from review due to trivial changes (3)
  • .github/workflows/reusable-build.yml
  • .github/actions/pnpm/action.yml
  • .github/workflows/ci.yml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/release-npm.yml
  • .github/workflows/benchmark.yml
  • .github/workflows/codeql.yml
  • .github/workflows/codecov.yml

Comment thread .github/workflows/release-plz.yml
@renovate renovate Bot force-pushed the renovate/github-actions branch from 072ac1a to 555d523 Compare June 10, 2026 05:29
@renovate renovate Bot force-pushed the renovate/github-actions branch from 555d523 to d6cb9a0 Compare June 11, 2026 01:11
Labels

dependencies Pull requests that update a dependency file
