
fix(ci): downgrade pnpm/action-setup to v5 in dependency-audit reusable#152

Merged: don-petry merged 2 commits into main from fix/dependency-audit-pnpm-action-setup-v5 on Jun 8, 2026

Conversation

don-petry (Contributor) commented Apr 19, 2026

Problem

The SHA `08c4be7e` pinned in `dependency-audit-reusable.yml` is labeled `# v4` but is actually pnpm/action-setup@v6.0.0. v6 bootstraps with pnpm v11.0.0-rc.0, which cannot parse `lockfileVersion: '9.0'` lockfiles generated by pnpm v9. This causes `ERR_PNPM_BROKEN_LOCKFILE` in all repos still on pnpm v9 — confirmed breaking `broodly` main.

Fix

Pin to `pnpm/action-setup@v5.0.0` (`fc06bc1`), which installs pnpm directly via npm with no v11-rc bootstrap, restoring compatibility with pnpm v9.

Note

Upgrade to action-setup@v6 can be revisited org-wide once repos have migrated to pnpm v11.

Summary by CodeRabbit

  • Chores
    • Updated development workflow tooling to the latest version.

Copilot AI review requested due to automatic review settings April 19, 2026 13:12
coderabbitai (bot) commented Apr 19, 2026

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 50 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3b53f0b4-78d7-4c41-a149-73ca53b60fbb

📥 Commits

Reviewing files that changed from the base of the PR and between 441e040 and b98a4b6.

📒 Files selected for processing (2)
  • .github/workflows/dependabot-rebase-reusable.yml
  • .github/workflows/dependency-audit-reusable.yml
📝 Walkthrough

Updated the pnpm/action-setup GitHub Action version from v4 to v5.0.0 in the dependency audit reusable workflow. The change affects only the action reference, with no modifications to workflow logic, conditions, or commands.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Configuration: .github/workflows/dependency-audit-reusable.yml | Updated pnpm/action-setup action from commit 08c4be7e2e672a47d11bd04269e27e5f3e8529cb (v4) to commit fc06bc1257f339d1d5d8b3a19a8cae5388b55320 (v5.0.0). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: downgrading pnpm/action-setup to v5 in the dependency-audit reusable workflow to fix compatibility with pnpm v9 lockfiles. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai[bot] previously approved these changes Apr 19, 2026

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a breaking CI regression in the org’s reusable dependency-audit workflow by pinning pnpm/action-setup to a compatible major version, avoiding pnpm v11-rc bootstrapping that fails on pnpm v9 lockfiles.

Changes:

  • Downgrade pnpm/action-setup pin in the pnpm audit job from the (mis-labeled) v6 SHA to a v5.0.0 SHA.


don-petry (Contributor, Author) commented Apr 19, 2026

Outdated review (superseded by re-review at 588b01d4cae535fe25cc23a96cfa8435ea893c33):

Automated review — APPROVED

Risk: LOW
Reviewed commit: 441e040f90913cdea45f0c8680dc81c90abfc18c
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line SHA pin correction in a reusable CI workflow: the old SHA was mislabeled as v4 but resolved to pnpm/action-setup@v6.0.0, which broke pnpm v9 repos; the new SHA correctly pins v5.0.0. All CI gates pass (CodeQL, SonarCloud, ShellCheck, AgentShield, Lint) with zero new issues or security hotspots. No security concerns — SHA pinning is maintained, no secrets or credentials touched.

Findings

Info

  • .github/workflows/dependency-audit-reusable.yml:104 — SHA pin updated from 08c4be7e (mislabeled # v4, actually v6.0.0) to fc06bc12 (v5.0.0). Comment now accurately reflects the version. SHA pinning practice is preserved.
  • CI status — All CI checks passed: CodeQL, SonarCloud (Quality Gate passed, 0 security hotspots), ShellCheck, AgentShield, Lint, Agent Security Scan. CodeRabbit approved. No unresolved review threads.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with `@don-petry` if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 19, 2026 16:28
don-petry (Contributor, Author) commented Apr 25, 2026

Outdated review (superseded by re-review at 588b01d4cae535fe25cc23a96cfa8435ea893c33):

Automated review — APPROVED

Risk: LOW
Reviewed commit: f8e4450357e3882b2c044073cee7cc991d779a4d
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line SHA pin correction in a reusable CI workflow: the old SHA was mislabeled as v4 but resolved to pnpm/action-setup@v6.0.0, which broke pnpm v9 repos; the new SHA correctly pins v5.0.0. SHA pinning practice is preserved and all CI gates pass (CodeQL, SonarCloud Quality Gate, CodeRabbit, Analyze). HEAD advanced only via two merge-from-main commits since prior approved review at 441e040 — no substantive diff change.

Findings

Info

  • .github/workflows/dependency-audit-reusable.yml:104 — SHA pin updated from 08c4be7e (mislabeled # v4, actually resolves to pnpm/action-setup@v6.0.0) to fc06bc12 (v5.0.0). The comment now accurately reflects the pinned version. SHA-pinning security posture is fully preserved.
  • CI status — All CI checks passed: CodeQL (pass), Analyze/actions (pass, 1m42s), CodeRabbit (Review completed/approved). SonarCloud Quality Gate passed with 0 new issues and 0 security hotspots. No unresolved review threads.
  • Re-review note — HEAD SHA f8e4450 is two merge-from-main commits ahead of the previously-approved SHA 441e040f. Both added commits are automated Merge branch main into fix/… merges with no workflow file changes — the substantive diff is identical to what was previously approved.

CI status

All CI checks passed: CodeQL, Analyze/actions, SonarCloud Quality Gate (0 new issues, 0 security hotspots), and CodeRabbit review completed/approved.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

don-petry (Contributor, Author) commented Apr 25, 2026

Outdated review (superseded by re-review at 588b01d4cae535fe25cc23a96cfa8435ea893c33):

Automated review — APPROVED

Risk: LOW
Reviewed commit: 407899adf843bd2e393900fbc6df64053537137d
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line SHA pin correction in a reusable CI workflow: the old SHA was mislabeled as v4 but resolved to pnpm/action-setup@v6.0.0, which broke pnpm v9 repos; the new SHA correctly pins v5.0.0. All CI gates pass (CodeQL SUCCESS, SonarCloud Quality Gate passed with 0 new issues and 0 security hotspots, CodeRabbit approved) and SHA-pinning security posture is fully preserved. The HEAD advanced only via an additional automated merge-from-main commit since the prior approved review at f8e4450 — no substantive diff change.

Findings

Info

  • [info] .github/workflows/dependency-audit-reusable.yml:104 — SHA pin updated from 08c4be7e (mislabeled '# v4', actually pnpm/action-setup@v6.0.0-rc) to fc06bc12 (v5.0.0). Comment now accurately reflects the pinned version. SHA-pinning security practice is preserved.
  • [info] CI status — All CI checks passed: CodeQL Analyze/actions (SUCCESS), CodeQL check (SUCCESS), CodeRabbit (SUCCESS/APPROVED). SonarCloud Quality Gate passed with 0 new issues and 0 security hotspots. No unresolved review threads.
  • [info] Re-review — Current HEAD 407899a is one automated merge-from-main commit ahead of the previously-approved SHA f8e4450. The merge commit introduces no workflow file changes; the substantive diff is identical to what was previously approved as LOW risk.
  • [info] Triage escalation — Triage escalated with signal 'triage-output-invalid' (triage tier failed, not a content-based security signal). No security concerns identified on independent deep review.

CI status

All CI checks passed: CodeQL (SUCCESS), SonarCloud Quality Gate passed with 0 new issues and 0 security hotspots, CodeRabbit (APPROVED).


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:31
donpetry-bot previously approved these changes May 5, 2026

donpetry-bot (Contributor) left a comment

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

github-actions (bot, Contributor) commented May 7, 2026

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

donpetry-bot (Contributor) commented

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

don-petry (Contributor, Author) commented

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

Claude will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


don-petry (Contributor, Author) commented

Agentic rebase — conflict analysis complete, manual resolution required

I analyzed the merge conflict on this PR but was unable to complete the rebase because git config, git fetch, git rebase, and git push require explicit approval in this session (the claude-rebase job's Bash(git*:*) allowedTools was not in effect — this repo's checkout had the older workflow version without that configuration).


Conflict identified

File: .github/workflows/dependency-audit-reusable.yml

| Side | Line | SHA | Tag | Committed |
| --- | --- | --- | --- | --- |
| Base (main) | pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 | 91ab88e | v4 | 2026-05-07 |
| PR branch | pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 | fc06bc1 | v5.0.0 | 2026-03-13 |

Resolution: Per the SHA-pin conflict policy, accept the side with the more recent commit date — main's v4 SHA is newer (2026-05-07 vs 2026-03-13). After rebase, the file should use main's version:

- uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v4

Manual resolution steps

git fetch origin
git rebase origin/main
# Conflict in: .github/workflows/dependency-audit-reusable.yml
# Resolution: keep main's version (newer SHA — v4, committed 2026-05-07)
git checkout --ours -- .github/workflows/dependency-audit-reusable.yml
git add .github/workflows/dependency-audit-reusable.yml
git rebase --continue
git push --force-with-lease

don-petry (Contributor, Author) commented

Auto-Rebase — Conflict Analysis

The auto-rebase workflow detected a conflict and I performed a full analysis. However, the rebase could not be completed automatically due to permission restrictions in this environment. Here is everything needed to complete the resolution manually.


Conflict details

File: .github/workflows/dependency-audit-reusable.yml
Line: ~104 (pnpm/action-setup pin)

| Side | SHA | Label |
| --- | --- | --- |
| origin/main | 91ab88e2619ed1f46221f0ba42d1492c02baf788 | # v4 |
| PR branch | fc06bc1257f339d1d5d8b3a19a8cae5388b55320 | # v5.0.0 |

Resolution: Keep the PR branch version (fc06bc1 # v5.0.0).

Reason: Both sides modified the same pnpm/action-setup pin from different starting SHAs. Per the action-pin conflict strategy, comparing tag labels as semver: v5.0.0 > v4. The PR's downgrade to v5.0.0 is intentional — the # v4 SHA on main (91ab88e2) bootstraps pnpm v11-rc, which cannot parse pnpm v9 lockfiles. The PR's v5.0.0 pin restores compatibility.


Manual resolution steps

git fetch origin
git checkout fix/dependency-audit-pnpm-action-setup-v5
git rebase origin/main

When the conflict appears in .github/workflows/dependency-audit-reusable.yml, resolve it by keeping the PR's version:

# Keep the PR branch's pnpm/action-setup pin (v5.0.0):
git checkout --theirs -- .github/workflows/dependency-audit-reusable.yml
git add .github/workflows/dependency-audit-reusable.yml
git rebase --continue

Then push:

git push --force-with-lease

The only conflict is the single pnpm/action-setup line. All other changes (e.g., actions/setup-node bump from v6.3.0 → v6.4.0) exist only on main and will be picked up automatically during the rebase with no conflict.


don-petry (Contributor, Author) commented

Auto-Rebase: Manual Resolution Required

The auto-rebase agent analyzed PR #152 but could not complete the rebase automatically — the git write operations (fetch, rebase, push) are blocked in this automated execution context and require manual intervention.


Conflict Analysis

File: .github/workflows/dependency-audit-reusable.yml

| Side | SHA | Comment label | Commit date |
| --- | --- | --- | --- |
| Base (main) | 91ab88e2619ed1f46221f0ba42d1492c02baf788 | # v4 | 2026-05-07 |
| PR branch | fc06bc1257f339d1d5d8b3a19a8cae5388b55320 | # v5.0.0 | 2026-03-13 |

Note: fc06bc1 is confirmed as the actual pnpm/action-setup@v5.0.0 tag commit. 91ab88e2 is labeled # v4 but does not correspond to any v4.x release tag — it is a post-v5 commit (PR #249: "fix: bin_dest output points to self-updated pnpm, not bootstrap").

Resolution strategy (per SHA-pin rules): The base branch SHA has a newer commit date → prefer main's version (git checkout --ours).

⚠️ Important caveat: Accepting main's version reverses this PR's intentional downgrade to v5.0.0, which was introduced to fix ERR_PNPM_BROKEN_LOCKFILE on repos using pnpm v9. Before proceeding, verify that 91ab88e2 does not reintroduce pnpm v11 compatibility issues. If it does, this conflict should be resolved in favour of the PR branch instead (git checkout --theirs).


Manual Resolution Steps

git fetch origin
git checkout fix/dependency-audit-pnpm-action-setup-v5
git rebase origin/main
# Git will stop with a conflict in:
#   .github/workflows/dependency-audit-reusable.yml

# Option A — accept main's newer SHA (mechanical rule):
git checkout --ours -- .github/workflows/dependency-audit-reusable.yml

# Option B — keep PR's v5.0.0 pin (if pnpm v9 compatibility still matters):
git checkout --theirs -- .github/workflows/dependency-audit-reusable.yml

git add .github/workflows/dependency-audit-reusable.yml
git rebase --continue
git push --force-with-lease



@don-petry don-petry dismissed stale reviews from coderabbitai[bot] and donpetry-bot via 99b833b May 16, 2026 13:13
@don-petry don-petry force-pushed the fix/dependency-audit-pnpm-action-setup-v5 branch from 588b01d to 99b833b Compare May 16, 2026 13:13



don-petry (Contributor, Author) commented

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved.

dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention.

To resolve manually instead:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push


@don-petry don-petry disabled auto-merge June 8, 2026 21:49
The SHA 08c4be7e (mislabeled # v4) is actually pnpm/action-setup@v6.0.0,
which bootstraps with pnpm v11.0.0-rc.0. pnpm v11-rc cannot parse
lockfiles generated by pnpm v9 (lockfileVersion '9.0'), causing
ERR_PNPM_BROKEN_LOCKFILE in all repos still on pnpm v9.

Pinning to action-setup@v5.0.0 (fc06bc1), which installs pnpm via npm
directly with no v11 bootstrap, restoring compatibility with pnpm v9.
@don-petry don-petry force-pushed the fix/dependency-audit-pnpm-action-setup-v5 branch from db67e4a to 0e1df43 Compare June 8, 2026 21:51
don-petry (Contributor, Author) commented

Dev-Lead — rebase (no-changes)

Agent reasoning
PR: #152
Rebased onto: main
Conflicts resolved: 1 file
- .github/workflows/dependency-audit-reusable.yml: Kept PR's pnpm/action-setup@v5.0.0 SHA (fc06bc1) over main's updated v4 SHA (0e279bb). The PR intentionally downgrades to v5 to fix pnpm v9 lockfile compatibility.
Push: success

@don-petry don-petry enabled auto-merge (squash) June 8, 2026 21:51
@don-petry don-petry disabled auto-merge June 8, 2026 21:59
don-petry (Contributor, Author) commented

Dev-Lead — fix-bot-comment (applied)

Changes committed and pushed.

@don-petry don-petry enabled auto-merge (squash) June 8, 2026 22:00
@don-petry don-petry disabled auto-merge June 8, 2026 22:01
sonarqubecloud (bot) commented Jun 8, 2026

don-petry (Contributor, Author) commented

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

@don-petry don-petry enabled auto-merge (squash) June 8, 2026 22:02

donpetry-bot (Contributor) left a comment

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: b98a4b6283ad1c5d2f2fd8d0a1ab4d9f474d6443
Review mode: triage-approved (single reviewer)

Summary

Two-file CI fix in reusable workflows. The substantive change re-pins pnpm/action-setup in dependency-audit-reusable.yml from SHA 0e279bb9 (labeled # v4 but actually pointing to the sliding v6 tag — a v6 release that bootstraps pnpm v11 and breaks lockfileVersion: '9.0' lockfiles) to SHA fc06bc12 (v5.0.0), restoring compatibility with consumer repos still on pnpm v9. Second change is a trailing-blank-line removal in dependabot-rebase-reusable.yml — cosmetic. Verified the new SHA against the GitHub API: it matches the v5.0.0 annotated tag's commit object exactly, satisfying the repo's "SHAs must be looked up via the GitHub API — never guessed" rule (CLAUDE.md).

Linked issue analysis

No linked issue (closingIssuesReferences is empty). The PR body explains the motivation clearly: the existing pin was mislabeled and is breaking broodly main due to a pnpm v11 / lockfileVersion 9 incompatibility. Minor inaccuracy in the PR body — it cites the old SHA as 08c4be7e (which is v6.0.0), while the diff actually replaces 0e279bb9 (the sliding v6 tag, currently pointing at pnpm-v11.1.1 commit). The diagnosis (mispinned to v6 line) is unchanged and correct either way; not blocking.

Findings

No issues found.

  • ✅ The new SHA fc06bc1257f339d1d5d8b3a19a8cae5388b55320 is verified via gh api repos/pnpm/action-setup/git/tags to be the commit object of the annotated tag v5.0.0. Comment # v5.0.0 is accurate.
  • ✅ Downgrade is intentional and justified (pnpm v11 incompatibility with lockfileVersion 9); PR body notes v6 can be revisited once consumer repos migrate.
  • ✅ No secrets, auth, crypto, migrations, or other HIGH-risk surfaces touched.
  • ✅ AGENTS.md / CLAUDE.md SHA-pinning rule respected.
  • ✅ Trailing-blank-line removal in dependabot-rebase-reusable.yml is a harmless cleanup.

CI status

All checks passed or appropriately skipped: ShellCheck, Lint, CodeQL, SonarCloud, Agent Security Scan, Secret scan (gitleaks), agent-shield/AgentShield, dev-lead/dispatch, pr-auto-review, Analyze (actions), Detect ecosystems, Quality Gate. Ecosystem audits not exercised by this PR were correctly skipped (npm/pnpm audit, govulncheck, cargo audit, pip-audit). mergeStateStatus is BLOCKED only because review is required.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
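The mislabeled-pin problem this PR fixes, and the tag-to-commit check the final review describes, can be turned into a repeatable audit. The following is an added example written for this page, not code from the repository, its workflows, or the review bot: it parses `uses:` lines that pin a 40-hex SHA with a trailing `# vX` comment, asks a resolver which commit that tag currently points at, and classifies each pin. The sample workflow text and the tag table are constructed for the example (the `v4` entry is a placeholder, not the real tag commit); `github_resolver` talks to the real GitHub REST endpoints `GET /repos/{owner}/{repo}/git/ref/tags/{tag}` and `GET /repos/{owner}/{repo}/git/tags/{sha}` to dereference annotated tags, and is defined here but not called, so the script runs offline.

```python
"""Audit SHA-pinned GitHub Actions: does each pinned commit match the tag its
trailing comment claims?  Illustrative checker, not part of the PR's repository."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# One "uses:" line such as
#   - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
# The trailing "# label" comment is optional so that unlabeled pins get reported too.
USES_RE = re.compile(
    r"uses:\s*(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?:/[^@\s]+)?"
    r"@(?P<sha>[0-9a-f]{40})(?:\s*#\s*(?P<label>\S+))?"
)

# (owner, repo, tag) -> commit SHA the tag points at, or None if the tag is unknown.
Resolver = Callable[[str, str, str], Optional[str]]


def parse_pins(workflow_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (owner, repo, sha, label) for every SHA-pinned action in the text."""
    pins = []
    for line in workflow_text.splitlines():
        m = USES_RE.search(line)
        if m:
            pins.append((m["owner"], m["repo"], m["sha"], m["label"]))
    return pins


def is_exact_version(label: str) -> bool:
    """vMAJOR.MINOR.PATCH names one release; a bare vMAJOR tag slides between releases."""
    return re.fullmatch(r"v?\d+\.\d+\.\d+", label) is not None


def check_pins(workflow_text: str, resolve: Resolver) -> List[Dict[str, Optional[str]]]:
    """Classify each pin as ok, mismatch, mismatch-sliding-tag, unknown-tag or unlabeled."""
    findings = []
    for owner, repo, sha, label in parse_pins(workflow_text):
        if label is None:
            status, tag_sha = "unlabeled", None
        else:
            tag_sha = resolve(owner, repo, label)
            if tag_sha is None:
                status = "unknown-tag"
            elif tag_sha == sha:
                status = "ok"
            else:
                # An exact label that does not match is a genuine mislabel.  A bare
                # major tag (e.g. "v4") moves with every release, so a mismatch there
                # may only mean the tag slid since the pin was taken.
                status = "mismatch" if is_exact_version(label) else "mismatch-sliding-tag"
        findings.append({"action": f"{owner}/{repo}", "sha": sha,
                         "label": label, "tag_sha": tag_sha, "status": status})
    return findings


def github_resolver(token: Optional[str] = None) -> Resolver:
    """Resolve tags through the GitHub REST API (network; not used by the offline
    sample below).  Annotated tags are dereferenced to the commit they point at."""
    def _get(url: str) -> Optional[dict]:
        req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            if exc.code == 404:
                return None
            raise

    def resolve(owner: str, repo: str, tag: str) -> Optional[str]:
        base = f"https://api.github.com/repos/{owner}/{repo}/git"
        ref = _get(f"{base}/ref/tags/{tag}")
        if ref is None:
            return None
        obj = ref["object"]
        if obj["type"] == "tag":  # annotated tag: follow the tag object to its commit
            tag_obj = _get(f"{base}/tags/{obj['sha']}")
            return tag_obj["object"]["sha"] if tag_obj else None
        return obj["sha"]
    return resolve


# Constructed sample input.  The first pin is the v5.0.0 SHA this PR introduces;
# the second is the SHA the PR description identifies as mislabeled "# v4";
# the third has no label at all.  The checkout SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  audit:
    steps:
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4
      - uses: actions/checkout@0000000000000000000000000000000000000000
"""

# Constructed tag table standing in for the API.  The v5.0.0 entry is the value the
# reviewers report; the v4 entry is a placeholder, not the real tag commit.
CONSTRUCTED_TAGS = {
    ("pnpm", "action-setup", "v5.0.0"): "fc06bc1257f339d1d5d8b3a19a8cae5388b55320",
    ("pnpm", "action-setup", "v4"): "a" * 40,
}


def constructed_resolver(owner: str, repo: str, tag: str) -> Optional[str]:
    return CONSTRUCTED_TAGS.get((owner, repo, tag))


if __name__ == "__main__":
    for f in check_pins(SAMPLE_WORKFLOW, constructed_resolver):
        print(f"{f['status']:22} {f['action']}@{f['sha'][:8]} label={f['label']}")
```

A `mismatch` against an exact label such as `v5.0.0` is the mislabeling this PR corrects. A mismatch against a bare major label only says the tag has moved since the pin was taken, which is why exact labels make a SHA pin auditable and sliding major labels do not; an `unlabeled` pin cannot be audited from the workflow file at all.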

@don-petry don-petry merged commit 904d273 into main Jun 8, 2026
21 checks passed
@don-petry don-petry deleted the fix/dependency-audit-pnpm-action-setup-v5 branch June 8, 2026 22:07
don-petry added a commit that referenced this pull request Jun 8, 2026
…le (#152)

* fix(ci): downgrade pnpm/action-setup to v5 in dependency-audit reusable

The SHA 08c4be7e (mislabeled # v4) is actually pnpm/action-setup@v6.0.0,
which bootstraps with pnpm v11.0.0-rc.0. pnpm v11-rc cannot parse
lockfiles generated by pnpm v9 (lockfileVersion '9.0'), causing
ERR_PNPM_BROKEN_LOCKFILE in all repos still on pnpm v9.

Pinning to action-setup@v5.0.0 (fc06bc1), which installs pnpm via npm
directly with no v11 bootstrap, restoring compatibility with pnpm v9.

* fix(bot): address bot feedback [skip ci-relay]

---------

Co-authored-by: DJ <dj@Rachels-Air.localdomain>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>