diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json
index 705bdeb0b6..b8a317833e 100644
--- a/.github/aw/actions-lock.json
+++ b/.github/aw/actions-lock.json
@@ -75,6 +75,11 @@
       "version": "v4.8.0",
       "sha": "c1e323688fd81a25caa38c78aa6df2d33d3e20d9"
     },
+    "actions/setup-node@v6": {
+      "repo": "actions/setup-node",
+      "version": "v6",
+      "sha": "6044e13b5dc448c55e2357c09f80417699197238"
+    },
     "actions/setup-node@v6.1.0": {
       "repo": "actions/setup-node",
       "version": "v6.1.0",
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index 6ac360dc3b..86e5f70f6a 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -116,7 +116,7 @@ jobs:
       - name: Create gh-aw temp directory
         run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
       - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           cache: npm
           cache-dependency-path: docs/package-lock.json
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index 36b50185e8..d859343685 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -143,7 +143,7 @@ jobs:
       - name: Create gh-aw temp directory
         run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
       - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           cache: npm
           cache-dependency-path: actions/setup/js/package-lock.json
diff --git a/actions/setup/js/check_membership.cjs b/actions/setup/js/check_membership.cjs
index d5f6c8a5c9..1b5b68f2b6 100644
--- a/actions/setup/js/check_membership.cjs
+++ b/actions/setup/js/check_membership.cjs
@@ -93,7 +93,11 @@ async function main() {
     core.setOutput("is_team_member", "false");
     core.setOutput("result", "insufficient_permissions");
     core.setOutput("user_permission", result.permission);
-    core.setOutput("error_message", `Access denied: User '${actor}' is not authorized. Required permissions: ${requiredPermissions.join(", ")}`);
+    core.setOutput(
+      "error_message",
+      `Access denied: User '${actor}' is not authorized. Required permissions: ${requiredPermissions.join(", ")}. ` +
+        `To allow this user to run the workflow, add their role to the frontmatter. Example: roles: [${requiredPermissions.join(", ")}, ${result.permission}]`
+    );
   }
 }
 
diff --git a/actions/setup/js/check_membership.test.cjs b/actions/setup/js/check_membership.test.cjs
index 1518f88ddb..19e7610df2 100644
--- a/actions/setup/js/check_membership.test.cjs
+++ b/actions/setup/js/check_membership.test.cjs
@@ -221,7 +221,10 @@ describe("check_membership.cjs", () => {
       expect(mockCore.setOutput).toHaveBeenCalledWith("is_team_member", "false");
       expect(mockCore.setOutput).toHaveBeenCalledWith("result", "insufficient_permissions");
       expect(mockCore.setOutput).toHaveBeenCalledWith("user_permission", "read");
-      expect(mockCore.setOutput).toHaveBeenCalledWith("error_message", "Access denied: User 'testuser' is not authorized. Required permissions: admin, write");
+      expect(mockCore.setOutput).toHaveBeenCalledWith(
+        "error_message",
+        "Access denied: User 'testuser' is not authorized. Required permissions: admin, write. To allow this user to run the workflow, add their role to the frontmatter. Example: roles: [admin, write, read]"
+      );
     });
 
     it("should authorize user with write permission when write is in allowed list", async () => {