
fix(ci): downgrade pnpm/action-setup to v5 in dependency-audit reusable #152

Open

don-petry wants to merge 3 commits into main from fix/dependency-audit-pnpm-action-setup-v5

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 19, 2026

Problem

The SHA `08c4be7e` pinned in `dependency-audit-reusable.yml` is labeled `# v4` but is actually pnpm/action-setup@v6.0.0. v6 bootstraps with pnpm v11.0.0-rc.0, which cannot parse `lockfileVersion: '9.0'` lockfiles generated by pnpm v9. This causes `ERR_PNPM_BROKEN_LOCKFILE` in all repos still on pnpm v9 — confirmed breaking `broodly` main.

Fix

Pin to `pnpm/action-setup@v5.0.0` (`fc06bc1`), which installs pnpm directly via npm with no v11-rc bootstrap, restoring compatibility with pnpm v9.

Note

Upgrade to action-setup@v6 can be revisited org-wide once repos have migrated to pnpm v11.

Summary by CodeRabbit

  • Chores
    • Updated development workflow tooling to the latest version.

The SHA 08c4be7e (mislabeled # v4) is actually pnpm/action-setup@v6.0.0,
which bootstraps with pnpm v11.0.0-rc.0. pnpm v11-rc cannot parse
lockfiles generated by pnpm v9 (lockfileVersion '9.0'), causing
ERR_PNPM_BROKEN_LOCKFILE in all repos still on pnpm v9.

Pinning to action-setup@v5.0.0 (fc06bc1), which installs pnpm via npm
directly with no v11 bootstrap, restoring compatibility with pnpm v9.
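
The mislabel at the heart of this PR (a SHA commented `# v4` that actually resolves to `v6.0.0`) is the kind of drift a pre-merge check can catch mechanically. The Python below is an added example, not code from this PR or from the pnpm/action-setup project: it parses `uses:` pins out of workflow text, maps commit SHAs to tags using the output format of `git ls-remote --tags`, and flags any pin whose trailing comment does not name a tag that really points at that commit. Both inputs are constructed inline, including an invented tag-object SHA for `v6.0.0` to show why the peeled (`^{}`) entry must be preferred over the tag object; in real use you would feed it the workflow file and the live `git ls-remote --tags https://github.com/pnpm/action-setup` output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample workflow (not the real dependency-audit-reusable.yml):
# the pin this PR removed (08c4be7e, commented "# v4"), the pin it introduced
# (fc06bc12, commented "# v5.0.0"), and one floating-tag reference.
SAMPLE_WORKFLOW = """\
jobs:
  pnpm-audit:
    steps:
      - uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v4
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: pnpm/action-setup@v5
"""

# Constructed stand-in for `git ls-remote --tags https://github.com/pnpm/action-setup`.
# An annotated tag shows up twice: the tag object, then the peeled commit ("^{}").
# v6.0.0 is modelled as annotated here to show why peeling matters; the
# 1111... tag-object SHA is invented. The two commit SHAs are the ones in this PR.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v6.0.0
08c4be7e2e672a47d11bd04269e27e5f3e8529cb\trefs/tags/v6.0.0^{}
fc06bc1257f339d1d5d8b3a19a8cae5388b55320\trefs/tags/v5.0.0
"""

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)\s*(?:#\s*(?P<label>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    label: Optional[str]
    tags: List[str]
    status: str  # ok | mismatch | unlabeled | unknown-sha | not-sha-pinned


def parse_ls_remote(text: str) -> Dict[str, Set[str]]:
    """Map commit SHA -> tag names from `git ls-remote --tags` output.

    For annotated tags keep only the peeled commit: `uses: owner/repo@<sha>`
    must name a commit, and the tag object's SHA would never match a pin."""
    plain: Dict[str, str] = {}   # tag -> SHA that refs/tags/<tag> points at
    peeled: Dict[str, str] = {}  # tag -> commit SHA from the ^{} line
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        tag = ref[len("refs/tags/"):]
        if tag.endswith("^{}"):
            peeled[tag[:-3]] = sha
        else:
            plain[tag] = sha
    by_commit: Dict[str, Set[str]] = {}
    for tag, sha in plain.items():
        by_commit.setdefault(peeled.get(tag, sha), set()).add(tag)
    return by_commit


def label_matches(label: str, tags: Set[str]) -> bool:
    """`# v5.0.0` must match a tag exactly; a major alias like `# v4`
    is accepted for tag v4 itself or any v4.x.y release."""
    return any(t == label or t.startswith(label + ".") for t in tags)


def check_pins(workflow: str, ls_remote: str) -> List[Finding]:
    """Compare every `uses:` SHA pin against the tags the remote actually has."""
    sha_to_tags = parse_ls_remote(ls_remote)
    findings: List[Finding] = []
    for n, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith(("./", "docker://")):
            continue  # not a remote action reference
        action, ref, label = m["action"], m["ref"], m["label"]
        if not SHA_RE.match(ref):
            # A tag or branch is mutable: the supply-chain risk SHA pinning avoids.
            findings.append(Finding(n, action, ref, label, [], "not-sha-pinned"))
            continue
        tags = sha_to_tags.get(ref, set())
        if not tags:
            status = "unknown-sha"   # commit is not any tagged release
        elif label is None:
            status = "unlabeled"     # pinned, but nothing to cross-check
        elif label_matches(label, tags):
            status = "ok"
        else:
            status = "mismatch"      # this PR's case: "# v4" on a v6.0.0 commit
        findings.append(Finding(n, action, ref, label, sorted(tags), status))
    return findings


if __name__ == "__main__":
    for f in check_pins(SAMPLE_WORKFLOW, SAMPLE_LS_REMOTE):
        print(f"line {f.line}: {f.action}@{f.ref[:8]} label={f.label} "
              f"tags={f.tags} -> {f.status}")
```

On the sample the old `08c4be7e` pin comes back as `mismatch` (tags `['v6.0.0']`, label `v4`), the new `fc06bc12` pin as `ok`, and the floating `@v5` reference as `not-sha-pinned`. Run in CI against the live tag list, this turns the `# vX` comment from a trusted annotation into a checked claim.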

Copilot AI review requested due to automatic review settings, April 19, 2026 13:12
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ee22b42 and 441e040.

📒 Files selected for processing (1)
  • .github/workflows/dependency-audit-reusable.yml

📝 Walkthrough

Walkthrough

Updated the pnpm/action-setup GitHub Action version from v4 to v5.0.0 in the dependency audit reusable workflow. The change affects only the action reference, with no modifications to workflow logic, conditions, or commands.

Changes

Cohort / File(s) | Summary
GitHub Actions Configuration
.github/workflows/dependency-audit-reusable.yml | Updated pnpm/action-setup action from commit 08c4be7e2e672a47d11bd04269e27e5f3e8529cb (v4) to commit fc06bc1257f339d1d5d8b3a19a8cae5388b55320 (v5.0.0).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: downgrading pnpm/action-setup to v5 in the dependency-audit reusable workflow to fix compatibility with pnpm v9 lockfiles.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Copilot AI left a comment


Pull request overview

This PR fixes a breaking CI regression in the org’s reusable dependency-audit workflow by pinning pnpm/action-setup to a compatible major version, avoiding pnpm v11-rc bootstrapping that fails on pnpm v9 lockfiles.

Changes:

  • Downgrade pnpm/action-setup pin in the pnpm audit job from the (mis-labeled) v6 SHA to a v5.0.0 SHA.


@don-petry
Contributor Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: 441e040f90913cdea45f0c8680dc81c90abfc18c
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

Single-line SHA pin correction in a reusable CI workflow: the old SHA was mislabeled as v4 but resolved to pnpm/action-setup@v6.0.0, which broke pnpm v9 repos; the new SHA correctly pins v5.0.0. All CI gates pass (CodeQL, SonarCloud, ShellCheck, AgentShield, Lint) with zero new issues or security hotspots. No security concerns — SHA pinning is maintained, no secrets or credentials touched.

Findings

Info

  • .github/workflows/dependency-audit-reusable.yml:104 — SHA pin updated from 08c4be7e (mislabeled # v4, actually v6.0.0) to fc06bc12 (v5.0.0). Comment now accurately reflects the version. SHA pinning practice is preserved.
  • CI status — All CI checks passed: CodeQL, SonarCloud (Quality Gate passed, 0 security hotspots), ShellCheck, AgentShield, Lint, Agent Security Scan. CodeRabbit approved. No unresolved review threads.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with `@don-petry` if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 19, 2026 16:28
