ci: update checkout action

[lachlancollins]

Summary by CodeRabbit

• Chores
  • Upgraded GitHub Actions checkout to v5.0.0 across workflows; enabled full history fetch in Autofix workflow.
  • Renamed workflows/jobs for consistency (pr → PR; test-and-publish → release).
  • Updated nx-set-shas to v4.3.3 in PR tests.
  • Bumped package manager to pnpm 10.17.0.
  • These updates improve CI consistency and maintenance with no changes to application behavior.

[coderabbitai]

Walkthrough

Updates CI configuration only: bumps actions/checkout to v5 across workflows, adds fetch-depth: 0 in autofix, updates nrwl/nx-set-shas in PR workflow, renames a workflow and a job, and upgrades packageManager in package.json to pnpm 10.17.0. No source code or exported entity changes.

Changes

Cohort / File(s)	Summary of changes
GitHub Actions workflows .github/workflows/autofix.yml, .github/workflows/pr.yml, .github/workflows/release.yml	autofix.yml: actions/checkout v4.2.2 → v5.0.0; added with: fetch-depth: 0. pr.yml: workflow name "pr" → "PR"; actions/checkout v4.2.2 → v5.0.0 (Test, Preview); nrwl/nx-set-shas v4.1.2 → v4.3.3 (Test). release.yml: job id/name test-and-publish → release; actions/checkout v4.2.2 → v5.0.0; existing fetch-depth: 0 retained.
Package management package.json	packageManager updated: pnpm@10.16.1 → pnpm@10.17.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws at pipelines bright,
Version carrots nibbled right,
Checkout hops to v5’s light,
Pnpm fresh, a tidy bite—
CI burrows snug and tight.
Happy hops through PR night! 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "ci: update checkout action" is concise and accurately summarizes the primary change—upgrading actions/checkout to v5.0.0 across the CI workflows. It is specific to the main CI modification, clear to a reviewer scanning history, and does not contain noisy or vague wording; other minor edits (workflow/job renames and a pnpm bump) are incidental and do not make the title misleading.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-checkout-action

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit b2902c0

Command	Status	Duration	Result
nx affected --targets=test:sherif,test:knip,tes...	✅ Succeeded	3m 11s	View ↗
nx run-many --target=build --exclude=examples/*...	✅ Succeeded	1m 28s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-09-22 02:06:06 UTC

[pkg-pr-new]

More templates

• @tanstack/query-example-angular-auto-refetching
• @tanstack/query-example-angular-basic
• @tanstack/query-example-angular-basic-persister
• @tanstack/query-example-angular-devtools-panel
• @tanstack/query-example-angular-infinite-query-with-max-pages
• @tanstack/query-example-angular-optimistic-updates
• @tanstack/query-example-angular-pagination
• @tanstack/query-example-angular-query-options-from-a-service
• @tanstack/query-example-angular-router
• @tanstack/query-example-angular-rxjs
• @tanstack/query-example-angular-simple
• @tanstack/query-example-react-algolia
• @tanstack/query-example-react-auto-refetching
• @tanstack/query-example-react-basic
• @tanstack/query-example-react-basic-graphql-request
• @tanstack/query-example-chat
• @tanstack/query-example-react-default-query-function
• @tanstack/query-example-react-devtools-panel
• @tanstack/query-example-eslint-legacy
• @tanstack/query-example-react-infinite-query-with-max-pages
• @tanstack/query-example-react-load-more-infinite-scroll
• @tanstack/query-example-react-nextjs
• @tanstack/query-example-react-nextjs-app-prefetching
• @tanstack/query-example-nextjs-suspense-streaming
• @tanstack/query-example-react-offline
• @tanstack/query-example-react-optimistic-updates-cache
• @tanstack/query-example-react-optimistic-updates-ui
• @tanstack/query-example-react-pagination
• @tanstack/query-example-react-playground
• @tanstack/query-example-react-prefetching
• @tanstack/query-example-react-react-native
• @tanstack/query-example-react-router
• @tanstack/query-example-react-rick-morty
• @tanstack/query-example-react-shadow-dom
• @tanstack/query-example-react-simple
• @tanstack/query-example-react-star-wars
• @tanstack/query-example-react-suspense
• @tanstack/query-example-solid-astro
• @tanstack/query-example-solid-basic
• @tanstack/query-example-solid-basic-graphql-request
• @tanstack/query-example-solid-default-query-function
• @tanstack/query-example-solid-simple
• @tanstack/query-example-solid-start-streaming
• @tanstack/query-example-svelte-auto-refetching
• @tanstack/query-example-svelte-basic
• @tanstack/query-example-svelte-load-more-infinite-scroll
• @tanstack/query-example-svelte-optimistic-updates
• @tanstack/query-example-svelte-playground
• @tanstack/query-example-svelte-simple
• @tanstack/query-example-svelte-ssr
• @tanstack/query-example-svelte-star-wars
• @tanstack/query-example-vue-2.6-basic
• @tanstack/query-example-vue-2.7-basic
• @tanstack/query-example-vue-basic
• @tanstack/query-example-vue-dependent-queries
• @tanstack/query-example-vue-nuxt3
• @tanstack/query-example-vue-persister
• @tanstack/query-example-vue-simple

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9673

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9673

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9673

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9673

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@9673

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@9673

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9673

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9673

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@9673

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@9673

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9673

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9673

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@9673

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9673

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9673

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@9673

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9673

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9673

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@9673

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9673

commit: b2902c0

[github-actions]

Sizes for commit b2902c0:

Branch	Bundle Size
Main
This PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.38%. Comparing base (fb48985) to head (b2902c0).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #9673   +/-   ##
=======================================
  Coverage   46.38%   46.38%           
=======================================
  Files         214      214           
  Lines        8488     8488           
  Branches     1927     1924    -3     
=======================================
  Hits         3937     3937           
  Misses       4108     4108           
  Partials      443      443           

Components	Coverage Δ
@tanstack/angular-query-experimental	93.85% <ø> (ø)
@tanstack/eslint-plugin-query	83.24% <ø> (ø)
@tanstack/query-async-storage-persister	43.85% <ø> (ø)
@tanstack/query-broadcast-client-experimental	24.39% <ø> (ø)
@tanstack/query-codemods	0.00% <ø> (ø)
@tanstack/query-core	97.48% <ø> (ø)
@tanstack/query-devtools	3.48% <ø> (ø)
@tanstack/query-persist-client-core	79.60% <ø> (ø)
@tanstack/query-sync-storage-persister	84.61% <ø> (ø)
@tanstack/query-test-utils	77.77% <ø> (ø)
@tanstack/react-query	96.00% <ø> (ø)
@tanstack/react-query-devtools	10.00% <ø> (ø)
@tanstack/react-query-next-experimental	∅ <ø> (∅)
@tanstack/react-query-persist-client	100.00% <ø> (ø)
@tanstack/solid-query	78.06% <ø> (ø)
@tanstack/solid-query-devtools	∅ <ø> (∅)
@tanstack/solid-query-persist-client	100.00% <ø> (ø)
@tanstack/svelte-query	87.58% <ø> (ø)
@tanstack/svelte-query-devtools	∅ <ø> (∅)
@tanstack/svelte-query-persist-client	100.00% <ø> (ø)
@tanstack/vue-query	71.10% <ø> (ø)
@tanstack/vue-query-devtools	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/pr.yml (2)

25-25: Checkout v5 in Test: good; optionally drop persisted creds

Since this job doesn’t push, consider hardening by disabling persisted git creds.

-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@v5.0.0
         with:
+          persist-credentials: false
           fetch-depth: 0

---

54-54: Checkout v5 in Preview: good; optionally disable creds

Same optional hardening as Test job.

-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@v5.0.0
         with:
+          persist-credentials: false
           fetch-depth: 0

.github/workflows/release.yml (1)

30-30: Pin actions/checkout to commit SHA

Replace uses: actions/checkout@v5.0.0 in .github/workflows/release.yml (line 30) with uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb48985 and b2902c0.

📒 Files selected for processing (4)

• .github/workflows/autofix.yml (1 hunks)
• .github/workflows/pr.yml (3 hunks)
• .github/workflows/release.yml (1 hunks)
• package.json (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-02T17:57:33.184Z

Learnt from: TkDodo
PR: TanStack/query#9612
File: packages/query-async-storage-persister/src/asyncThrottle.ts:0-0
Timestamp: 2025-09-02T17:57:33.184Z
Learning: When importing from tanstack/query-core in other TanStack Query packages like query-async-storage-persister, a workspace dependency "tanstack/query-core": "workspace:*" needs to be added to the package.json.

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Test
• GitHub Check: Preview

🔇 Additional comments (7)

package.json (1)

8-8: pnpm bump looks good; ensure CI installs 10.17.0

Confirm tanstack/config setup step installs/activates pnpm 10.17.0 (via corepack or explicit install) so local and CI stay in sync.

Run to confirm in CI logs: look for “pnpm -v” after Setup Tools, or add a temporary step echoing the pnpm version.

.github/workflows/autofix.yml (2)

21-23: Upgrade to actions/checkout v5 with full history: LGTM

fetch-depth: 0 is appropriate for tooling that might need full history (e.g., formatting/app fixes).

---

21-23: Pin actions/checkout to the release commit SHA

Replace uses: actions/checkout@v5.0.0 with uses: actions/checkout@08c6903 to harden the supply chain.
File: .github/workflows/autofix.yml (lines 21–23). gh API shows v5.0.0 → 08c6903cd8c0fde910a37f88322edcfb5dd907a8; the ripgrep step failed to enumerate other workflow files — verify there are no additional uses of actions/checkout and update them if found.

.github/workflows/pr.yml (3)

33-33: nx-set-shas bump: LGTM

Inputs remain compatible; this should improve SHA detection reliability.

---

1-1: Confirm branch-protection required checks match workflow name "PR"

• Workflow name changed to "PR" in .github/workflows/pr.yml; if branch protection still expects "pr" the required check will be missing and PR checks will fail.
• I couldn't verify — gh api returned 403 (Resource not accessible by integration). Run (with a token that has repo admin):
  gh api repos///branches/main/protection/required_status_checks | jq .
  or open Settings → Branches → Branch protection rules for "main" and update the required checks to "PR" (or rename the workflow back to the expected name).

---

1-76: Verified — no actions/checkout@v4 references remain
Workflows use actions/checkout@v5.0.0: .github/workflows/pr.yml, .github/workflows/release.yml, .github/workflows/autofix.yml.

.github/workflows/release.yml (1)

24-26: Verify/update branch-protection required checks for renamed job

Renaming the job to "release" in .github/workflows/release.yml (lines 24–26) can break branch-protection rules that still expect the old job name. I couldn't verify the repo's required status checks because the GH API call returned HTTP 403 ("Resource not accessible by integration"). Confirm and update required status checks for protected branches to include "release" (or add it alongside the old name). To check (requires repo admin permissions):
gh api repos/OWNER/REPO/branches/BRANCH/protection/required_status_checks | jq .
Or use Settings → Branches → Branch protection rules in the GitHub UI.