chore(deps): bump pnpm/action-setup from 4 to 6

[dependabot]

Bumps pnpm/action-setup from 4 to 6.

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.0

Added support for pnpm v11.

v5.0.0

Updated the action to use Node.js 24.

v4.4.0

Updated the action to use Node.js 24.

v4.3.0

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in pnpm/action-setup#175
• chore: remove unused @types/node-fetch dependency by @​silverwind in pnpm/action-setup#186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in pnpm/action-setup#184
• feat: store caching by @​jrmajor in pnpm/action-setup#188
• refactor: remove star imports by @​KSXGitHub in pnpm/action-setup#196
• fix(ci): exclude macos by @​KSXGitHub in pnpm/action-setup#197

New Contributors

• @​dreyks made their first contribution in pnpm/action-setup#175
• @​silverwind made their first contribution in pnpm/action-setup#186
• @​chris-martin made their first contribution in pnpm/action-setup#184
• @​jrmajor made their first contribution in pnpm/action-setup#188
• @​Boosted-Bonobo made their first contribution in pnpm/action-setup#199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

v4.2.0

When there's a .npmrc file at the root of the repository, pnpm will be fetched from the registry that is specified in that .npmrc file #179

v4.1.0

Add support for package.yaml #156.

Commits

• 0e279bb fix: update pnpm to 11.1.1 (#248)
• 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
• 551b42e docs(README): fix cache_dependency_path type (#257)
• 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
• f61705d chore: add CODEOWNERS
• 7a5507b fix: restore inputs from state in post (#255)
• 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
• 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
• e578e19 fix: update pnpm to 11.0.4
• 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
• Additional commits viewable in compare view

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	docs-preview	9c2d95e	Commit Preview URL Branch Preview URL	May 13 2026, 01:48 PM

[jrphilo]

Ralphie verified this — ready to merge.

Verification

For a GitHub Actions uses: bump, the relevant verification is CI itself running on the new action version. Local pnpm install / pnpm build don't exercise pnpm/action-setup — it only runs inside GitHub Actions runners.

• lint: ✓ (run)
• build: ✓ (run)
• check:links: ✓ (run)

Changelog highlights

• v5.0.0: action's internal Node runtime bumped to Node.js 24 (action JS only — does not affect our project Node, which is pinned to 20 via actions/setup-node).
• v6.0.0: added support for pnpm v11. Backward-compatible with pnpm 10.
• (releases)

Investigation

Elevated scrutiny applied: multi-major bump (v4 → v6, skipping v5).

• Ownership: same maintainer (pnpm/action-setup, official pnpm org) — no change.
• Auth/secrets: none. Action takes no secret inputs in our workflow.
• Security advisory: none referenced in v5 or v6 releases.
• Deprecations: none we'd hit. Our workflow uses no inputs that were renamed/removed; pnpm version is resolved from packageManager: "pnpm@10.2.1" in package.json, which v6 still supports.
  • Verified by reading .github/workflows/ci.yml — all three jobs invoke pnpm/action-setup@v6 with no with: block, falling back to packageManager field resolution.
• Breaking API: none affecting us. v5's Node-24 internal runtime is invisible to consumers; v6's pnpm-11 support is additive.

Recommendation

Safe to merge. CI is already exercising v6 successfully across all three jobs (lint/build/links). The action's only behavioral input for us is the packageManager field, which is unchanged and still in the supported range.