
fix(ci): pin actions/setup-node version comment to v6.3.0 #792

Merged: wochinge merged 1 commit into main from fix/setup-node-version-comment on Apr 21, 2026

Conversation

@wochinge (Contributor) commented Apr 21, 2026

Summary

  • The pinned SHA for actions/setup-node resolves to tag v6.3.0, but the comment said # v6, which zizmor flags as ref-version-mismatch and fails the security workflow.
  • Updates 4 call sites (3 in ci.yml, 1 in release.yml) to # v6.3.0.

Test plan

  • zizmor security workflow passes on this PR
  • CI jobs still run actions/setup-node as before (no behavior change — same SHA)

🤖 Generated with Claude Code
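An added example, not code from this PR or from the project's own CI: a small Python check for the problem the PR describes, a SHA-pinned `uses:` line whose trailing `# <tag>` comment does not name the tag the SHA resolves to. The `RESOLVED_TAG` map and the sample workflow lines other than the setup-node one are constructed stand-ins for a real tag lookup against the action repository.

```python
import re

# Constructed sample, modelled on the "uses: owner/repo@<sha> # <tag>" pattern this PR corrects.
# Line 3 is the form zizmor flagged (comment "v6" vs resolved tag v6.3.0); line 4 is the fix.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
  - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
  - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
  - uses: actions/cache@v4
  - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
"""

# Constructed, offline stand-in for "which release tag does this commit resolve to";
# a real check would look the SHA up in the action repository's tags.
RESOLVED_TAG = {
    ("actions/checkout", "0123456789abcdef0123456789abcdef01234567"): "v4.2.2",
    ("actions/setup-node", "53b83947a5a98c8d113130e565377fae1a50d02f"): "v6.3.0",
}

# Only GitHub-hosted "owner/repo[/path]@ref" forms are examined; docker:// and ./local are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S+).*)?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text, resolved_tag):
    """Return (line_no, action, finding) for every problematic uses: line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            # A tag or branch can be moved after review; only a full commit SHA is immutable.
            findings.append((line_no, action, "unpinned-uses"))
        elif comment is None:
            findings.append((line_no, action, "missing-version-comment"))
        elif comment != resolved_tag.get((action, ref)):
            # The human-readable label disagrees with what the SHA actually is (or the SHA is unknown).
            findings.append((line_no, action, "ref-version-mismatch"))
    return findings


if __name__ == "__main__":
    for line_no, action, finding in audit_uses(SAMPLE_WORKFLOW, RESOLVED_TAG):
        print(f"line {line_no}: {action}: {finding}")
```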

Disclaimer: Experimental PR review

Greptile Summary

This PR corrects the version comment on all four actions/setup-node usages from # v6 to # v6.3.0 to match the pinned SHA 53b83947a5a98c8d113130e565377fae1a50d02f, resolving a ref-version-mismatch finding from zizmor. No behavior changes — the SHA and workflow logic are identical.

Confidence Score: 5/5

Safe to merge — comment-only change with no behavior impact.

All four changes are purely cosmetic comment corrections that align the version tag with the pinned SHA. No logic, no dependencies, no security surface altered.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Updated 3 actions/setup-node version comments from # v6 to # v6.3.0; SHA and workflow logic unchanged. |
| .github/workflows/release.yml | Updated 1 actions/setup-node version comment from # v6 to # v6.3.0; SHA and workflow logic unchanged. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["zizmor lint check"] -->|"ref-version-mismatch: SHA ≠ comment tag"| B["Security workflow fails"]
    B --> C["PR fix: comment updated\n# v6 → # v6.3.0\n(SHA unchanged)"]
    C --> D["zizmor lint passes"]
    D --> E["CI & release workflows\nrun as before"]

The SHA pinned for actions/setup-node resolves to tag v6.3.0, but the
comment said `# v6`. zizmor's ref-version-mismatch audit flags this and
fails the security workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vercel vercel Bot commented Apr 21, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| langfuse-js | Ready | Preview | Apr 21, 2026 4:12pm |

@github-actions Bot commented:

@claude review

@wochinge wochinge force-pushed the fix/setup-node-version-comment branch from 27976d5 to 9943897 on April 21, 2026 16:13
@wochinge wochinge merged commit efcbd65 into main Apr 21, 2026
18 checks passed
@wochinge wochinge deleted the fix/setup-node-version-comment branch April 21, 2026 16:13

@claude claude Bot left a comment


LGTM — purely a comment fix aligning the version label with the pinned SHA, no behavioral change.

Extended reasoning

Overview

Updates 4 inline comments from # v6 to # v6.3.0 across ci.yml and release.yml. The action SHA (53b83947a5a98c8d113130e565377fae1a50d02f) is identical in all four locations before and after — only the human-readable comment changes.

Security risks

None. The pinned SHA is unchanged, so the exact same action binary executes. The fix actually improves the security posture by making the zizmor ref-version-mismatch check pass, which enforces that comments accurately reflect the resolved tag.

Level of scrutiny

Minimal scrutiny required. This is a pure comment correction with zero runtime impact. The change is mechanical, consistent across all four call sites, and clearly motivated by the CI security linter failure.

Other factors

No bugs were reported. No outstanding reviewer comments. The diff is small, self-contained, and follows the existing pattern of pinning actions by SHA with a version comment.
