
chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.8 #439

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/pnpm/action-setup-6.0.5

@dependabot dependabot Bot commented on behalf of github May 5, 2026

Bumps pnpm/action-setup from 5.0.0 to 6.0.8.

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.8

What's Changed

New Contributors

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

What's Changed

New Contributors

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

What's Changed

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

What's Changed

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

What's Changed

New Contributors

Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4

v6.0.3

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

... (truncated)

Commits
  • 0e279bb fix: update pnpm to 11.1.1 (#248)
  • 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
  • 551b42e docs(README): fix cache_dependency_path type (#257)
  • 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
  • f61705d chore: add CODEOWNERS
  • 7a5507b fix: restore inputs from state in post (#255)
  • 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
  • 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
  • e578e19 fix: update pnpm to 11.0.4
  • 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 5, 2026
Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 5.0.0 to 6.0.8.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@fc06bc1...0e279bb)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.5 chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.8 May 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/pnpm/action-setup-6.0.5 branch from 2c454fd to c54f7d2 Compare May 21, 2026 13:51
@github-actions

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR modifies files in restricted directories that require manual review per policy.

This PR requires a manual review before merging.

langwatch-agent commented May 31, 2026

Retracted: this comment described a workflow file and step that do not match this PR's actual diff. I am re-verifying #439 properly and will repost accurate findings. Apologies for the noise.

langwatch-agent commented May 31, 2026

Advisory review (automated, advisory only — a human makes the final call)

TL;DR: safe to merge. pnpm/action-setup bumped to the v6.0.8 commit across four CI workflows. This changes only CI infrastructure — no Python runtime/package surface, so there is nothing to dogfood with uv; the meaningful check is workflow compatibility, which holds because every consuming step pins the pnpm version explicitly.

Impact / which code paths

The PR updates the pinned pnpm/action-setup commit SHA (fc06bc12…0e279bb9…) in:

  • .github/workflows/javascript-ci.yml — installs javascript/ then lint/typecheck/test
  • .github/workflows/javascript-publish.yml — installs + publishes the JS package
  • .github/workflows/docs-ci.yml — installs docs/ then eslint/build
  • .github/workflows/deploy-docs.yml — installs javascript/ + docs/ then builds/deploys Pages

I resolved the new SHA 0e279bb959325dab635dd2c09392533439d90093 via the GitHub API: it dereferences to the annotated tag v6.0.8. (The trailing # vN comments in the diff are inconsistent — two read v4, two read v6.0.8 — but all four point at the same v6.0.8 SHA.)

Risk: low (verified compatible)

The v4→v6 jump's one behavioral change is pnpm-version resolution: v5+ require the version to come from a packageManager field or the version: input, and error if neither is present. Every consuming step passes an explicit version: (javascript-ci 10.22.0, javascript-publish 10.12.1, docs-ci 10.12.1, deploy-docs 10.21.0), so v6's stricter default-resolution never triggers and each job keeps installing the exact pnpm it did before. v6 requires a Node 20+ runner, satisfied by ubuntu-latest with the configured Node 24.

Note: deploy-docs.yml deliberately pins pnpm 10.21.0 with a comment that 10.22+ makes ignored build scripts fatal under --frozen-lockfile. This PR does not touch those version pins (only the action SHA), so that intent is preserved.

What I tested

  • Resolved the new pinned SHA → tag v6.0.8 via the GitHub API (annotated-tag deref).
  • Inspected every consuming step across all four workflows: each sets an explicit with: version: <x>, so v6's version-resolution change does not affect them; confirmed the four pinned versions are unchanged by this PR.
  • Confirmed only javascript/package.json carries a packageManager field (pnpm@10.22.0, matching its workflow's explicit pin); the repo root has none, and every workflow relies on the explicit input regardless.
  • N/A: uv/runtime dogfooding — this PR changes only CI workflow actions, not any Python dependency or code path.

Recommendation

Safe to merge. Every workflow pins its pnpm version explicitly, so v6.0.8 behaves identically to the prior pins; the version pins themselves are untouched.
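
The checks this review walks through (a full-SHA pin, agreement of the trailing `# vN` comments, and an explicit `version:` input on every consuming step) can be scripted. The sketch below is an added example, not part of the PR or of langwatch-agent's review; the workflow fragments and the `find_steps` / `audit` helper names are constructed for illustration, and only the SHA, the `v4` / `v6.0.8` comments and the pnpm versions are taken from the thread.

```python
import re
from collections import defaultdict

USES = re.compile(r"^(\s*)(?:-\s+)?uses:\s*(\S+?)@(\S+)(?:\s+#\s*(\S+))?\s*$")
VERSION = re.compile(r"^\s*version:\s*\S+")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
PIN = "0e279bb959325dab635dd2c09392533439d90093"  # SHA quoted in the review

# Constructed workflow fragments (not the repository's real files).
SAMPLE = {
    "a.yml": f"steps:\n  - uses: pnpm/action-setup@{PIN} # v4\n"
             "    with:\n      version: 10.22.0\n  - run: pnpm install\n",
    "b.yml": f"steps:\n  - uses: pnpm/action-setup@{PIN} # v6.0.8\n"
             "    with:\n      version: 10.12.1\n",
    "c.yml": "steps:\n  - name: Setup pnpm\n    uses: pnpm/action-setup@v6\n"
             "  - run: pnpm install\n",
}

def find_steps(text, action):
    """Yield (ref, comment, has_version) for every step that uses `action`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(2) != action:
            continue
        indent, has_version = len(m.group(1)), False
        for nxt in lines[i + 1:]:
            depth = len(nxt) - len(nxt.lstrip())
            if nxt.lstrip().startswith("- ") and depth <= indent:
                break  # the next step starts here
            has_version = has_version or bool(VERSION.match(nxt))
        yield m.group(3), m.group(4), has_version

def audit(files, action="pnpm/action-setup"):
    """Return (where, problem) tuples for the pin, input and comment checks."""
    findings, comments = [], defaultdict(set)
    for name, text in sorted(files.items()):
        for ref, comment, has_version in find_steps(text, action):
            if not FULL_SHA.match(ref):
                findings.append((name, "not pinned to a full commit SHA"))
            if not has_version:
                findings.append((name, "no explicit version: input"))
            comments[ref].add(str(comment))
    for ref, seen in comments.items():
        if len(seen) > 1:  # same ref annotated with different version comments
            findings.append((ref[:7], "inconsistent version comments: "
                             + ", ".join(sorted(seen))))
    return findings

if __name__ == "__main__":
    for where, problem in audit(SAMPLE):
        print(f"{where}: {problem}")
```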
