chore(deps): bump actions/setup-node from 4 to 5

[dependabot]

Bumps actions/setup-node from 4 to 5.

Release notes

Sourced from actions/setup-node's releases.

v5.0.0

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in actions/setup-node#1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in actions/setup-node#1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-node#1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-node#1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-node#1345

New Contributors

• @​priya-kinthali made their first contribution in actions/setup-node#1348
• @​salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in actions/setup-node#98
• Add support for indented eslint output by @​fregante in actions/setup-node#1245

Enhancement:

• Support private mirrors by @​marco-ippolito in actions/setup-node#1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-node#1262

New Contributors

• @​FloEdelmann made their first contribution in actions/setup-node#98
• @​fregante made their first contribution in actions/setup-node#1245
• @​marco-ippolito made their first contribution in actions/setup-node#1240

Full Changelog: actions/setup-node@v4...v4.4.0

... (truncated)

Commits

• a0853c2 Bump actions/checkout from 4 to 5 (#1345)
• b7234cc Upgrade action to use node24 (#1325)
• d7a1131 Enhance caching in setup-node with automatic package manager detection (#1348)
• 5e2628c Bumps form-data (#1332)
• 65becef Bump undici from 5.28.5 to 5.29.0 (#1295)
• 7e24a65 Bump uuid from 9.0.1 to 11.1.0 (#1273)
• 08f58d1 Bump @​octokit/request-error and @​actions/github (#1227)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated documentation CI workflows: aligned Node.js setup with the latest supported action and disabled package-manager caching.
  • Added extra docs validation steps (typechecking, spellcheck, format check, and build) to the docs-check pipeline.
  • No changes to product behavior or public APIs; routine maintenance to keep pipelines reliable.

[coderabbitai]

Walkthrough

Bumps actions/setup-node from @v4 to @v5 across multiple GitHub Actions workflows, adds package-manager-cache: false to the setup inputs, and appends several run steps (yarn typecheck, yarn spellcheck, yarn format-check, yarn build) to the docs-check workflow. Node version remains 20.

Changes

Cohort / File(s)	Summary of Changes
Docs workflows: setup-node v5 + cache flag .github/workflows/docs-auto-update.yml, .../docs-deploy.yml	Updated actions/setup-node from @v4 to @v5; added package-manager-cache: false under with; kept node-version: 20; no other steps changed.
Docs check: setup-node v5 + added checks .github/workflows/docs-check.yml	Updated actions/setup-node from @v4 to @v5; added package-manager-cache: false; after yarn --immutable added yarn typecheck, yarn spellcheck, yarn format-check, yarn build.
Scripts lint: setup-node v5 + cache flag .github/workflows/scripts-lint.yml	Updated actions/setup-node from @v4 to @v5; added package-manager-cache: false; retained node-version: 20 and existing lint steps.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions
  participant Setup as actions/setup-node@v5
  participant Corepack as corepack/yarn
  participant Yarn as yarn scripts
  Note over GH,Setup #E8F0FF: Workflow start (docs-check)
  GH->>Setup: run setup-node (node-version: 20, package-manager-cache: false)
  Setup-->>GH: node available
  GH->>Corepack: corepack enable
  Corepack-->>GH: corepack ready
  GH->>Yarn: yarn --immutable
  Yarn-->>GH: install OK
  Note over GH,Yarn #E8F8E8: New additional checks
  GH->>Yarn: yarn typecheck
  GH->>Yarn: yarn spellcheck
  GH->>Yarn: yarn format-check
  GH->>Yarn: yarn build
  Yarn-->>GH: checks complete
  Note over GH #FFF4E6: Previous flow ended after `yarn --immutable` (no additional checks)

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• akaladarshi
• LesnyRumcajs

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "chore(deps): bump actions/setup-node from 4 to 5" succinctly and accurately describes the primary change in the PR (upgrading actions/setup-node from v4 to v5), follows conventional commit style, and is clear and specific enough for a teammate scanning history to understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dependabot/github_actions/actions/setup-node-5

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

.github/workflows/docs-check.yml (1)

34-39: Guard against unintended v5 auto-caching; explicitly set package-manager-cache.

setup-node v5 auto-enables package-manager caching when package.json has a packageManager field. Your prior config intentionally left caching off (comment referencing issue 1027). To preserve behavior and avoid surprise cache interactions, disable it explicitly.

Apply this diff:

 - uses: actions/setup-node@v5
   with:
     node-version: 20
+    package-manager-cache: false
     # See https://github.com/actions/setup-node/issues/1027
     # cache: yarn

Alternatively, if you want caching, set a scoped dependency path (example for docs):

with:
  node-version: 20
  package-manager-cache: true
  cache-dependency-path: docs/yarn.lock

Please confirm whether docs/package.json declares a packageManager field; if yes, v5 would currently auto-cache without the explicit flag. Also confirm you’re not on self-hosted runners (v5 requires runner v2.327.1+).

.github/workflows/docs-deploy.yml (1)

32-37: Disable or scope v5’s automatic package-manager cache to avoid behavior drift.

Same concern as docs-check: v5 will auto-cache if packageManager is present. Explicitly disable to match previous behavior, or scope it to docs.

 - uses: actions/setup-node@v5
   with:
     node-version: 20
+    package-manager-cache: false
 # See https://github.com/actions/setup-node/issues/1027
 # cache: yarn

If opting in to caching, prefer:

with:
  node-version: 20
  package-manager-cache: true
  cache-dependency-path: docs/yarn.lock

Confirm whether caching is desired during deploy and that it won’t affect build determinism.

.github/workflows/docs-auto-update.yml (1)

18-23: Explicitly control v5 auto-cache; this job runs at repo root and may pick the wrong lockfile.

This workflow doesn’t set a working-directory for the Yarn steps, so auto-detection may target the repo root package.json/lockfile instead of docs. Disable caching or specify the dependency path.

 - uses: actions/setup-node@v5
   with:
     node-version: 20
+    package-manager-cache: false

If enabling caching, scope it:

with:
  node-version: 20
  package-manager-cache: true
  cache-dependency-path: |
    yarn.lock
    docs/yarn.lock

Please confirm where your Yarn lockfile(s) live (root vs docs) so we can set cache-dependency-path accurately.

.github/workflows/scripts-lint.yml (1)

78-83: Prevent unintended caching in lint job or scope it to the correct lockfile.

setup-node v5 auto-caches if packageManager exists; for a lint-only job this is unnecessary and can add cache churn. Disable or scope explicitly.

 - uses: actions/setup-node@v5
   with:
     node-version: 20
+    package-manager-cache: false

If you prefer caching to speed up yarn yaml-check:

with:
  node-version: 20
  package-manager-cache: true
  cache-dependency-path: yarn.lock

Confirm whether the repository uses Yarn workspaces or multiple lockfiles; if so, list them to avoid cache key skew.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d08a2ff and 193d7b0.

📒 Files selected for processing (4)

• .github/workflows/docs-auto-update.yml (1 hunks)
• .github/workflows/docs-check.yml (1 hunks)
• .github/workflows/docs-deploy.yml (1 hunks)
• .github/workflows/scripts-lint.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: tests
• GitHub Check: cargo-publish-dry-run
• GitHub Check: tests-release
• GitHub Check: All lint checks
• GitHub Check: Build MacOS
• GitHub Check: Build Ubuntu
• GitHub Check: Build forest binaries on Linux AMD64

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/docs-check.yml (1)

33-34: Optional: consider bumping actions/checkout to v5 for consistency.

Not required for this PR, but aligning on the latest major of checkout reduces future churn across workflows.

Apply if desired:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 193d7b0 and 65dd330.

📒 Files selected for processing (4)

• .github/workflows/docs-auto-update.yml (1 hunks)
• .github/workflows/docs-check.yml (1 hunks)
• .github/workflows/docs-deploy.yml (1 hunks)
• .github/workflows/scripts-lint.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/scripts-lint.yml
• .github/workflows/docs-auto-update.yml
• .github/workflows/docs-deploy.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build forest binaries on Linux AMD64
• GitHub Check: tests-release
• GitHub Check: tests
• GitHub Check: Build MacOS
• GitHub Check: cargo-publish-dry-run
• GitHub Check: Build Ubuntu
• GitHub Check: All lint checks
• GitHub Check: Check

🔇 Additional comments (1)

.github/workflows/docs-check.yml (1)

34-37: Approve: bump actions/setup-node@v5; package-manager-cache explicitly disabled

• No remaining actions/setup-node@v4 occurrences.
• package-manager-cache: false is set in .github/workflows/scripts-lint.yml, .github/workflows/docs-deploy.yml, .github/workflows/docs-check.yml, .github/workflows/docs-auto-update.yml; docs/package.json lists packageManager: yarn@4.9.2 — disabling auto PM cache is intentional.
• Keeping node-version: 20 in the job is fine; actions/checkout@v4 is still used widely (optional separate bump).