Comparing changes

base repository: voidzero-dev/setup-vp
base: v1.10.0
head repository: voidzero-dev/setup-vp
compare: v1.11.0
  • 6 commits
  • 20 files changed
  • 5 contributors

Commits on May 18, 2026

  1. chore: bump pnpm to 11.1.2 (#68)

    Bumps the repo-root `packageManager` pin to `pnpm@11.1.2`.
    
    Only the root `package.json` `packageManager` field is changed.
    Boshen authored May 18, 2026
    670361d
  2. chore(deps): update dependency yaml to v2.9.0 (#69)

    This PR contains the following updates:
    
    | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|---|---|
    | [yaml](https://eemeli.org/yaml/) ([source](https://redirect.github.com/eemeli/yaml)) | [`2.8.4` → `2.9.0`](https://renovatebot.com/diffs/npm/yaml/2.8.4/2.9.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/yaml/2.9.0?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/yaml/2.9.0?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/yaml/2.8.4/2.9.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/yaml/2.8.4/2.9.0?slim=true) |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>eemeli/yaml (yaml)</summary>
    
    ### [`v2.9.0`](https://redirect.github.com/eemeli/yaml/compare/v2.8.4...v2.9.0)
    
    [Compare Source](https://redirect.github.com/eemeli/yaml/compare/v2.8.4...v2.9.0)
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: (in timezone Asia/Shanghai)
    
    - Branch creation
      - "before 10am on monday"
    - Automerge
      - At any time (no schedule defined)
    
    🚦 **Automerge**: Enabled.
    
    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR was generated by [Mend Renovate](https://mend.io/renovate/).
    View the [repository job
    log](https://developer.mend.io/github/voidzero-dev/setup-vp).
    
    ---------
    
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>
    3 people authored May 18, 2026
    d51b91a

Commits on May 25, 2026

  1. chore(deps): update dependency @actions/cache to v6.0.1 (#71)

    This PR contains the following updates:
    
    | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
    |---|---|---|---|---|---|
    | [@actions/cache](https://redirect.github.com/actions/toolkit/tree/main/packages/cache) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/cache)) | [`6.0.0` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fcache/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcache/6.0.1?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcache/6.0.1?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcache/6.0.0/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcache/6.0.0/6.0.1?slim=true) |
    
    ---
    
    ### Release Notes
    
    <details>
    <summary>actions/toolkit (@actions/cache)</summary>
    
    ### [`v6.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#601)
    
    - Bump dependency versions ([#2393](https://redirect.github.com/actions/toolkit/pull/2393)):
      - `@actions/core` to `^3.0.1`
      - `@actions/http-client` to `^4.0.1`
      - `@actions/io` to `^3.0.2`
      - `@azure/core-rest-pipeline` to `^1.23.0`
      - `@azure/storage-blob` to `^12.31.0`
      - `semver` to `^7.7.4`
    
    </details>
    
    ---
    
    ### Configuration
    
    📅 **Schedule**: (in timezone Asia/Shanghai)
    
    - Branch creation
      - "before 10am on monday"
    - Automerge
      - At any time (no schedule defined)
    
    🚦 **Automerge**: Enabled.
    
    ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
    rebase/retry checkbox.
    
    🔕 **Ignore**: Close this PR and you won't be reminded about this update
    again.
    
    ---
    
    - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
    this box
    
    ---
    
    This PR was generated by [Mend Renovate](https://mend.io/renovate/).
    View the [repository job
    log](https://developer.mend.io/github/voidzero-dev/setup-vp).
    
    ---------
    
    Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: fengmk2 <156269+fengmk2@users.noreply.github.com>
    3 people authored May 25, 2026
    3b9f2e9

Commits on May 29, 2026

  1. feat: add sfw input to wrap vp install with Socket Firewall Free (#72)

    ## Summary
    
    - Adds a boolean `sfw` input. When `true` and `run-install` is enabled,
    the action downloads the matching
    [`sfw`](https://github.com/SocketDev/sfw-free) binary from the upstream
    releases (auto-detected per OS/arch, with musl support on Alpine) and
    runs `sfw vp install …` so the underlying package manager's network
    fetches are inspected before install.
    - Default is `false` — no behavior change for existing consumers.
    - `sfw` only wraps `vp install`. Other `vp` invocations (`vp env use`,
    `vp --version`) stay unwrapped.
    
    ```yaml
    - uses: voidzero-dev/setup-vp@v1
      with:
        sfw: true
        run-install: true
    ```
    
    ## Why
    
    Lets open-source projects opt into Socket Firewall Free protection for
    CI installs with a single input — no need to compose a separate
    `socketdev/action@v1` step. See
    https://docs.socket.dev/docs/socket-firewall-free.
    
    ## Implementation notes
    
    - `src/install-sfw.ts` — downloads `sfw-free-<asset>` from
    `releases/latest/download/`, `chmod +x` on POSIX, then `addPath`.
    Mirrors the retry pattern in `install-viteplus.ts`.
    - musl detection:
    `process.report.getReport().header.glibcVersionRuntime` with
    `fs.existsSync('/etc/alpine-release')` as a fallback. Selects
    `sfw-free-musl-linux-{arm64,x86_64}` on Alpine.
    - `src/run-install.ts` — execs `sfw` with `["vp", "install", …]` instead
    of `vp` with `["install", …]` when `inputs.sfw` is true.
    
    ## Test plan
    
    - [x] Unit tests: `vp run test` — 133 passed (13 new in
    `install-sfw.test.ts` covering all 8 platform/arch/libc combos + error
    cases; 1 new in `inputs.test.ts`).
    - [x] `vp run typecheck` clean.
    - [x] `vp run check:fix` clean.
    - [x] `vp run build` regenerated `dist/index.mjs`.
    - [ ] New `test-sfw` job (Ubuntu/macOS/Windows × latest/alpha) —
    installs `is-odd` under `sfw vp install` and verifies `sfw --version`
    resolves on PATH.
    - [ ] New `test-sfw-alpine` job (`alpine:3.23` container) — proves the
    musl asset is selected (a glibc binary would fail to exec inside
    Alpine).
    - [ ] All existing test jobs continue to pass with `sfw: false` default
    (no behavior change).
    
    <!-- CURSOR_SUMMARY -->
    ---
    
    > [!NOTE]
    > **Medium Risk**
    > Changes the install path for opted-in workflows (external binary
    download and supply-chain surface) and gates platform behavior so
    macOS/Windows silently skip wrapping; CI relies on a live
    malicious-package canary that could flake if delisted.
    > 
    > **Overview**
    > Adds an optional **`sfw`** input (default `false`) so CI can run
    **`sfw vp install`** instead of plain **`vp install`** when
    `run-install` is enabled, wiring in Socket Firewall Free without a
    separate action step.
    > 
    > **Docs & metadata:** `action.yml` and **README** document usage,
    Linux-only behavior (macOS/Windows warn and fall back without
    downloading `sfw`), Alpine/musl assets, and composing with
    **`socketdev/action`** when `sfw` is already on PATH. **Renovate** gains
    a regex custom manager on `src/install-sfw.ts` to bump pinned
    **`SocketDev/sfw-free`** releases.
    > 
    > **CI:** **`test.yml`** adds jobs for Linux PM matrix + non-Linux
    fallback, Alpine musl, **`lodahs`** typosquat blocking (output grep, not
    exit code alone), and verifying setup-vp skips its download when
    **`socketdev/action`** pre-installs `sfw`. A path-triggered
    **`verify-vp-1703-sfw.yml`** workflow smoke-tests a pkg-pr-new **`vp`**
    build for cross-platform **`sfw vp install`** / TLS fixes ahead of
    relaxing the Linux gate.
    > 
    > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
    2161235. Configure
    [here](https://www.cursor.com/dashboard/bugbot).</sup>
    <!-- /CURSOR_SUMMARY -->
    fengmk2 authored May 29, 2026
    af4e4f6
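
The musl detection and asset selection described in the implementation notes of #72, as an added TypeScript example that is not the project's `src/install-sfw.ts`. The function names, the injected `fileExists` parameter and the order in which the two signals are combined are assumptions; only the two detection signals and the two musl asset names come from the commit message.

```typescript
// Added example, not the project's src/install-sfw.ts.
// Subset of the Node.js diagnostic report header that the check reads.
interface ReportHeader {
  glibcVersionRuntime?: string;
}

// Asset names quoted in the commit message, keyed by Node's process.arch.
const MUSL_ASSETS = new Map<string, string>([
  ["arm64", "sfw-free-musl-linux-arm64"],
  ["x64", "sfw-free-musl-linux-x86_64"],
]);

// glibc builds of Node report glibcVersionRuntime; musl builds omit it.
// Assumption: the Alpine marker file decides only when no header is available.
function isMusl(
  platform: string,
  header: ReportHeader | undefined,
  alpineMarker: boolean,
): boolean {
  if (platform !== "linux") return false;
  if (header !== undefined) return !header.glibcVersionRuntime;
  return alpineMarker;
}

// Returns the musl asset name, or null when the host is not musl Linux
// (the non-musl asset names are not given on this page).
function muslAssetFor(
  platform: string,
  arch: string,
  header: ReportHeader | undefined,
  alpineMarker: boolean,
): string | null {
  if (!isMusl(platform, header, alpineMarker)) return null;
  const asset = MUSL_ASSETS.get(arch);
  // Fail closed: never fall back to a binary built for another architecture.
  if (asset === undefined) throw new Error(`no musl sfw asset for linux/${arch}`);
  return asset;
}

// Host probe. fileExists is injected (pass fs.existsSync) so the logic stays testable.
function detectMuslAsset(fileExists: (path: string) => boolean): string | null {
  const proc = (globalThis as any).process;
  const header: ReportHeader | undefined = proc?.report?.getReport?.()?.header;
  return muslAssetFor(proc.platform, proc.arch, header, fileExists("/etc/alpine-release"));
}
```

Selecting the wrong libc variant fails at exec time inside Alpine, which is what the `test-sfw-alpine` job in the test plan is there to catch.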
  2. ci: default tests to latest, add pkg.pr.new dispatch input (#74)

    ## Summary
    
    Removes alpha-channel testing and replaces it with on-demand pkg.pr.new
    verification triggered manually.
    
    - **Dropped the `version: [latest, alpha]` matrix from every test job.**
    Push / PR / merge_group runs now exercise only the latest published
    Vite+ (the action's default). Jobs whose only matrix dimension was
    `version` lost their `strategy:` block; jobs with other dimensions
    (`os`, `node-version`, `lockfile`) kept theirs.
    - **Added a `workflow_dispatch` input `pr_version`** (a PR number or
    commit SHA, e.g. `1569`) for verifying an unreleased Vite+ build on
    demand.
    
    ## How pkg.pr.new testing works
    
    pkg.pr.new builds install via **`VP_PR_VERSION`** (PR number / commit
    SHA), *not* the `version` input — the install script checks
    `VP_PR_VERSION` before `VP_VERSION` and uses it to pull the matching
    build from pkg.pr.new. The input feeds a workflow-level env var:
    
    ```yaml
    env:
      VP_PR_VERSION: ${{ github.event.inputs.pr_version }}
    ```
    
    Since the action spreads `...process.env` into the install, this flows
    straight through and wins even though the action sets
    `VP_VERSION=latest`. On every non-dispatch event the value is empty,
    which the script treats as unset → latest. So **one manual dispatch
    verifies a candidate build across the entire matrix** (install,
    node-version, cache, exec, sfw) with no source change to the action.
    
    ## Notes
    
    - The `build` job is pinned to latest (`VP_PR_VERSION: ""`) so a
    pre-release bundler can't shift `dist/` output and fail the "dist is up
    to date" diff for unrelated reasons.
    - The sfw jobs now ride the dispatched version too; their stale "covers
    the alpha channel" comments were updated.
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    fengmk2 authored May 29, 2026
    8b7d810
  3. fix: demote benign cache reserve-race to info instead of warning (#75)

    ## Problem
    
    Consumers running a build matrix see noisy warning annotations from
    `setup-vp`'s cache save step, e.g. in
    [node-modules/urllib](https://github.com/node-modules/urllib/actions/runs/26621172939):
    
    ```
    ! Cache save failed or was skipped.
    ! Failed to save: Unable to reserve cache with key vite-plus-Linux-x64-pnpm-…, another job may be creating this cache.
    ```
    
    These are **harmless** — caching works correctly.
    
    ## Root cause
    
    The cache key is `vite-plus-{OS}-{arch}-{lockfile-type}-{hash}` and
    intentionally does **not** include the Node.js version (the
    package-manager store is Node-version-independent, so one shared cache
    per OS/arch/lockfile is correct and desirable). When a matrix runs
    several Node versions per OS, those jobs compute the identical key and
    race to save it in the post step. GitHub's cache backend lets only one
    job reserve a given key; the losers get `cacheId === -1` from
    `@actions/cache`.
    
    That `-1` is expected and benign, but `cache-save.ts` was emitting
    `warning("Cache save failed or was skipped.")` on it — and
    `@actions/cache` already logs the specific reason itself, so this was
    redundant noise surfaced as a warning annotation.
    
    ## Change
    
    - Demote the `cacheId === -1` branch from `warning(...)` to `info(...)`.
    - Keep the `catch` block's `warning(...)` for genuinely thrown errors —
    a real, unexpected failure should still warn.
    - Add `src/cache-save.test.ts` covering the reserve-race (no warning),
    success, and thrown-error paths.
    
    ## Verification
    
    - `vp test run` → 147 passed (8 files), including the new cache-save
    tests
    - `vp run check` → clean
    - `vp run typecheck` → clean
    - `vp run build` → `dist/index.mjs` rebuilt; old `"Cache save failed or
    was skipped"` string gone
    
    ## Note
    
    The companion `Failed to save: Unable to reserve cache…` message comes
    from `@actions/cache` itself; v6.0.1 (already on `main`) demotes it to
    `info`. Both warnings disappear for consumers once a new `v1` tag is cut
    that includes this change and the v6.0.1 bump (the current `v1` predates
    both).
    fengmk2 authored May 29, 2026
    329490f