chore(deps): pin dependencies #11

Merged: chenjiahan merged 1 commit into main from renovate/pin-dependencies, Jun 12, 2026

Conversation

renovate Bot commented Jun 12, 2026


This PR contains the following updates:

Package Type Update Change
JS-DevTools/npm-publish action pinDigest 19c28f1
actions/setup-node action pinDigest 49933ea
ncipollo/release-action action pinDigest 339a818

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai Bot commented Jun 12, 2026


📝 Walkthrough

This PR updates GitHub Actions workflow files to pin action versions to specific commit SHAs instead of semantic version tags. In .github/workflows/release.yml, actions/setup-node@v4, JS-DevTools/npm-publish@v3, and ncipollo/release-action@v1 are replaced with pinned commit SHAs. In .github/workflows/test.yml, actions/setup-node@v4 is similarly pinned to a specific commit. The workflow logic, triggers, permissions, and configuration remain unchanged.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: pinning GitHub Actions dependencies to specific commit SHAs across the release and test workflows.
Description check ✅ Passed The description is directly related to the changeset, providing a clear table of the three GitHub Actions being pinned with their digest updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

28-31: Consider cache poisoning mitigation for actions/setup-node.

The static analysis tool flags a cache-poisoning vulnerability when using cache: 'pnpm'. While this pre-dates this PR, be aware that cached dependencies could potentially be manipulated. Consider:

  • Using lock file hash verification (pnpm install --frozen-lockfile)
  • Implementing cache key rotation policies
  • Monitoring cache integrity

This is broader operational guidance for workflow security, not a blocker for the pinning changes themselves.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 28 - 31, The workflow uses
actions/setup-node with cache: 'pnpm', which can introduce cache-poisoning risk;
update the release workflow to mitigate by ensuring pnpm installs use the
lockfile (invoke pnpm install --frozen-lockfile or equivalent in the job that
runs dependency installs), add a cache key rotation or include the lockfile hash
in the cache key to limit stale/poisoned cache reuse, and consider adding a
periodic cache purge/rotation policy and monitoring step; target the
actions/setup-node usage and the job step that runs pnpm install to implement
these changes.

Source: Linters/SAST tools


42-45: Consider using GitHub CLI for release creation.

The static analysis tool suggests that ncipollo/release-action functionality is already available via the pre-installed gh CLI on GitHub runners. You could replace this step with:

- name: Create GitHub Release
  run: gh release create ${{ github.ref_name }} --generate-notes
  env:
    GH_TOKEN: ${{ github.token }}

This would reduce external action dependencies and potential supply chain attack surface. Consider this for future workflow optimizations.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 42 - 45, Replace the external
action ncipollo/release-action used in the "Create GitHub Release" step with the
preinstalled GitHub CLI: remove the uses: ncipollo/release-action@... entry and
instead run gh release create with the current ref name and --generate-notes,
ensuring you set GH_TOKEN (from github.token) in the step's env; update the step
named "Create GitHub Release" to use run: gh release create ${{ github.ref_name
}} --generate-notes and add env: GH_TOKEN: ${{ github.token }} so no external
action is required.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 28: The pinned actions/setup-node reference `uses:
actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4` is misleading
because that SHA does not correspond to the v4 release; update the pinned SHA to
the actual commit SHA for the v4 release you intend to use (or switch to the
canonical `actions/setup-node@v4` tag) and make the inline comment match the
chosen ref; apply the same change wherever the exact string appears (e.g., in
the release and test workflow files) so the `uses:` entry and `# v4` comment are
consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b5dcf0c4-c313-4187-b07a-8bb652866c88

📥 Commits

Reviewing files that changed from the base of the PR and between 0af7aa4 and 5c6cae3.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • .github/workflows/test.yml
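The pinning pattern this PR applies, plus the reviewer's point that the `# v4` annotation on a pinned `uses:` line should agree with the SHA it sits next to, can be checked mechanically. The audit script below is an added example, not code from the project or from CodeRabbit; the sample workflow text is constructed (only the setup-node SHA is the one quoted in the review), and `KNOWN_TAGS` is a placeholder map you would populate from `git ls-remote`.

```python
import re

# Matches `uses: owner/repo[/path]@ref [# comment]`; local (`./`) and
# `docker://` actions have no `@ref` and are deliberately skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, known_tags=None):
    """Return [(line_no, repo, ref, status)] for every `uses:` line.
    pinned: full SHA with a `# vX` comment | no-comment: full SHA, no tag noted
    mismatch: comment's tag maps to a different SHA in known_tags
    unpinned: tag, branch or abbreviated SHA (re-targetable or unverified)."""
    known_tags = known_tags or {}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m["repo"], m["ref"], (m["comment"] or "").strip()
        if not FULL_SHA_RE.match(ref):
            status = "unpinned"
        elif not comment:
            status = "no-comment"
        else:  # known_tags maps "owner/repo@tag" -> expected full SHA
            expected = known_tags.get(f"{repo}@{comment.split()[0]}")
            status = "mismatch" if expected and expected != ref else "pinned"
        findings.append((no, repo, ref, status))
    return findings

# Constructed sample: the setup-node SHA is the one quoted in the review; the
# other two 40-hex values pad the PR's 7-char digests with zeros, not real commits.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          cache: 'pnpm'
      - uses: JS-DevTools/npm-publish@19c28f1{pad} # v3
      - uses: ncipollo/release-action@339a818{pad}
""".format(pad="0" * 33)

# Placeholder tag->SHA map; populate from `git ls-remote --tags <repo-url> <tag>`.
KNOWN_TAGS = {"actions/setup-node@v4": "f" * 40}
if __name__ == "__main__":
    for no, repo, ref, status in audit_workflow(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {no}: {status:10s} {repo}@{ref}")
```

Run it against each file under `.github/workflows/` in CI and fail the job on anything other than `pinned`; Renovate's pinDigest updates then keep both the SHA and its comment in step.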

@chenjiahan chenjiahan merged commit 73387a9 into main Jun 12, 2026
2 of 3 checks passed
@chenjiahan chenjiahan deleted the renovate/pin-dependencies branch June 12, 2026 02:51