Update actions/setup-node action to v5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/setup-node	action	major	v4.4.0 -> v5.0.0

---

Release Notes

actions/setup-node (actions/setup-node)

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

Enhancement:

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

This update bumps the GitHub Actions actions/setup-node usage from v4.4.0 to v5.0.0 in both the build and code-quality workflows, ensuring we’re on the latest supported release for node setup and caching improvements.

Walkthrough

• Chore: Upgraded actions/setup-node to v5.0.0 in build.yaml for more reliable Node environment setup.
• Chore: Updated actions/setup-node to v5.0.0 in code-quality.yaml to leverage the latest caching and performance enhancements.

_{Model: o4-mini | Prompt Tokens: 756 | Completion Tokens: 647}

[github-actions]

We’ve put together a friendly code review powered by AI that highlights potential improvements and offers insights. Treat these suggestions as ideas, not hard rules, and choose what fits your approach. Ultimately your judgment guides the process, and AI is here to lend a hand.
_{Model: o4-mini | Prompt Tokens: 2542 | Completion Tokens: 5692}

[github-actions]

Consider switching from a full commit SHA to a semantic version tag for easier maintenance and automatic patch updates. For example, instead of pinning to a specific SHA, you can use the v5 major release tag:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

[github-actions]

The two Setup Node steps are identical except for their names. You can DRY this up by using a YAML anchor or by extracting the common setup into a reusable workflow or composite action. For example, with a YAML anchor:

# Define the anchor at the top of your steps
x-setup-node: &setup-node
  uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

# Reuse it in both steps
- name: Setup Node (PR Summary)
  <<: *setup-node

- name: Setup Node (PR Review)
  <<: *setup-node

[github-actions]

You have two Checkout source branch steps that are identical. Consider moving it to a shared set of steps or a job-level definition to avoid duplication:

jobs:
  code-quality:
    steps:
      - name: Checkout source branch
        uses: actions/checkout@v5
      # other steps...

[github-actions]

Similar to the build workflow, use a semantic version tag for actions/setup-node instead of a full SHA. This ensures you receive non-breaking updates automatically:

- name: Setup Node
  uses: actions/setup-node@v5
  with:
    node-version-file: .tool-versions
    cache: npm

[github-actions]

This update standardizes the Node.js setup across CI workflows by moving to the latest setup-node action, bumps the local Node.js version, and refreshes linting and TypeScript development dependencies for both PR tools, ensuring consistency and up-to-date tooling.

Walkthrough

• Chore: Upgraded GitHub Actions setup-node to v5.0.0 in build and code-quality workflows
• Chore: Bumped .tool-versions Node.js from 20.19.4 to 20.19.5
• Chore: Updated ESLint, @types/node, TypeScript, and related dev dependencies in pr-summary and pr-review packages

_{Model: o4-mini | Prompt Tokens: 1279 | Completion Tokens: 603 | Diff Range: bc9b2a3...9989323}

[github-actions]

Expert review powered by AI offers friendly insights into your code. These recommendations are predictions and may not be foolproof, so choose what aligns best with your approach. You control the final decisions—AI is here to support and empower your unique process.
_{Model: o4-mini | Prompt Tokens: 1271 | Completion Tokens: 3086}

[github-actions]

You’re pinning actions/setup-node to a commit SHA for v5.0.0, which prevents you from getting future non-breaking patches. It’s better to use the semver tag to automatically receive minor and patch updates while still locking major:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

[github-actions]

The “Setup Node” step is duplicated in both PR Summary and PR Review jobs. To follow the DRY principle and avoid future inconsistencies, extract it into a reusable YAML anchor or a composite action. For example:

# Top of your workflow
x-steps:
  setup-node: &setup-node
    uses: actions/setup-node@v5
    with:
      node-version-file: source-folder/.tool-versions
      cache: npm

# Then in each job
steps:
  - name: Setup Node
    <<: *setup-node

This reduces duplication and makes upgrades simpler.

[github-actions]

To make your cache invalidation more precise, leverage the cache-dependency-path input so the cache key changes when your lockfile updates. For example:

- uses: actions/setup-node@v5
  with:
    node-version-file: source-folder/.tool-versions
    cache: 'npm'
    cache-dependency-path: source-folder/package-lock.json  # ✅ ensures cache bust when deps change

[github-actions]

You’ve pinned actions/checkout to a full commit SHA. Using a semver tag (e.g. @v3) is more maintainable and still locks major versions:

- uses: actions/checkout@v3

[github-actions]

The “Checkout source branch” and “Setup Node” steps appear twice, leading to repetition. Consider using YAML anchors or a reusable workflow to DRY them:

# Define anchors at top
x-steps:
  checkout: &checkout
    name: Checkout source branch
    uses: actions/checkout@v3  # or your preferred tag

  setup-node: &setup-node
    name: Setup Node
    uses: actions/setup-node@v5
    with:
      node-version-file: .tool-versions
      cache: npm

# Then in your jobs
steps:
  - <<: *checkout
  - <<: *setup-node
  # ... other steps