
chore(ci): Bump pnpm/action-setup to v5 and pin to commit SHA #20462

Merged
mydea merged 1 commit into develop from fn/bump-pnpm-action-setup-v5
Apr 24, 2026

Conversation

@mydea
Member

@mydea mydea commented Apr 23, 2026

Summary

Updated in build.yml (2 occurrences) and canary.yml (1 occurrence).

Changelog (v4 → v5)

v5.0.0 — Updated the action to use Node.js 24 (resolves GHA deprecation warning for Node.js 20 actions).

v4.4.0 — Updated the action to use Node.js 24.

v4.3.0 — Store caching support, docs fixes, dependency cleanup.

v4.2.0 — Respects .npmrc registry configuration when fetching pnpm.

v4.1.0 — Added support for package.yaml.

Full changelog: pnpm/action-setup@v4.0.0...v5.0.0

Test plan

  • CI passes — E2E tests use pnpm for package installation

🤖 Generated with Claude Code

Bump from v4 to v5.0.0 which uses Node.js 24 (resolves the GHA
deprecation warning for Node.js 20 actions). Pin to the exact commit
SHA for supply chain security.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mydea mydea self-assigned this Apr 23, 2026
with:
ref: ${{ env.HEAD_COMMIT }}
- uses: pnpm/action-setup@v4
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
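Review bot: The `# v5.0.0` trailer on the new `uses:` line is the only thing that ties the pinned SHA to a release, and nothing in the diff lets a reader confirm the pairing; please record in the PR description how the SHA was resolved (for example `git ls-remote --tags` on the pnpm/action-setup repository, taking the peeled `refs/tags/v5.0.0^{}` entry, because for an annotated tag the plain `refs/tags/v5.0.0` line returns the tag object rather than the commit). Keep the comment in exactly the `# v5.0.0` form, since Dependabot and Renovate read it to track updates of SHA-pinned actions.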

Bug: The pinned commit SHA for pnpm/action-setup may point to v4.4.0 instead of the intended v5.0.0, which would fail to resolve the Node.js deprecation warning.
Severity: MEDIUM

Suggested Fix

Verify the correct commit SHA for the pnpm/action-setup@v5.0.0 release tag directly from the official pnpm/action-setup repository. Update the workflow file to use the official v5 tag (e.g., pnpm/action-setup@v5) or the verified commit SHA for v5.0.0.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/build.yml#L925

Potential issue: The pull request updates `pnpm/action-setup` to a specific commit SHA
(`fc06bc1257f339d1d5d8b3a19a8cae5388b55320`) with the intention of upgrading to
`v5.0.0`. However, there is evidence this SHA may correspond to `v4.4.0`. If the SHA is
incorrect, the action's runtime will not be updated from Node.js v20 to v24. This means
the GitHub Actions deprecation warning for Node.js 20 will not be resolved, and the
primary goal of this change will not be met. The CI job will remain at risk of failing
when Node.js 20 is fully deprecated.


Member Author


This is the commit tagged with v5.0.0, so it should be fine.

@github-actions
Contributor

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 25.88 kB | - | - |
| @sentry/browser - with treeshaking flags | 24.35 kB | - | - |
| @sentry/browser (incl. Tracing) | 43.81 kB | - | - |
| @sentry/browser (incl. Tracing + Span Streaming) | 45.5 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 48.73 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 82.98 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 72.5 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 87.67 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 99.93 kB | - | - |
| @sentry/browser (incl. Feedback) | 42.7 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 30.55 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 35.55 kB | - | - |
| @sentry/browser (incl. Metrics) | 27.16 kB | - | - |
| @sentry/browser (incl. Logs) | 27.29 kB | - | - |
| @sentry/browser (incl. Metrics & Logs) | 27.98 kB | - | - |
| @sentry/react | 27.62 kB | - | - |
| @sentry/react (incl. Tracing) | 46.05 kB | - | - |
| @sentry/vue | 30.71 kB | - | - |
| @sentry/vue (incl. Tracing) | 45.62 kB | - | - |
| @sentry/svelte | 25.89 kB | - | - |
| CDN Bundle | 28.57 kB | - | - |
| CDN Bundle (incl. Tracing) | 46.08 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) | 29.95 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 47.12 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.92 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 83.14 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 84.17 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 88.61 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 89.69 kB | - | - |
| CDN Bundle - uncompressed | 83.59 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 137.62 kB | - | - |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 87.73 kB | - | - |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 141.03 kB | - | - |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 211.31 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 255.06 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed | 258.46 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 267.97 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed | 271.36 kB | - | - |
| @sentry/nextjs (client) | 48.58 kB | - | - |
| @sentry/sveltekit (client) | 44.22 kB | - | - |
| @sentry/node-core | 58.35 kB | +0.02% | +9 B 🔺 |
| @sentry/node | 175.66 kB | +0.01% | +13 B 🔺 |
| @sentry/node - without tracing | 98.3 kB | +0.02% | +12 B 🔺 |
| @sentry/aws-serverless | 115.33 kB | +0.01% | +11 B 🔺 |


@mydea mydea requested review from JPeer264 and nicohrubec April 23, 2026 11:27
Member

@nicohrubec nicohrubec left a comment


We had a PR open to pin all actions to commit SHAs (ref); is this something we want to do for all actions?

@mydea
Member Author

mydea commented Apr 23, 2026

We had a PR open to pin all actions to commit SHAs (ref); is this something we want to do for all actions?

I think it makes sense, at least for everything that is not a GitHub-owned action (e.g. actions/cache@4 is likely fine)!

@JPeer264
Member

We had a PR open to pin all actions to commit SHAs (#19948); is this something we want to do for all actions?

Just to keep this in the back of our heads: https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/

@mydea
Member Author

mydea commented Apr 24, 2026

We had a PR open to pin all actions to commit SHAs (#19948); is this something we want to do for all actions?

Just to keep this in the back of our heads: https://www.vaines.org/posts/2026-03-24-the-comforting-lie-of-sha-pinning/

Yes, we need to actually verify the SHAs for this to make sense! 😅
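One way to do the verification the thread asks for, as an added example that is not part of this PR or the repository's tooling: a small Python checker that flags `uses:` lines still on a mutable tag or branch, SHA pins with no `# vX.Y.Z` comment, and SHA pins whose commented tag does not resolve to that commit in `git ls-remote --tags` output. The workflow text and the ls-remote output are constructed samples (the tag-object SHA is made up, and the peeled commit is taken from this PR on the author's word); the point of the peeled `^{}` handling is that a naive lookup of an annotated tag returns the tag object and would report a false mismatch.

```python
import re

# Constructed sample workflow: the two `uses:` shapes from this PR plus one
# unpinned action and one SHA pin without a version comment, for contrast.
WORKFLOW = """\
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""
# Constructed stand-in for `git ls-remote --tags <repo>` output. An annotated
# tag appears twice: the tag object, then the peeled commit (`^{}`).
LS_REMOTE_PNPM = (
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v5.0.0\n"
    "fc06bc1257f339d1d5d8b3a19a8cae5388b55320\trefs/tags/v5.0.0^{}\n"
)
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>\S+)"
    r"(?:[ \t]*#[ \t]*(?P<tag>v?\d+(?:\.\d+)*))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def tag_commits(ls_remote):
    """Map tag name -> commit SHA; the peeled `^{}` entry wins over the tag object."""
    out = {}
    for line in ls_remote.splitlines():
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            out[name[:-3]] = sha
        else:
            out.setdefault(name, sha)
    return out

def check(workflow, ls_remote_by_action):
    """Return (action, verdict) per `uses:` line; ls_remote_by_action maps
    owner/repo to that repository's `git ls-remote --tags` output."""
    findings = []
    for m in USES_RE.finditer(workflow):
        action, ref, tag = m.group("action", "ref", "tag")
        if not SHA_RE.match(ref):
            findings.append((action, "unpinned: mutable ref " + ref))
        elif tag is None:
            findings.append((action, "pinned but no version comment"))
        else:
            got = tag_commits(ls_remote_by_action.get(action, "")).get(tag)
            verdict = "ok" if got == ref else "mismatch: %s resolves to %s" % (tag, got)
            findings.append((action, verdict))
    return findings
```

In practice the second argument is filled by running `git ls-remote --tags https://github.com/<owner>/<repo>` once per distinct action, so the check works on exactly what the remote serves and not on a hand-copied SHA.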

@mydea mydea merged commit ec2c3d7 into develop Apr 24, 2026
73 checks passed
@mydea mydea deleted the fn/bump-pnpm-action-setup-v5 branch April 24, 2026 06:50