chore: use pnpm setup runtime action #199

Merged
marandaneto merged 5 commits into main from chore/use-pnpm-setup-runtime on Jun 25, 2026

Conversation

@marandaneto

@marandaneto marandaneto commented Jun 25, 2026

Member

💡 Motivation and Context

Simplify CI setup by replacing the separate pnpm/action-setup + actions/setup-node + pnpm cache wiring with the new pinned pnpm/setup action, which installs pnpm and the Node.js runtime in one step.

This also adds/keeps package-manager release-age gates at a total of 7 days:

  • npm .npmrc: min-release-age=7 because npm uses days.
  • pnpm minimumReleaseAge: 10080 because pnpm uses minutes.

Note: pnpm/setup does not currently read .nvmrc, so Node 24 is duplicated in the action config for now where the repo also has .nvmrc. Once jasongin/nvs#315 lands, we can remove that duplicated runtime version and go back to a single .nvmrc source of truth.

💚 How did you test it?

  • Parsed the changed GitHub Actions / pnpm YAML with PyYAML.
  • Checked .npmrc files use npm's day-based min-release-age=7 and pnpm files use minute-based minimumReleaseAge: 10080.
  • Ran git diff --check.

📝 Checklist

  • I reviewed the submitted code.
  • I added tests to verify the changes.
  • I updated the docs if needed.
  • No breaking change or entry added to the changelog.

If releasing new changes

  • Ran pnpm changeset to generate a changeset file

🤖 Agent context

Autonomy: Human-driven (agent-assisted)

Updated the CI setup at the user's request after checking the new pnpm/setup action behavior. Chose install: false so existing explicit pnpm install --frozen-lockfile commands keep their current lockfile behavior, and pinned the action to the current v1 commit SHA.
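As an added illustration (not code from this PR or the repository), the following Python script checks the two things the description and the test notes above describe: that the npm and pnpm release-age gates agree once units are converted (npm counts days, pnpm counts minutes), and that every remote action in a workflow is pinned to a full commit SHA with a comment recording the tag. It uses plain string handling rather than PyYAML so it runs anywhere; the file contents and the `example-org` actions are constructed for the example and are not the project's real files.

```python
"""Added example: audit release-age gates and action pins in CI config.

Illustrative code only, not the repository's own tooling. The sample
inputs below are constructed for this example.
"""
import re
from typing import Dict, List

MINUTES_PER_DAY = 24 * 60
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(.+?)\s*$")

# --- constructed sample inputs (not the project's real files) -------------
SAMPLE_NPMRC = """\
engine-strict=true
# npm expresses the gate in days
min-release-age=7
"""

SAMPLE_PNPM_WORKSPACE = """\
packages:
  - 'packages/*'
# pnpm expresses the gate in minutes: 7 days * 24 h * 60 min
minimumReleaseAge: 10080
"""

SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Set up pnpm and Node.js
        uses: pnpm/setup@f7d0e5f4b1b3089d2799ef9722859e7ba314c4c8 # v1
      - name: Lint (hypothetical action, mutable tag)
        uses: example-org/lint-action@v2
      - name: Local composite action (hypothetical)
        uses: ./.github/actions/build
      - name: Hypothetical action pinned to a SHA but missing the tag comment
        uses: example-org/release-action@0123456789abcdef0123456789abcdef01234567
"""


def parse_npmrc(text: str) -> Dict[str, str]:
    """Parse npm's ini-style .npmrc into a dict; comments and blanks are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_top_level_scalars(text: str) -> Dict[str, str]:
    """Extract top-level `key: value` scalars from a YAML file.

    Deliberately minimal (no nesting, no lists) so it needs no PyYAML;
    enough for pnpm-workspace.yaml's minimumReleaseAge.
    """
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w-]*):\s*(\S.*)?$", line)
        if m and m.group(2):
            out[m.group(1)] = m.group(2).strip()
    return out


def check_release_age_gates(npmrc_text: str, pnpm_text: str, expected_days: int = 7) -> List[str]:
    """Report missing gates, or gates that disagree once minutes are turned into days."""
    findings: List[str] = []
    npm_raw = parse_npmrc(npmrc_text).get("min-release-age")
    pnpm_raw = parse_top_level_scalars(pnpm_text).get("minimumReleaseAge")
    if npm_raw is None:
        findings.append(".npmrc: min-release-age missing")
    if pnpm_raw is None:
        findings.append("pnpm-workspace.yaml: minimumReleaseAge missing")
    if findings:
        return findings
    npm_days = int(npm_raw)
    pnpm_days, remainder = divmod(int(pnpm_raw), MINUTES_PER_DAY)
    if remainder:
        findings.append(f"pnpm: minimumReleaseAge={pnpm_raw} is not a whole number of days")
    if npm_days != expected_days:
        findings.append(f"npm: min-release-age={npm_days} days, expected {expected_days}")
    if pnpm_days != expected_days:
        findings.append(f"pnpm: minimumReleaseAge={pnpm_raw} minutes = {pnpm_days} days, expected {expected_days}")
    return findings


def find_unpinned_actions(workflow_text: str) -> List[str]:
    """Report `uses:` references that are not a full commit SHA plus a tag comment."""
    findings: List[str] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, _, comment = m.group(1).partition("#")
        ref, comment = ref.strip().strip("'\""), comment.strip()
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are not pinned by SHA this way
        _, at, version = ref.rpartition("@")
        if not at:
            findings.append(f"line {lineno}: {ref} has no @<ref>")
        elif not FULL_SHA.match(version):
            findings.append(f"line {lineno}: {ref} is pinned to a mutable ref, not a full commit SHA")
        elif not comment:
            findings.append(f"line {lineno}: {ref} lacks a '# <tag>' comment recording the release the SHA came from")
    return findings


def audit(npmrc_text: str, pnpm_text: str, workflow_text: str) -> List[str]:
    """Combine both checks; an empty list means the config passes."""
    return check_release_age_gates(npmrc_text, pnpm_text) + find_unpinned_actions(workflow_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NPMRC, SAMPLE_PNPM_WORKSPACE, SAMPLE_WORKFLOW) or ["ok"]:
        print(finding)
```

Run against real files by reading `.npmrc`, `pnpm-workspace.yaml` and each file under `.github/workflows/` and passing their contents to `audit`; the gate check fails closed when either setting is absent, which is the case worth catching when a gate is added in one package manager but forgotten in the other.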

@marandaneto marandaneto self-assigned this Jun 25, 2026
@greptile-apps

greptile-apps Bot commented Jun 25, 2026

Contributor

Reviews (1): Last reviewed commit: "chore: use pnpm setup runtime action"

@marandaneto marandaneto marked this pull request as ready for review June 25, 2026 08:54
@marandaneto marandaneto requested a review from a team as a code owner June 25, 2026 08:54
@marandaneto marandaneto force-pushed the chore/use-pnpm-setup-runtime branch from c759254 to 497ae41 June 25, 2026 08:58
@marandaneto marandaneto marked this pull request as draft June 25, 2026 09:00
@marandaneto marandaneto marked this pull request as ready for review June 25, 2026 10:47
@marandaneto marandaneto merged commit 50f2432 into main Jun 25, 2026
18 checks passed
@marandaneto marandaneto deleted the chore/use-pnpm-setup-runtime branch June 25, 2026 10:48
@greptile-apps

greptile-apps Bot commented Jun 25, 2026

Contributor

Security Review

  • Unverified action provenance (.github/workflows/release.yml line 98): pnpm/setup is not the documented official pnpm GitHub Action (pnpm/action-setup is). The version-bump job has contents: write and access to the GitHub App releaser token, making supply-chain provenance of this action critical to verify before merging.

Reviews (2): Last reviewed commit: "fix: use pnpm 11 package manager"

- name: Set up pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
- name: Set up pnpm and Node.js
uses: pnpm/setup@f7d0e5f4b1b3089d2799ef9722859e7ba314c4c8 # v1
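Review bot: the pin comment on the new line reads "# v1", a floating major tag, where the line it replaces recorded the exact release "# v5.0.0"; record the exact tag that f7d0e5f4b1b3089d2799ef9722859e7ba314c4c8 was resolved from so the SHA can be checked against a specific pnpm/setup release, and state in the PR how the repository behind pnpm/setup was confirmed to be pnpm-owned, since the security review above notes this job holds contents: write and the releaser App token.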

Contributor


P1 security Unverified action origin — pnpm/setup vs pnpm/action-setup

The official pnpm action is pnpm/action-setup (documented at pnpm.io and on the GitHub Marketplace). pnpm/setup does not appear in pnpm's official documentation or Marketplace listing. Can you confirm this action lives at github.com/pnpm/setup under the pnpm org and is the intended replacement? This job has contents: write and access to the GitHub App token for pushing to main, so verifying the SHA resolves to a legitimate pnpm-owned repository is important before merging.
