chore(deps): bump nanasess/setup-chromedriver from 2 to 3 in the gha-production-dependencies group#1187

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/github_actions/gha-production-dependencies-ca40e9c646

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the gha-production-dependencies group with 1 update: nanasess/setup-chromedriver.

Updates nanasess/setup-chromedriver from 2 to 3

Release notes

Sourced from nanasess/setup-chromedriver's releases.

v3.0.0

Highlights

v3.0.0 is a major release that rewrites the action from the ground up. The installation logic is now implemented natively in TypeScript — the legacy shell/PowerShell scripts are no longer on the execution path — and the build toolchain has been hardened against supply-chain attacks.

Native TypeScript rewrite (#446)

The Bash (setup-chromedriver.sh) and PowerShell (setup-chromedriver.ps1) installers have been replaced by a native TypeScript implementation, split into focused modules under src/installer/:

  • http.ts — fetchText / fetchJson with curl-like retry/redirect handling
  • download.ts — ZIP download & extraction via @actions/tool-cache
  • version.ts — Chrome version detection + Chrome-for-Testing JSON resolution with fallback
  • unix.ts / windows.ts — platform-specific install (legacy < 115 / modern split)

Behavioral parity is preserved: install locations (/usr/local/bin/chromedriver, C:\SeleniumWebDrivers\ChromeDriver) are unchanged, and PATH resolution via the well-known install directory continues to work without an explicit core.addPath. The legacy shell scripts are retained for one release cycle as an emergency rollback option.

Supply-chain hardening

  • Migrated from yarn to pnpm (#456) — install-time build scripts are blocked by default (allowBuilds), and freshly published versions are held back by a cooldown (minimumReleaseAge).
  • All external actions in CI workflows are now pinned to a full commit SHA (#450).

ESM migration (#458, #439)

  • The codebase moved from CommonJS to ESM, and @actions/tool-cache was upgraded from 2.x to 4.x.

Security fixes

  • Fixed a command-injection vector in Windows version detection (env-passing).
  • Fixed cross-drive move failure (EXDEV) on Windows via io.cp.
  • Added retry-with-backoff to downloads.
  • Overrode qs to 6.15.2 to resolve a DoS advisory (#457, #444).

Testing

  • Container-compatibility tests are now a permanent PR gate (#453).
  • Added install/smoke tests for legacy ChromeDriver (< 115) (#454).

Breaking Changes

  • The action is now a native TypeScript / ESM implementation. The shell/PowerShell scripts are no longer executed (kept only for one-cycle rollback).
  • Build/contribution workflow now requires pnpm (corepack enable) instead of yarn.

Note: The Node 24 runtime migration shipped in v2.4.0; there is no runtime change in v3.0.0.

Migration

Update your workflow reference to @v3. SHA pinning is recommended:

... (truncated)

Commits
  • e913548 Merge pull request #460 from nanasess/feature/release-v3
  • 8d11586 chore: remove unneeded version field from package.json
  • 38db136 Merge pull request #458 from nanasess/feature/bump-tools-cache
  • 359dcf4 fix: change to a cross-platform test script that also works on Windows
  • ba85371 Merge remote-tracking branch 'origin/master' into feature/bump-tools-cache
  • 00fdb57 fix: fix ESM subpath import in the selenium integration tests
  • f6b8cbe Merge pull request #457 from nanasess/security/qs-6.15.2
  • 249deb4 style: apply prettier to all TypeScript files
  • 5daf33a build: migrate to ESM and update @actions/tool-cache to 4.x
  • 23ce89d fix(security): override qs to 6.15.2 to fix DoS vulnerability
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
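
The release notes quoted above recommend SHA pinning, and this PR moves a workflow reference from major version 2 to 3. As an added example (not code from this repository, Dependabot or nanasess/setup-chromedriver), the JavaScript below flags `uses:` references that are not pinned to a full 40-character commit SHA; the sample workflow, the placeholder SHA and the name `findUnpinnedActions` are constructed for illustration.

```javascript
// Added example: report `uses:` references that are not pinned to a full commit SHA.
// SAMPLE_WORKFLOW is constructed; the 40-hex value is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: e2e
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: nanasess/setup-chromedriver@v3
      - uses: "nanasess/setup-chromedriver@abc1234"
      - uses: ./.github/actions/local-build
      # - uses: example-org/disabled-step@main
      - uses: docker://ghcr.io/example/tool:latest
      - run: chromedriver --version
`;

const FULL_SHA = /^[0-9a-f]{40}$/i;

function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((raw, idx) => {
    // A `uses:` key, optionally after a "- " list marker. Commented-out
    // lines start with '#', so they never match.
    const m = raw.match(/^\s*(?:-\s+)?uses:\s*(.+)$/);
    if (!m) return;
    // Drop a trailing "# comment" and surrounding quotes.
    const value = m[1].replace(/\s+#.*$/, "").trim().replace(/^["']|["']$/g, "");
    const line = idx + 1;
    // Local actions are versioned together with the repository itself.
    if (value.startsWith("./") || value.startsWith("../")) return;
    if (value.startsWith("docker://")) {
      if (!/@sha256:[0-9a-f]{64}$/i.test(value)) {
        findings.push({ line, uses: value, reason: "docker image not pinned by sha256 digest" });
      }
      return;
    }
    const at = value.lastIndexOf("@");
    const ref = at === -1 ? "" : value.slice(at + 1);
    if (FULL_SHA.test(ref)) return; // immutable pin
    const reason = /^[0-9a-f]{7,39}$/i.test(ref)
      ? "abbreviated SHA, not a full 40-hex pin"
      : "mutable tag or branch";
    findings.push({ line, uses: value, reason });
  });
  return findings;
}

console.log(findUnpinnedActions(SAMPLE_WORKFLOW));
```

Run in CI over each file under `.github/workflows/`, a non-empty result can fail the job; Dependabot can still propose updates for SHA-pinned references, so pinning does not stop version bumps like this one.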

Bumps the gha-production-dependencies group with 1 update: [nanasess/setup-chromedriver](https://github.com/nanasess/setup-chromedriver).


Updates `nanasess/setup-chromedriver` from 2 to 3
- [Release notes](https://github.com/nanasess/setup-chromedriver/releases)
- [Commits](nanasess/setup-chromedriver@v2...v3)

---
updated-dependencies:
- dependency-name: nanasess/setup-chromedriver
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha-production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 3, 2026

dependabot Bot commented on behalf of github Jun 9, 2026

Looks like nanasess/setup-chromedriver is updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 9, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/gha-production-dependencies-ca40e9c646 branch June 9, 2026 03:05