ci(deps): bump ramsey/composer-install from 3 to 4

[dependabot]

Bumps ramsey/composer-install from 3 to 4.

Release notes

Sourced from ramsey/composer-install's releases.

4.0.0

What's Changed

• chore: Bump actions/cache from 4.2.4 to 5.0.3 by @​dependabot[bot] in ramsey/composer-install#278

  This necessitates a new major version because actions/cache v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. This is a breaking change for anyone using self-hosted runners.

Full Changelog: ramsey/composer-install@3.2.1...4.0.0

3.2.1

What's Changed

• Fix missing cache key hash of composer.json (and composer.lock), as reported in ramsey/composer-install#277.

Full Changelog: ramsey/composer-install@3.2.0...3.2.1

3.2.0

What's Changed

• Pin cache action version by @​saibotk in ramsey/composer-install#271

New Contributors

• @​saibotk made their first contribution in ramsey/composer-install#271

Full Changelog: ramsey/composer-install@3.1.1...3.2.0

3.1.1

What's Changed

• Use the value of the COMPOSER environment variable if it exists; fixes ramsey/composer-install#264

Full Changelog: ramsey/composer-install@3.1.0...3.1.1

3.1.0

What's Changed

• ✨ Add new composer-filename option by @​badasukerubin in ramsey/composer-install#261
• Add instructions on how to use the automatic GHA token by @​Jean85 in ramsey/composer-install#263

New Contributors

• @​badasukerubin made their first contribution in ramsey/composer-install#261

Full Changelog: ramsey/composer-install@3.0.1...3.1.0

3.0.1

What's Changed

• fix: Improve composer.lock behavior with ignore-cache by @​flagbrad in ramsey/composer-install#260

New Contributors

• @​flagbrad made their first contribution in ramsey/composer-install#260

Full Changelog: ramsey/composer-install@3.0.0...3.0.1

Commits

• 2b6adcf docs: update README examples to use 4.0.0 pinned hash
• 65e4f84 docs: update badges for v4 branch
• 853e7d7 chore: Bump actions/cache from 4.2.4 to 5.0.3 (#278)
• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[claude]

Code Review - Dependabot CI dependency bump

Summary: Bumps ramsey/composer-install from v3 to v4 in rector.yaml.

Assessment: Safe to merge

Observations:

1. Single-line change in rector.yaml, low risk. Used to install Composer dependencies before running Rector.

2. Breaking change in v4 (Node.js 24): Internally upgrades actions/cache from v4 to v5, which runs on Node.js 24 and requires Actions Runner >= 2.327.1. GitHub-hosted runners meet this requirement automatically.

3. Merge conflict risk: PR 48 (stefanzweifel/git-auto-commit-action v6 → v7) also modifies rector.yaml at a different line. Dependabot will rebase automatically after either is merged.

Recommendation: Safe to merge. Coordinate with PR 48 to update both rector.yaml dependencies together.