ci: bump actions/checkout from 6.0.2 to 6.0.3 #201
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bundle Report: Bundle size has no change ✅
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
##              main     #201   +/-   ##
=========================================
  Coverage   100.00%  100.00%
=========================================
  Files           16       16
  Lines          531      531
  Branches       138      138
=========================================
  Hits           531      531
Walkthrough
This PR updates pinned
Changes
Checkout Action Pin Updates
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/codeql.yml:
- Line 34: The inline comment after the uses line
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" is inaccurate;
update the comment to match the actual pinned version (change "# v6.0.0" to "#
v6.0.3") or remove the comment entirely so it no longer misrepresents the commit
SHA referenced by actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10.
In @.github/workflows/docker.yml:
- Around line 39-40: Update the Checkout step so it opts out of persisting
credentials by adding the persist-credentials: false input to the
actions/checkout invocation; locate the step with name "Checkout" and uses
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" and add the
persist-credentials: false property to avoid leaving GITHUB_TOKEN in the local
git config.
- Line 40: Update the stale version comments for the pinned actions/checkout SHA
df4cb1c069e1874edd31b4311f1884172cec0e10 by changing the trailing comment from
"# v6.0.0" to "# v6.0.3"; specifically update the uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 comment occurrences
(the checkout invocation shown and the other two instances noted in the review)
so the comment accurately reflects v6.0.3.
In @.github/workflows/release.yml:
- Around line 24-25: Add persist-credentials: false to both checkout steps to
avoid persisting GITHUB_TOKEN in the git config; specifically update the steps
that use actions/checkout (the one currently showing "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" and the later
checkout step around the npm/gh release flow) by adding the persist-credentials:
false input under each checkout step so release publishing uses only the
provided GH_TOKEN and npm credentials.
📒 Files selected for processing (10)
- .github/workflows/actions-pinned.yml
- .github/workflows/bundle-analysis.yml
- .github/workflows/codeql.yml
- .github/workflows/docker.yml
- .github/workflows/editorconfig-check.yml
- .github/workflows/gitleaks.yml
- .github/workflows/lockfile-lint.yml
- .github/workflows/osv-scanner.yml
- .github/workflows/release.yml
- .github/workflows/scorecard.yml
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0 |
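Review bot: The trailing comment on the added uses: line still reads "# v6.0.0" although this PR bumps the pin to 6.0.3, and the removed line shows the same "# v6.0.0" beside de0fac2e4500dabe0009e67214ff5f5447ce83dd, which the PR title identifies as the 6.0.2 pin; the comment was therefore already stale before this bump and the automated update did not touch it. Suggest changing it to "# v6.0.3" here and wherever the df4cb1c069e1874edd31b4311f1884172cec0e10 pin appears, since the version comment is what a maintainer reads when judging whether a SHA pin is current.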
Update version comment to match the actual version.
The pinned commit SHA df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds to actions/checkout@v6.0.3, but the inline comment still shows # v6.0.0. This mismatch can confuse maintainers during future updates.
📝 Proposed fix to correct the version comment
- - name: Checkout repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
+ - name: Checkout repository
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 33-34: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0 |
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Optional: set persist-credentials: false on this checkout.
zizmor flags credential persistence (artipacked) here. This build job only reads the repo and never pushes, so the GITHUB_TOKEN does not need to remain in the local git config after checkout. Given the repo's supply-chain posture, opting out is a cheap hardening. Pre-existing and out of scope for the SHA bump, so treat as nice-to-have.
🔒 Optional hardening
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 39-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Map relevant actions/checkout tags to their commit SHAs
gh api repos/actions/checkout/tags --paginate \
--jq '.[] | select(.name=="v6.0.0" or .name=="v6.0.2" or .name=="v6.0.3") | "\(.name)\t\(.commit.sha)"'
# What tag/commit does the pinned SHA resolve to?
echo "--- pinned SHA resolves to: ---"
gh api repos/actions/checkout/commits/df4cb1c069e1874edd31b4311f1884172cec0e10 --jq '.sha'
Repository: klodr/faxdrop-mcp
Length of output: 278
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find all pinned actions/checkout lines in workflows, including the trailing "# v..."
rg -n --hidden --no-ignore-vcs "uses:\s*actions/checkout@[0-9a-f]{40}\s*(#\s*v[0-9]+\.[0-9]+\.[0-9]+)?" .github/workflows \
|| true
# Specifically flag any cases where the v6.0.0 comment is paired with the df4cb... SHA
rg -n --hidden --no-ignore-vcs "uses:\s*actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10\s*#\s*v6\.0\.0" .github/workflows \
|| true
Repository: klodr/faxdrop-mcp
Length of output: 1806
Fix stale actions/checkout version comments for SHA df4cb1c069e1874edd31b4311f1884172cec0e10
- The pinned SHA df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds to actions/checkout v6.0.3 (not v6.0.0); the real v6.0.0 tag points to 1af3b93b6815bc44a9784bd300feb67ff0d1eeb3.
- Update the trailing comments from "# v6.0.0" to "# v6.0.3" in: .github/workflows/docker.yml:40, .github/workflows/codeql.yml:34, .github/workflows/release.yml:25 and .github/workflows/release.yml:53.
- This is a documentation/version-comment mismatch only; the checked-out commit is already the v6.0.3 SHA everywhere.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 39-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0 |
🧹 Nitpick | 🔵 Trivial | 💤 Low value
Optional: persist-credentials: false on both checkouts.
zizmor flags artipacked on both steps. Release builds/publishes via gh release (uses GH_TOKEN from env) and npm publish — neither relies on the git-config-persisted GITHUB_TOKEN — so opting out is safe and tightens the credential surface. Pre-existing; nice-to-have alongside the SHA bump.
Also applies to: 52-53
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
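The review comments above turn on two checks that can be run mechanically over every workflow file: whether each actions/checkout step opts out with persist-credentials: false, and whether the trailing "# vX.Y.Z" comment agrees with the tag the pinned SHA actually resolves to (the analysis chain resolved df4cb1c069e1874edd31b4311f1884172cec0e10 to v6.0.3 and the real v6.0.0 tag to 1af3b93b6815bc44a9784bd300feb67ff0d1eeb3). The script below is an added example, not code from this PR or from the klodr/faxdrop-mcp project. It scans workflow text line by line, much as the review's rg pass did, and additionally flags checkout refs that are not 40-hex SHA pins at all. The SHA-to-tag map is constructed from the review's output; in a real audit it would be filled from the gh api tags call shown in the analysis chain. The sample workflow is constructed for the example.

```python
"""Audit actions/checkout steps in GitHub workflow files.

Added example, not code from this PR or from the klodr/faxdrop-mcp project.
It reports the three things the review above turned on:
  * a checkout ref that is a tag or branch rather than a 40-hex commit SHA
  * a trailing "# vX.Y.Z" comment that disagrees with the tag the pinned SHA
    actually resolves to
  * a checkout step that does not set persist-credentials: false
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# `uses: actions/checkout@<ref>` with an optional trailing "# ..." comment.
USES_RE = re.compile(r"uses:\s*actions/checkout@(?P<ref>\S+)(?:\s*#(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")

# SHA -> tag map as reported by the review's `gh api` output above (constructed
# from that output; a real audit would populate it from the tags endpoint).
KNOWN_TAGS: Dict[str, str] = {
    "df4cb1c069e1874edd31b4311f1884172cec0e10": "v6.0.3",
    "1af3b93b6815bc44a9784bd300feb67ff0d1eeb3": "v6.0.0",
}


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number of the `uses:` entry
    kind: str    # "unpinned" | "stale-comment" | "persist-credentials"
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _step_span(lines: List[str], idx: int) -> Tuple[int, int]:
    """Inclusive index range of the step (YAML list item) that holds lines[idx]."""
    key_indent = _indent(lines[idx])
    if lines[idx].lstrip().startswith("- "):
        dash_indent = key_indent          # `- uses: ...` form
    else:
        dash_indent = key_indent - 2      # `uses:` under a `- name:` line
    start = idx
    # Walk back to the `- ` line that opens this step (it has the dash indent).
    while start > 0 and not (lines[start].strip() and _indent(lines[start]) <= dash_indent):
        start -= 1
    end = idx
    # Walk forward until the next line at (or above) the dash indent, i.e. the next step.
    while end + 1 < len(lines) and not (lines[end + 1].strip() and _indent(lines[end + 1]) <= dash_indent):
        end += 1
    return start, end


def audit_checkout_steps(text: str, sha_to_tag: Dict[str, str] = KNOWN_TAGS) -> List[Finding]:
    """Return findings for every actions/checkout step in a workflow's text."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            continue                      # commented-out step, not live config
        m = USES_RE.search(line)
        if not m:
            continue
        lineno = idx + 1
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        if not SHA_RE.match(ref):
            findings.append(Finding(lineno, "unpinned", f"ref {ref!r} is a tag or branch, not a commit SHA"))
        elif VERSION_RE.match(comment) and ref in sha_to_tag and comment != sha_to_tag[ref]:
            findings.append(Finding(lineno, "stale-comment", f"comment says {comment}, SHA resolves to {sha_to_tag[ref]}"))
        start, end = _step_span(lines, idx)
        if not any(PERSIST_OFF_RE.match(l) for l in lines[start:end + 1]):
            findings.append(Finding(lineno, "persist-credentials", "step does not set persist-credentials: false"))
    return findings


# Constructed sample workflow: one stale comment, one hardened step, one unpinned ref.
SAMPLE_WORKFLOW = """\
name: docker
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
      - name: Checkout (hardened)
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/checkout@v6
      - name: Build
        run: docker build .
"""

if __name__ == "__main__":
    for f in audit_checkout_steps(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.kind}] {f.detail}")
```

Run against the constructed sample, the first checkout is reported twice (stale "# v6.0.0" comment and no persist-credentials opt-out), the hardened step is clean, and the "@v6" step is reported as unpinned and without the opt-out. Because the step span is derived from YAML indentation rather than a full parser, the check also catches a `with:` block placed before the `uses:` key; to run it over a repository, read each file under .github/workflows and pass its text in.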
Bumps actions/checkout from 6.0.2 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- df4cb1c Update changelog for v6.0.3 (#2446)
- 1cce339 Fix checkout init for SHA-256 repositories (#2439)
- 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
- 0c366fd Update changelog (#2357)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)