2 changes: 1 addition & 1 deletion .github/workflows/actions-pinned.yml
@@ -18,7 +18,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false

2 changes: 1 addition & 1 deletion .github/workflows/bundle-analysis.yml
@@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Setup Node 22
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
@@ -31,7 +31,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update version comment to match the actual version.

The pinned commit SHA df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds to actions/checkout@v6.0.3, but the inline comment still shows # v6.0.0. This mismatch can confuse maintainers during future updates.

📝 Proposed fix to correct the version comment
-      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 33-34: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 34, the inline comment after the uses line "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" is inaccurate; update the comment to match the actual pinned version (change "# v6.0.0" to "# v6.0.3") or remove the comment entirely so it no longer misrepresents the commit SHA referenced by actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10.


- name: Initialize CodeQL
uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
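Review bot: the checkout at the top of this hunk still has no `persist-credentials: false`, which the zizmor output in the thread above flags (artipacked, lines 33-34) and which nothing in the visible steps needs, since neither the checkout nor the codeql-action/init step that follows writes back to the repository over git; add the same `with:` block that actions-pinned.yml and scorecard.yml already use, and at the same time correct the trailing `# v6.0.0` to `# v6.0.3` so the comment matches the SHA being pinned.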
2 changes: 1 addition & 1 deletion .github/workflows/docker.yml
@@ -37,7 +37,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
🧹 Nitpick | 🔵 Trivial | 💤 Low value

Optional: set persist-credentials: false on this checkout.

zizmor flags credential persistence (artipacked) here. This build job only reads the repo and never pushes, so the GITHUB_TOKEN does not need to remain in the local git config after checkout. Given the repo's supply-chain posture, opting out is a cheap hardening. Pre-existing and out of scope for the SHA bump, so treat as nice-to-have.

🔒 Optional hardening
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 39-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yml around lines 39 - 40, update the Checkout step so it opts out of persisting credentials by adding the persist-credentials: false input to the actions/checkout invocation; locate the step with name "Checkout" and uses "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" and add the persist-credentials: false property to avoid leaving GITHUB_TOKEN in the local git config.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Map relevant actions/checkout tags to their commit SHAs
gh api repos/actions/checkout/tags --paginate \
  --jq '.[] | select(.name=="v6.0.0" or .name=="v6.0.2" or .name=="v6.0.3") | "\(.name)\t\(.commit.sha)"'

# What tag/commit does the pinned SHA resolve to?
echo "--- pinned SHA resolves to: ---"
gh api repos/actions/checkout/commits/df4cb1c069e1874edd31b4311f1884172cec0e10 --jq '.sha'

Repository: klodr/faxdrop-mcp

Length of output: 278


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find all pinned actions/checkout lines in workflows, including the trailing "# v..."
rg -n --hidden --no-ignore-vcs "uses:\s*actions/checkout@[0-9a-f]{40}\s*(#\s*v[0-9]+\.[0-9]+\.[0-9]+)?" .github/workflows \
  || true

# Specifically flag any cases where the v6.0.0 comment is paired with the df4cb... SHA
rg -n --hidden --no-ignore-vcs "uses:\s*actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10\s*#\s*v6\.0\.0" .github/workflows \
  || true

Repository: klodr/faxdrop-mcp

Length of output: 1806


Fix stale actions/checkout version comments for SHA df4cb1c069e1874edd31b4311f1884172cec0e10

  • The pinned SHA df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds to actions/checkout v6.0.3 (not v6.0.0); the real v6.0.0 tag points to 1af3b93b6815bc44a9784bd300feb67ff0d1eeb3.
  • Update the trailing comments from # v6.0.0 to # v6.0.3 in:
    • .github/workflows/docker.yml:40
    • .github/workflows/codeql.yml:34
    • .github/workflows/release.yml:25 and .github/workflows/release.yml:53
  • This is a documentation/version-comment mismatch only; the checked-out commit is already the v6.0.3 SHA everywhere.
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 39-40: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yml at line 40, update the stale version comments for the pinned actions/checkout SHA df4cb1c069e1874edd31b4311f1884172cec0e10 by changing the trailing comment from "# v6.0.0" to "# v6.0.3"; specifically update the uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 comment occurrences (the checkout invocation shown and the other two instances noted in the review) so the comment accurately reflects v6.0.3.


- name: Read package version
id: pkg
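As an added example (not part of the PR or of the review comments above), a small Python audit that reproduces the two checks the thread discusses, offline: it compares the version comment on each pinned actions/checkout SHA against a tag map and flags checkout steps that do not set `persist-credentials: false`. The tag map is seeded only with the two SHA/tag pairs the review established; `audit_workflow`, `step_body` and the sample workflow text are constructed here, not taken from the repository.

```python
import re
# Tag->SHA map for actions/checkout, from the review's findings above (a real run
# would build it from `gh api repos/actions/checkout/tags --paginate`).
KNOWN_TAGS = {"actions/checkout": {
    "df4cb1c069e1874edd31b4311f1884172cec0e10": "v6.0.3",
    "1af3b93b6815bc44a9784bd300feb67ff0d1eeb3": "v6.0.0"}}
# `uses: owner/repo[/subpath]@ref  # vX.Y.Z`, with or without a leading `- `.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<action>[\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>v\d+(?:\.\d+)*))?")

def step_body(lines, start, key_col):
    """Remaining lines of the step whose mapping keys sit at column key_col."""
    body = []
    for nxt in lines[start:]:
        if not nxt.strip():
            continue                                  # blank line inside a step
        if len(nxt) - len(nxt.lstrip()) < key_col:
            break                                     # next step or job begins
        body.append(nxt)
    return body

def audit_workflow(text, known=KNOWN_TAGS):
    """Return (line, code, message) findings for one workflow file's text."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        actual = known.get(action, {}).get(ref)       # None for unknown or unpinned refs
        if actual and comment != actual:              # the stale-comment case above
            findings.append((i, "stale-comment",
                             f"{action}@{ref[:7]} is {actual}, comment says {comment or '<none>'}"))
        if action == "actions/checkout":              # zizmor's artipacked case
            body = step_body(lines, i, line.index("uses:"))
            if not any(re.search(r"persist-credentials:\s*false", b) for b in body):
                findings.append((i, "persist-credentials", "GITHUB_TOKEN stays in .git/config"))
    return findings

# Constructed sample modelled on the codeql.yml and scorecard.yml hunks in this PR.
SAMPLE = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
"""
```

Running `audit_workflow(SAMPLE)` reports both the stale `# v6.0.0` comment and the missing `persist-credentials: false` on line 3 and nothing for the scorecard-style step.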
2 changes: 1 addition & 1 deletion .github/workflows/editorconfig-check.yml
@@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Install editorconfig-checker
# The action only adds the binary to PATH — it does not run it.
2 changes: 1 addition & 1 deletion .github/workflows/gitleaks.yml
@@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
# Full history needed so gitleaks can audit every commit on
# PR branches, not just the head.
2 changes: 1 addition & 1 deletion .github/workflows/lockfile-lint.yml
@@ -35,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Setup Node 22
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
2 changes: 1 addition & 1 deletion .github/workflows/osv-scanner.yml
@@ -32,7 +32,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

- name: Install OSV-Scanner CLI (pinned binary, sha256-verified)
# Pinned to v2.3.6. The SHA256 below is the upstream-published
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0
🧹 Nitpick | 🔵 Trivial | 💤 Low value

Optional: persist-credentials: false on both checkouts.

zizmor flags artipacked on both steps. Release builds/publishes via gh release (uses GH_TOKEN from env) and npm publish — neither relies on the git-config-persisted GITHUB_TOKEN — so opting out is safe and tightens the credential surface. Pre-existing; nice-to-have alongside the SHA bump.

Also applies to: 52-53

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 24 - 25, add persist-credentials: false to both checkout steps to avoid persisting GITHUB_TOKEN in the git config; specifically update the steps that use actions/checkout (the one currently showing "uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" and the later checkout step around the npm/gh release flow) by adding the persist-credentials: false input under each checkout step so release publishing uses only the provided GH_TOKEN and npm credentials.


- name: Setup Node 22
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -50,7 +50,7 @@ jobs:
attestations: write # actions/attest-build-provenance writes to the attestation API
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.0

- name: Setup Node 22
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
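Review bot: the new actions/checkout SHA in this hunk is still annotated `# v6.0.0`, while the same SHA carries `# v6.0.3` in actions-pinned.yml, bundle-analysis.yml and the other workflows bumped in this PR; change the comment to `# v6.0.3` (the docker.yml thread above lists this occurrence as release.yml:53). This checkout also lacks `persist-credentials: false`; the job's `attestations: write` permission in the context line serves the attestation API call, not a git push, so there is no visible reason for the token to remain in the local git config after checkout.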
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
@@ -21,7 +21,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
