@mulkieran mulkieran commented Aug 20, 2025

Related stratis-storage/project#807

Summary by CodeRabbit

  • Chores
    • Updated CI workflows to use the latest checkout action (v5).
    • Disabled credential persistence in checkout steps to improve security.
    • No changes to the sequence or behavior of existing checks.

Signed-off-by: mulhern <amulhern@redhat.com>
@mulkieran mulkieran self-assigned this Aug 20, 2025
coderabbitai bot commented Aug 20, 2025

Walkthrough

Updated github-modify/action.yml to use actions/checkout@v5 for three checkout steps and added persist-credentials: false to each corresponding with block. No other workflow logic or steps were changed.

Changes

Cohort / File(s): CI workflow checkout updates (github-modify/action.yml)
Summary of Changes: Bumped three instances of actions/checkout from v4 to v5; added persist-credentials: false to each checkout step’s with configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump a paw on the CI ground,
Checked-out v5 now hops around.
Credentials tucked, no crumbs to trace,
Our pipeline sprints at steady pace.
Ears up, I merge with quiet cheer—
A tidy tweak, the path is clear. 🐇✨

Signed-off-by: mulhern <amulhern@redhat.com>
@mulkieran mulkieran moved this to In Progress in 2025August Aug 20, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
github-modify/action.yml (2)

27-27: Repeat: Verify actions/checkout@v5 tag and compatibility

Same as Line 17: confirm v5 availability and any migration notes that could affect behavior under pull_request events and repository overrides.


49-49: Repeat: Upgrade to actions/checkout@v5 for default repo

Same as Line 17: verify v5 exists and behaves as expected for default branch checkout.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db98205 and 569e8d9.

📒 Files selected for processing (1)
  • github-modify/action.yml (2 hunks)
🔇 Additional comments (4)
github-modify/action.yml (4)

22-22: persist-credentials: false is a good hardening; verify downstream git operations

This prevents the token from being stored in the repo’s local git config. Ensure callers of this composite don’t rely on implicit git auth later (e.g., fetch/push/submodule ops). If they do, they’ll need to provide explicit credentials in those steps.


32-32: Repeat: Persisting credentials disabled—double-check callers

Same as Line 22: good security posture; please confirm no caller relies on persisted auth within the checked-out directories.


54-54: Repeat: Security hardening acknowledged

Disabling credential persistence here is appropriate; verify no subsequent steps expect git auth in the local clone for stratis-storage/${{ inputs.repo }}.


17-17: actions/checkout@v5 is available – migrate and test Node.js 24

  • Verified that actions/checkout@v5 exists and is the latest major release.
  • v5’s only breaking change is the Node.js runtime bump from 20 → 24; all inputs (ref, repository, path, fetch-depth, sparse-checkout, etc.) remain unchanged.
  • No other deprecations or behavior changes noted.

Next steps:

  • In github-modify/action.yml (line 17), update to:
    uses: actions/checkout@v5
  • Run your workflows—especially any Node-dependent steps—on CI or self-hosted runners to confirm compatibility with Node.js 24.
  • (Optional) Pin to a specific commit SHA instead of @v5 for stronger supply-chain security.
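An added example, not part of this PR or of CodeRabbit's review: a small audit that reports, for each actions/checkout step in workflow text, the ref in use, whether it is pinned to a full commit SHA, and whether persist-credentials is set to false. The sample steps, the placeholder SHA and the function names are constructed for illustration; the scan is line-based and assumes block-style YAML rather than a full YAML parse.

```python
import re

# Constructed sample, NOT github-modify/action.yml; the 40-hex ref is a placeholder.
SAMPLE = """\
steps:
  - name: default repo
    uses: actions/checkout@v4
  - name: tag only
    uses: actions/checkout@v5
    with:
      persist-credentials: false
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
    with:
      persist-credentials: false
  - run: echo done
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?actions/checkout@([^\s'\"#]+)")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$", re.I)
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def split_steps(text):
    """Group lines into list items: a '- ' line plus the deeper-indented lines under it."""
    steps, current, depth = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and full-line comments never end a step
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent > depth:
            current.append((no, raw))
        elif raw.lstrip().startswith("- "):
            current, depth = [(no, raw)], indent
            steps.append(current)
        else:
            current = None  # a shallower key closes the step
    return steps


def audit_checkout_steps(text):
    """One finding per actions/checkout step: ref, SHA pinning, credential persistence."""
    findings = []
    for step in split_steps(text):
        refs = [(no, m.group(1)) for no, raw in step if (m := USES.match(raw))]
        if refs:
            no, ref = refs[0]
            # A missing key counts as "not off": the action persists credentials by default.
            off = any(PERSIST_OFF.match(raw) for _, raw in step)
            findings.append({"line": no, "ref": ref, "persist_credentials_off": off,
                             "sha_pinned": bool(FULL_SHA.fullmatch(ref))})
    return findings
```

Steps where persist_credentials_off is true are the ones whose later fetch, push or submodule operations need credentials supplied explicitly, which is the caller check the review asks for.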

@mulkieran mulkieran merged commit 671c11f into stratis-storage:master Aug 20, 2025
2 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in 2025August Aug 20, 2025
@mulkieran mulkieran deleted the issue_project_807 branch August 20, 2025 14:52
@mulkieran mulkieran moved this from Done to Done(3) in 2025August Aug 25, 2025