chore(ci): bump actions/checkout from 4.2.2 to 6.0.2 #76
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from
lml2468
left a comment
[APPROVE] Major version bump (v4→v6); CI passed on both jobs, confirming compatibility.
Verified
Both CI jobs (yamllint + kustomize build) ran successfully with the new SHA de0fac2e pinned at v6.0.2. Dependabot-sourced with pinned commit SHA — correct supply-chain pattern. No inputs or outputs from actions/checkout are used beyond the default checkout behavior in these workflows, so interface changes in v5/v6 are transparent here.
🔵 Note: skipping two major versions (v4→v6) is unusual. If a v5 introduced breaking changes that affect any workflow relying on actions/checkout outputs (e.g., token, ref, ssh-key), those workflows should be audited. None of the current workflows in this repo use those outputs, so this is safe here.
Jerry-Xin
left a comment
This PR is in scope: it updates the project’s CI workflow dependency pin for actions/checkout, which is directly relevant to repository maintenance.
🔴 Blocking
None.
💬 Non-blocking
None.
✅ Highlights
🔵 Suggestion/Validation: The new pinned SHA in .github/workflows/ci.yml:34 and .github/workflows/ci.yml:63 matches the actions/checkout v6.0.2 tag. The workflow uses GitHub-hosted ubuntu-latest runners and does not use Docker container action scenarios after checkout, so the Node 24 and runner-version implications of checkout v5/v6 do not appear to introduce a compatibility issue here.
🔵 Suggestion/Validation: The repository already pins actions by full commit SHA with version comments, and this PR preserves that supply-chain hardening pattern.
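The pinning pattern described in the reviews above (full commit SHA plus a version comment) can be checked mechanically across workflow files. The following is an added example, not code from this PR or repository; `audit_workflow` is a hypothetical helper name, and the action names and SHAs in the sample workflow are constructed placeholders.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, with an optional trailing comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full-length commit SHA only
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}\b")  # e.g. "v6.0.2" or "6.0"

def audit_workflow(text):
    """Return (line_no, action, problem) for each weakly pinned `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local ./path action with no @ref
        action, ref = m.group("action"), m.group("ref")
        comment = (m.group("comment") or "").strip()
        if action.startswith("docker://"):
            continue  # image digests follow different pinning rules; out of scope here
        if not FULL_SHA_RE.match(ref):
            # Tags, branches and abbreviated SHAs can all be moved or collide.
            findings.append((line_no, action, f"mutable ref '{ref}'"))
        elif not VERSION_COMMENT_RE.match(comment):
            # A bare SHA is immutable but gives reviewers no version to compare against.
            findings.append((line_no, action, "SHA pin has no version comment"))
    return findings

# Constructed sample workflow: placeholder action names and SHAs, not real pins.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: example-org/example-action@v6
      - uses: example-org/other-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: example-org/third-action@main
"""

if __name__ == "__main__":
    for line_no, action, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}: {problem}")
```

This checks only the form of the pin; confirming that a SHA is the commit a given tag points to still requires resolving the tag against the action's repository, as the reviewers did.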
lml2468
left a comment
Review at 1e190e7
Dependabot bump: actions/checkout v4.2.2 → v6.0.2. Two sites in ci.yml.
Verification
| Check | Result |
|---|---|
| CI (9/9) | ✅ All green |
| Pinned SHA de0fac2e… matches actions/checkout tag v6.0.2 | ✅ Verified via git/ref/tags/v6.0.2 |
| Both checkout sites updated consistently | ✅ |
No issues. Ship it.
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
1e190e7 to 0234181
Bumps actions/checkout from 4.2.2 to 6.0.2.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)