chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 #15
dependabot[bot] wants to merge 1 commit into
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/ci.yaml (1)
24-24: ⚡ Quick win: Consider adding `persist-credentials: false` to harden security posture.
The checkout action currently leaves the GITHUB_TOKEN accessible in `.git/config` for subsequent workflow steps. On self-hosted runners, this increases the risk of credential leakage through artifacts, logs, or incomplete workspace cleanup. Setting `persist-credentials: false` is a security best practice unless subsequent steps explicitly require Git authentication.
🔒 Proposed fix to disable credential persistence
Apply this pattern to all four checkout steps (lines 24, 42, 52, 64):
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + with: + persist-credentials: falseAlso applies to: 42-42, 52-52, 64-64
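Review bot: the `+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4` line in the suggested fix carries the stale `# v4` comment on a commit that this same review identifies as v6.0.3; since the suggestion already rewrites the step, it should correct the comment to `# v6.0.3` in the same change so the hash pin stays auditable against its tag. One caveat worth stating next to the suggestion: once `persist-credentials: false` is set, any later step in the same job that pushes or fetches with the job token stops working until it is given an explicit token, so the four steps should be checked for such followers before the pattern is applied everywhere.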
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yaml:
- Line 24: The inline comment on the pinned checkout action is incorrect: update
the comment on the checkout steps that use
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" (currently labeled
"# v4") to the accurate tag "# v6.0.3" (or remove the comment entirely) for all
occurrences (the checkout steps with that pinned commit hash).
---
Nitpick comments:
In @.github/workflows/ci.yaml:
- Line 24: Update each GitHub Actions checkout step that uses
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to include the
option persist-credentials: false (add the key under the same step where uses:
actions/checkout@... is declared) for all four occurrences so the GITHUB_TOKEN
is not written into .git/config on the runner; ensure you apply this to the
checkout steps currently at the four occurrences referenced in the review so
later steps that do need Git auth explicitly opt-in or use an explicit token.
📒 Files selected for processing (1)
.github/workflows/ci.yaml
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 |
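Review bot: the replaced `uses:` line updates the pinned SHA from de0fac2 to df4cb1c but leaves the trailing `# v4` comment unchanged, even though the PR title says the bump is to 6.0.3; a hash pin is only reviewable when the comment beside it names the tag the hash actually carries, so the comment should become `# v6.0.3` (or be dropped) in this hunk and the other three checkout steps. The step also still has no `with: persist-credentials: false`, which is what the zizmor `artipacked` warning on line 24 is about, so this bump does not change the token-persistence behaviour of the job.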
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Description: Verify the actual version tag for the pinned commit hash
# Check what tags point to this commit in the actions/checkout repository
gh api repos/actions/checkout/git/refs/tags \
  --jq '.[] | select(.object.sha == "df4cb1c069e1874edd31b4311f1884172cec0e10" or .object.type == "tag") | .ref' \
  | head -20

# Alternative: Get commit details and check associated tags
gh api repos/actions/checkout/commits/df4cb1c069e1874edd31b4311f1884172cec0e10 \
  --jq '{sha: .sha, message: .commit.message, author_date: .commit.author.date}'

# Check tags containing this commit
gh api repos/actions/checkout/tags \
  --jq '.[] | select(.commit.sha == "df4cb1c069e1874edd31b4311f1884172cec0e10") | {name: .name, commit: .commit.sha}'
```
Repository: somethingwithproof/gitops-infrastructure-demo
Length of output: 456
Fix incorrect actions/checkout version labels in CI
The pinned actions/checkout commit df4cb1c069e1874edd31b4311f1884172cec0e10 corresponds to tag v6.0.3 (and v6), but the workflow inline comment remains # v4 on the checkout steps at lines 24/42/52/64. Update those comments to # v6.0.3 (or remove them) to keep the version labeling accurate.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 24-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
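Both review points (a version comment that no longer matches the pinned commit, and checkout steps that keep the job token in `.git/config`) are mechanical enough to check in CI before a bump like this one is merged. The script below is an added example, not code from this PR, from CodeRabbit or from the repository: it parses the `- uses:` steps of a workflow file, compares each SHA pin's trailing comment against a SHA-to-tag table, and flags `actions/checkout` steps without `persist-credentials: false`. The workflow text and the `KNOWN_TAGS` table are constructed inline; in practice the table would be filled from a tag lookup like the `gh api` calls in the analysis chain above.

```python
import re

# Constructed sample workflow modelled on the four checkout steps discussed
# in the review; it is not the repository's actual ci.yaml.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4
      - run: echo lint
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
"""

# Constructed SHA -> tags table standing in for the result of a tag lookup
# against the action repository (the review's gh api calls produce this).
KNOWN_TAGS = {
    "df4cb1c069e1874edd31b4311f1884172cec0e10": {"v6", "v6.0.3"},
}

# Matches "- uses: owner/repo@<40-hex sha>" with an optional "# tag" comment.
USES_RE = re.compile(
    r"^(\s*)-\s+uses:\s+(\S+)@([0-9a-f]{40})\s*(?:#\s*(\S+))?\s*$"
)


def parse_steps(workflow_text):
    """Return a list of dicts describing every SHA-pinned `uses:` step.

    Line-based on purpose so it runs without PyYAML; it assumes the usual
    `- uses:` / `with:` layout and collects the step's `with:` keys.
    """
    lines = workflow_text.splitlines()
    steps = []
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent = len(m.group(1))
        step = {"line": i + 1, "action": m.group(2), "sha": m.group(3),
                "tag_comment": m.group(4), "with": {}}
        in_with, with_indent = False, None
        j = i + 1
        while j < len(lines):  # every deeper-indented line belongs to this step
            line = lines[j]
            if not line.strip():
                j += 1
                continue
            indent = len(line) - len(line.lstrip())
            if indent <= dash_indent:
                break
            stripped = line.strip()
            if stripped == "with:":
                in_with, with_indent = True, indent
            elif in_with and indent > with_indent:
                key, _, value = stripped.partition(":")
                step["with"][key.strip()] = value.strip()
            else:
                in_with = False  # left the with: block (env:, if:, ...)
            j += 1
        steps.append(step)
        i = j
    return steps


def audit_workflow(workflow_text, known_tags):
    """Return findings as (line_no, code, message) tuples."""
    findings = []
    for step in parse_steps(workflow_text):
        tags = known_tags.get(step["sha"], set())
        label = step["tag_comment"]
        short = step["sha"][:7]
        if label is None:
            findings.append((step["line"], "unlabelled-pin",
                             f"{step['action']}@{short} has no version comment"))
        elif label not in tags:
            findings.append((step["line"], "stale-version-comment",
                             f"comment says {label} but {short} is tagged {sorted(tags) or 'unknown'}"))
        # The token stays in .git/config unless persist-credentials is off.
        if step["action"] == "actions/checkout" and step["with"].get("persist-credentials") != "false":
            findings.append((step["line"], "persist-credentials",
                             "actions/checkout keeps the job token in .git/config; set persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for line_no, code, message in audit_workflow(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {line_no}: [{code}] {message}")
```

On the sample the `lint` checkout is reported twice (stale `v4` comment and no `persist-credentials: false`), `build` is clean, and `deploy` is reported once for the missing `persist-credentials: false`; the `setup-go@v5` step is ignored because it is not SHA-pinned, which is the kind of step a separate pin-everything rule would catch.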
Superseded by #16.
Bumps actions/checkout from 6.0.2 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- df4cb1c Update changelog for v6.0.3 (#2446)
- 1cce339 Fix checkout init for SHA-256 repositories (#2439)
- 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
- 0c366fd Update changelog (#2357)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)