build(deps): bump actions/checkout from 6.0.2 to 6.0.3

[dependabot]

Bumps actions/checkout from 6.0.2 to 6.0.3.

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[opencode-agent]

OpenCode Agent could not approve because GitHub Checks were still pending before approval.

• Result: REQUEST_CHANGES
• Reason: current-head GitHub Checks did not all complete before the bounded approval wait ended for 1d43f4b3400737100b58732770ab5b665652a8a0.
• Head SHA: 1d43f4b3400737100b58732770ab5b665652a8a0
• Workflow run: 27635732716
• Workflow attempt: 1

Pending checks:

• build-baseline/build / macos / amd64: IN_PROGRESS (https://github.com/Seongho-Bae/bandscope/actions/runs/27635733497/job/81722303534)

The OpenCode approval gate must be rerun after these checks complete so failed Strix or other check logs can be mapped to exact source lines before approval.

[opencode-agent]

OpenCode Review Overview

• Head SHA: be692dee003bb9b758a0fb6f0323297a7ddb343a
• Workflow run: 27751354853
• Workflow attempt: 1
• Gate result: APPROVE (approval step)

Pull request overview

PR updates actions/checkout from v6.0.2 to v6.0.3. This is a patch version update containing only bug fixes and security improvements. The change maintains the same Node.js runtime version (Node 20) and has no breaking changes. The workflow functionality remains unchanged.

Findings

No blocking findings from OpenCode's independent review.

Verification

• Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
• Structural exploration: completed before approval; if structural exploration, changed-file inspection, or evidence completeness is missing, OpenCode must not approve.
• Result: APPROVE
• Reason: Safe dependency update with no breaking changes

Gate evidence

• Head SHA: be692dee003bb9b758a0fb6f0323297a7ddb343a
• Workflow run: 27751354853
• Workflow attempt: 1

[github-actions]

@coderabbitai review

Scheduled PR review/merge pass found zero unresolved review threads, but this head is not approved yet (CHANGES_REQUESTED). Please review this current head so the normal merge gate can decide it.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[opencode-agent]

Pull request overview

OpenCode found current-head GitHub Check failures and could not approve until they are mapped to source-backed fixes.

Findings

Line-specific fallback findings:

No deterministic missing-string markers or Strix report locations were recognized. Use the failed-check evidence below to map each failed check to exact local source lines before approving.

Verification

• Review source: independent OpenCode failed-check diagnosis using current-head check evidence.
• Result: REQUEST_CHANGES
• Reason: one or more GitHub Checks failed on current head 5a64e73a8e4cb10712cdd6c4b6bf0ec0d9628fdb.

Gate evidence

• Head SHA: 5a64e73a8e4cb10712cdd6c4b6bf0ec0d9628fdb
• Workflow run: 27735920182
• Workflow attempt: 1

Failed checks:

• security-audit/security-audit: FAILURE (https://github.com/Seongho-Bae/bandscope/actions/runs/27735920185/job/82052620132)

Failed check evidence for line-specific fixes:

Failed GitHub Check Evidence

• PR: #330
• Head SHA: 5a64e73a8e4cb10712cdd6c4b6bf0ec0d9628fdb
• Repository: Seongho-Bae/bandscope

Line-specific repair contract

• Treat the check logs and annotations below as diagnostic evidence, not as a complete review.

• For each actionable failed check, inspect the local source or diff and identify the exact file line that must change.

• OpenCode REQUEST_CHANGES findings must include path, line, root_cause, fix_direction, regression_test_direction, and suggested_diff.

• Do not request changes with only a GitHub Actions URL or a generic check name.

• When Strix logs contain multiple Vulnerability Report or Model ... Vulnerabilities ... sections, include every model-reported vulnerability in the review evidence and findings, including model name, title, severity, endpoint, and Code Locations/path:line evidence when present.

• Create one OpenCode finding per Strix model vulnerability report; do not satisfy two model reports with one combined finding, even when titles or locations match.

Failed check: security-audit/security-audit

• Type: check_run
• Conclusion: FAILURE
• Details URL: https://github.com/Seongho-Bae/bandscope/actions/runs/27735920185/job/82052620132
• Workflow run id: 27735920185
• Check run id: 82052620132

Failed job steps

• step 11: Install cargo-audit (failure)

Check annotations

• .github:38-38 [failure] Process completed with exit code 101.

Failed log signal summary

security-audit	Install cargo-audit	2026-06-18T04:04:51.1234793Z ##[error]Process completed with exit code 101.

Failed log excerpt

security-audit	Install cargo-audit	2026-06-18T04:04:50.6961949Z ##[group]Run cargo +stable install cargo-audit --locked
security-audit	Install cargo-audit	2026-06-18T04:04:50.6962389Z ^[[36;1mcargo +stable install cargo-audit --locked^[[0m
security-audit	Install cargo-audit	2026-06-18T04:04:50.6994381Z shell: /usr/bin/bash -e {0}
security-audit	Install cargo-audit	2026-06-18T04:04:50.6994642Z env:
security-audit	Install cargo-audit	2026-06-18T04:04:50.6994834Z   GIT_CONFIG_COUNT: 1
security-audit	Install cargo-audit	2026-06-18T04:04:50.6995086Z   GIT_CONFIG_KEY_0: init.defaultBranch
security-audit	Install cargo-audit	2026-06-18T04:04:50.6995406Z   GIT_CONFIG_VALUE_0: develop
security-audit	Install cargo-audit	2026-06-18T04:04:50.6995731Z   pythonLocation: /opt/hostedtoolcache/Python/3.12.13/x64
security-audit	Install cargo-audit	2026-06-18T04:04:50.6996177Z   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib/pkgconfig
security-audit	Install cargo-audit	2026-06-18T04:04:50.6996610Z   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
security-audit	Install cargo-audit	2026-06-18T04:04:50.6996999Z   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
security-audit	Install cargo-audit	2026-06-18T04:04:50.6997382Z   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.12.13/x64
security-audit	Install cargo-audit	2026-06-18T04:04:50.6997780Z   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.12.13/x64/lib
security-audit	Install cargo-audit	2026-06-18T04:04:50.6998180Z   UV_PYTHON_INSTALL_DIR: /home/runner/work/_temp/uv-python-dir
security-audit	Install cargo-audit	2026-06-18T04:04:50.6998535Z ##[endgroup]
security-audit	Install cargo-audit	2026-06-18T04:04:50.8143403Z     Updating crates.io index
security-audit	Install cargo-audit	2026-06-18T04:04:50.8817941Z  Downloading crates ...
security-audit	Install cargo-audit	2026-06-18T04:04:50.9200671Z   Downloaded cargo-audit v0.22.2
security-audit	Install cargo-audit	2026-06-18T04:04:50.9643132Z   Installing cargo-audit v0.22.2
security-audit	Install cargo-audit	2026-06-18T04:04:50.9727969Z     Updating crates.io index
security-audit	Install cargo-audit	2026-06-18T04:04:51.1180746Z error: failed to get `arc-swap` as a dependency of package `abscissa_core v0.9.0`
security-audit	Install cargo-audit	2026-06-18T04:04:51.1182036Z     ... which satisfies dependency `abscissa_core = "^0.9"` (locked to 0.9.0) of package `cargo-audit v0.22.2`
security-audit	Install cargo-audit	2026-06-18T04:04:51.1183005Z 
security-audit	Install cargo-audit	2026-06-18T04:04:51.1183265Z Caused by:
security-audit	Install cargo-audit	2026-06-18T04:04:51.1183836Z   failed to load source for dependency `arc-swap`
security-audit	Install cargo-audit	2026-06-18T04:04:51.1184221Z 
security-audit	Install cargo-audit	2026-06-18T04:04:51.1184352Z Caused by:
security-audit	Install cargo-audit	2026-06-18T04:04:51.1184742Z   unable to update registry `crates-io`
security-audit	Install cargo-audit	2026-06-18T04:04:51.1185088Z 
security-audit	Install cargo-audit	2026-06-18T04:04:51.1185225Z Caused by:
security-audit	Install cargo-audit	2026-06-18T04:04:51.1185591Z   download of ar/c-/arc-swap failed
security-audit	Install cargo-audit	2026-06-18T04:04:51.1185901Z 
security-audit	Install cargo-audit	2026-06-18T04:04:51.1186035Z Caused by:
security-audit	Install cargo-audit	2026-06-18T04:04:51.1186336Z   curl failed
security-audit	Install cargo-audit	2026-06-18T04:04:51.1186524Z 
security-audit	Install cargo-audit	2026-06-18T04:04:51.1186650Z Caused by:
security-audit	Install cargo-audit	2026-06-18T04:04:51.1187017Z   [18] Transferred a partial file
security-audit	Install cargo-audit	2026-06-18T04:04:51.1234793Z ##[error]Process completed with exit code 101.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[opencode-agent]

Pull request overview

PR updates actions/checkout from v6.0.2 to v6.0.3. This is a patch version update containing only bug fixes and security improvements. The change maintains the same Node.js runtime version (Node 20) and has no breaking changes. The workflow functionality remains unchanged.

Findings

No blocking findings from OpenCode's independent review.

Verification

• Review source: independent OpenCode review of the current checkout, focused changed hunks, and current-head GitHub Check evidence.
• Structural exploration: completed before approval; if structural exploration, changed-file inspection, or evidence completeness is missing, OpenCode must not approve.
• Result: APPROVE
• Reason: Safe dependency update with no breaking changes

Gate evidence

• Head SHA: be692dee003bb9b758a0fb6f0323297a7ddb343a
• Workflow run: 27751354853
• Workflow attempt: 1

[seonghobae]

Merge gate evidence for current head be692dee003bb9b758a0fb6f0323297a7ddb343a:

• OpenCode Review approved current head and explicitly recorded mandatory structural exploration as completed.
• Required checks passed: CodeQL, ci / build-and-test, dependency-review, gate / build / macos, gate / build / windows, release-preflight, sbom, security-audit, trivy-fs-scan.
• Cross-platform build-baseline passed for macOS amd64/arm64 and Windows amd64/arm64.
• Review threads: 0 unresolved.
• Manual diff review: limited to .github/workflows/opencode-review.yml, updating actions/checkout from SHA-pinned v6.0.2 to SHA-pinned v6.0.3. No permissions were expanded and no runtime app code, IPC, WebView, file handling, subprocess, model, export, or user-facing behavior path changed.

Supply-chain / Security Notes:

• Third-party action remains commit-SHA pinned, matching docs/security/dependency-policy.md.
• Dependency-review, SBOM, security-audit, CodeQL, Trivy, and Scorecard workflow checks all ran on the current head; ossf-scorecard and scorecard-sarif-upload passed.
• Windows and macOS build gates remained required and passed, matching docs/security/cross-platform-build-policy.md.
• The neutral Scorecard code-scanning check is the known GitHub code-scanning integration mismatch while the Scorecard workflow and SARIF upload passed; Scorecard code-scanning will be restored immediately after merge.