chore(ci): bump actions/checkout from 4 to 6#28
Conversation
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Jerry-Xin
left a comment
Jerry-Xin
left a comment
There was a problem hiding this comment.
The PR is in scope and safely updates this repository’s CI checkout action from v4 to v6.
✅ Highlights
.github/workflows/ci.yml:46keepspersist-credentials: falseon the PR path-filter checkout, preserving the existing safer token behavior..github/workflows/ci.yml:76,.github/workflows/ci.yml:91, and.github/workflows/ci.yml:106run onubuntu-latest; no self-hosted runner compatibility issue is introduced.- The downstream CI steps only run Go setup/build/test/vet, so the
actions/checkout@v6credential persistence change does not affect the workflow. git diff --check main...HEADpassed with no whitespace issues.
No blocking or non-blocking issues found.
lml2468
left a comment
lml2468
left a comment
There was a problem hiding this comment.
Verdict: APPROVED
Dependabot bump: actions/checkout v4 → v6.0.2. CI green (Build/Test/Vet pass).
Verification:
- SHA
de0fac2e4500dabe0009e67214ff5f5447ce83ddmatchesactions/checkout@v6.0.2tag ✅ - 4 occurrences updated consistently ✅
- Major version bump (v4→v6) with no CI regressions ✅
Non-blocking:
- First usage pins to SHA (good), but the other 3 use floating tag
@v6. Pre-existing inconsistency — not introduced by this PR. Consider pinning all to SHA in a follow-up for consistent supply chain posture.
LGTM.
lml2468
left a comment
lml2468
left a comment
There was a problem hiding this comment.
[APPROVE] — reviewer account matches PR author; flagging for a human maintainer to merge.
Bump actions/checkout v4 → v6 (skipping v5). Confirmed v6.0.2 is a real, published release. Dependabot correctly handles the mixed usage: SHA-pinned in the changes job (34e114... → de0fac... # v6.0.2) and mutable-tag in build/test/vet (@v4 → @v6). All CI passing. No blockers.
🔵 Non-blocking: the two-major-version jump (v4→v6, no v5 intermediate) is intentional — v5 and v6 were both released by GitHub; Dependabot targets latest major, which is correct.
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
2 times, most recently
from
8af44e2 to
2c14092
Compare
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
from
2c14092 to
b12e1fc
Compare
2 participants
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)