chore(ci): bump actions/checkout from 4.3.1 to 6.0.2#83
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
lml2468
left a comment
lml2468
left a comment
There was a problem hiding this comment.
[APPROVE] Version verified against official repo tags. Dependabot SHA-pinned bump — safe to merge.
Jerry-Xin
left a comment
Jerry-Xin
left a comment
There was a problem hiding this comment.
This PR is project-relevant: it updates CI and Docker publishing workflow infrastructure for this repository, and I found no blocking issues.
✅ Highlights
🔵 actions/checkout remains pinned to an immutable commit SHA in .github/workflows/ci.yml:39, .github/workflows/ci.yml:76, and .github/workflows/docker-publish.yml:156, preserving the repository’s existing supply-chain posture.
🔵 The v6 runtime compatibility risk is low here: the affected jobs use GitHub-hosted ubuntu-latest / ubuntu-24.04-arm runners, not repository-defined self-hosted runners, and checkout’s documented Node 24 runner requirement is satisfied by current GitHub-hosted runner infrastructure. (github.com)
🔵 The credential behavior change in checkout v6 does not appear to break these workflows. The PR preflight checkout already sets persist-credentials: false at .github/workflows/ci.yml:42, and the later CI/Docker steps do not depend on authenticated Git commands after checkout.
lml2468
left a comment
lml2468
left a comment
There was a problem hiding this comment.
Cross-review (qijingchun) — No issues. Standard Dependabot SHA-pinned bump (actions/checkout v4.3.1 → v6.0.2). All 3 call sites updated consistently. Would APPROVE but same GH account constraint.
2 participants
Bumps actions/checkout from 4.3.1 to 6.0.2.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)