build(deps): bump actions/checkout from 4.3.1 to 6.0.2#21
build(deps): bump actions/checkout from 4.3.1 to 6.0.2#21dependabot[bot] wants to merge 1 commit intomasterfrom
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Up to standards ✅🟢 Issues
|
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
This PR cannot be merged as it attempts to update the 'actions/checkout' action to a non-existent version (6.0.2). The current latest stable major version is v4. Referencing an invalid version will cause all modified workflows to fail. Additionally, the intent to move to a (theoretical) v6 involves a major change in credential persistence—moving from the local git config to $RUNNER_TEMP—which requires a minimum GitHub Runner version of 2.329.0 and may break downstream steps relying on standard git configuration.
About this PR
- Major version upgrades for actions/checkout (v4+) change how credentials are persisted, moving them to $RUNNER_TEMP instead of the local git config. This requires a minimum runner version of v2.329.0. Ensure your environment meets this requirement and that no downstream steps depend on credentials being in the git config.
Test suggestions
- Verify successful repository checkout in the 'deleted-files.yml' workflow using v6.0.2.
- Verify successful repository checkout and persistence of 'fetch-depth' behavior in the readability report workflow.
- Verify that the GitHub Runner version is at least 2.329.0 to support the new credential persistence mechanism in v6.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify successful repository checkout in the 'deleted-files.yml' workflow using v6.0.2.
2. Verify successful repository checkout and persistence of 'fetch-depth' behavior in the readability report workflow.
3. Verify that the GitHub Runner version is at least 2.329.0 to support the new credential persistence mechanism in v6.
Low confidence findings
- The PR lacks automated validation to verify that the workflows remain functional after the version update. Given the potential for breaking changes in credential handling, verification steps are necessary.
🗒️ Improve review quality by adding custom instructions
| steps: | ||
| - name: Checkout repo with history | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
🔴 HIGH RISK
The version v6.0.2 for actions/checkout does not exist. The latest major version is v4. Using a non-existent version will cause the workflow to fail. Try running the following prompt in your coding agent: > Update all actions/checkout references to the latest v4 release SHA and version tag.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
🔴 HIGH RISK
The version v6.0.2 for actions/checkout does not exist. The latest major version is v4. Using a non-existent version will cause the workflow to fail. Try running the following prompt in your coding agent: > Update all actions/checkout references to the latest v4 release SHA and version tag.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
🔴 HIGH RISK
The version v6.0.2 for actions/checkout does not exist. The latest major version is v4. Using a non-existent version will cause the workflow to fail. Try running the following prompt in your coding agent: > Update all actions/checkout references to the latest v4 release SHA and version tag.
Bumps actions/checkout from 4.3.1 to 6.0.2.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)