Bump actions/checkout from 4 to 6 in the github-actions group #5
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the github-actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
📝 Walkthrough
The Rust CI workflow is updated to use GitHub Actions checkout v6 instead of v4, replacing the action reference in the "Checkout sources" step.
Changes: CI Workflow Update
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/rust.yml:
- Around line 36-37: Update the "📥 Checkout sources" step that currently uses
actions/checkout@v6 to hard-pin to the v6.0.2 commit SHA and disable credential
persistence; specifically replace the mutable reference actions/checkout@v6 with
the exact v6.0.2 commit SHA and add persist-credentials: false to that checkout
step so the workflow no longer retains authenticated git credentials for later
steps.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 0822a029-ec60-4020-9ac8-f6584460f695
📒 Files selected for processing (1)
.github/workflows/rust.yml
| - name: 📥 Checkout sources | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
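Review bot: `uses: actions/checkout@v6` on the added line is still a mutable tag, so this bump only swaps one floating reference for another; pin the step to the full commit SHA of the intended v6 release and keep the tag in a trailing comment, and add `persist-credentials: false` under `with:` since, as the review comment below notes, no later step in this workflow needs authenticated git credentials (the zizmor findings `unpinned-uses` and `artipacked` below flag both points). Because this is a major bump from v4, also confirm that the runners in use support the Node.js 24 runtime documented for this line of the action (commit ff7abcd in the PR description) before merging.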
🧩 Analysis chain
🌐 Web query:
What is the official commit SHA for the latest stable actions/checkout v6 release, and does its README document persist-credentials default behavior and security implications?
💡 Result:
The latest stable release of actions/checkout as of June 1, 2026, is v6.0.2 [1]. The commit SHA for v6.0.2 is 11bd70f011116c478a87693246313203f56b7c5e. Regarding persist-credentials:
- The README explicitly documents the persist-credentials input [2][3].
- Its default behavior is true, meaning the action configures the authentication token (or SSH key) with the local git config to enable authenticated git commands [2][3].
- In v6, the action has been updated to improve security: instead of storing credentials directly in .git/config, they are now stored in a separate file under $RUNNER_TEMP [2][4][3].
- While the README highlights this as "improved credential security" [2][3], it acknowledges that the token remains available to subsequent steps in the job [2]. Users who wish to disable this behavior can explicitly set persist-credentials: false [2][3].
Citations:
- 1: https://github.com/actions/checkout
- 2: https://github.com/actions/checkout/?tab=readme-ov-file
- 3: https://github.com/marketplace/actions/checkout
- 4: actions/checkout@08c6903...1af3b93
Pin actions/checkout and disable persisted credentials
Line 37 uses mutable actions/checkout@v6, which weakens supply-chain guarantees; hard-pin to the v6.0.2 commit SHA. Also disable credential persistence since this workflow doesn’t need authenticated git credentials for later steps.
🔐 Proposed hardening patch
- name: 📥 Checkout sources
- uses: actions/checkout@v6
+ uses: actions/checkout@11bd70f011116c478a87693246313203f56b7c5e
+ with:
+ persist-credentials: false📝 Committable suggestion
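Review bot: the SHA `11bd70f011116c478a87693246313203f56b7c5e` in the `+ uses:` line should be verified against the v6.0.2 tag before this suggestion is committed: it comes from the web-query result above rather than from the repository, and it does not appear in the v4...v6 commit list in the PR description (whose newest entry is de0fac2). Resolve the tag with `git ls-remote --tags https://github.com/actions/checkout v6.0.2`, pin the peeled commit it reports, and append a `# v6.0.2` comment after the SHA so the pinned version stays readable to reviewers. The `persist-credentials: false` addition is fine as long as no later step in rust.yml pushes or fetches with the job token, which the comment above states is the case.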
| - name: 📥 Checkout sources | |
| uses: actions/checkout@v4 | |
| uses: actions/checkout@v6 | |
| - name: 📥 Checkout sources | |
| uses: actions/checkout@11bd70f011116c478a87693246313203f56b7c5e | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 36-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
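An added example, not code from this PR, from CodeRabbit or from actions/checkout: a stdlib-only Python check that implements the two findings raised on the checkout step (a mutable `uses:` reference, and an actions/checkout step that leaves `persist-credentials` at its default) over a constructed copy of the workflow, beside its hardened form, plus a helper that resolves a release tag to the commit SHA a pin must carry from `git ls-remote --tags` output, handling annotated tags whose commit is listed under `<tag>^{}`. The workflow text, the 40-hex SHA and the ls-remote output are constructed placeholders; `lint_workflow` and `commit_for_tag` are names chosen here.

```python
"""Added example (not code from this PR, CodeRabbit or actions/checkout): the two
findings raised above as a stdlib-only check, plus a helper resolving a release
tag to the commit SHA a pin must carry. All sample inputs are constructed."""
import re
from dataclasses import dataclass

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")


@dataclass
class Finding:
    line: int      # 1-based line of the `uses:` entry
    rule: str      # zizmor-style rule id
    message: str


def lint_workflow(text):
    """Flag mutable `uses:` references and actions/checkout steps that keep the
    default persist-credentials: true. Indentation-driven scan, not a YAML parser."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        action, at, pin = ref.rpartition("@")
        if not at:                      # local ./action or docker:// ref: nothing to pin
            continue
        if not SHA40.match(pin):
            findings.append(Finding(i + 1, "unpinned-uses",
                f"{ref} is a mutable tag/branch; pin the full 40-hex commit SHA"))
        if action != "actions/checkout":
            continue
        # Walk the rest of this step: lines indented at least as far as its keys.
        key_col, persist = line.index("uses:"), None
        for raw in lines[i + 1:]:
            if not raw.strip():
                continue
            if len(raw) - len(raw.lstrip()) < key_col:
                break                   # next step (or end of the steps list)
            km = KEY_RE.match(raw)
            if km and km.group(1) == "persist-credentials":
                persist = km.group(2).strip("\"'").lower()
        if persist != "false":
            findings.append(Finding(i + 1, "artipacked",
                "checkout keeps the job token available to later steps; "
                "set persist-credentials: false unless a later step must push"))
    return findings


def commit_for_tag(ls_remote_output, tag):
    """From `git ls-remote --tags <repo-url>` output, return the commit SHA a pin
    for `tag` must carry. An annotated tag is listed twice: the tag object as
    refs/tags/<tag> and the peeled commit as refs/tags/<tag>^{}; pin the latter."""
    plain = peeled = None
    for entry in ls_remote_output.splitlines():
        parts = entry.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed, not a real commit

# Constructed workflow: the checkout step as merged by this PR ...
WORKFLOW_BEFORE = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout sources
        uses: actions/checkout@v6
      - name: Build
        run: cargo build --verbose
"""

# ... and its hardened form: SHA pin with the tag kept as a comment, token not persisted.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "        uses: actions/checkout@v6\n",
    f"        uses: actions/checkout@{PLACEHOLDER_SHA} # v6.0.2 (placeholder)\n"
    "        with:\n"
    "          persist-credentials: false\n",
)

# Constructed ls-remote output: v6.0.2 is annotated (tag object + peeled commit);
# v6 is a lightweight tag on a different commit, which is why a tag is not a pin.
LS_REMOTE_SAMPLE = (
    f"{'a' * 40}\trefs/tags/v6.0.2\n"
    f"{PLACEHOLDER_SHA}\trefs/tags/v6.0.2^{{}}\n"
    f"{'b' * 40}\trefs/tags/v6\n"
)

if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        for f in lint_workflow(wf):
            print(f"{label}: [{f.rule}] line {f.line}: {f.message}")
    print("pin for v6.0.2:", commit_for_tag(LS_REMOTE_SAMPLE, "v6.0.2"))
```

Running the block reports both findings for the `before` workflow on the `uses:` line and none for the hardened one; `commit_for_tag` returns the peeled commit for the annotated v6.0.2 tag, which is the value to put after `actions/checkout@`, rather than the tag object's own SHA that the first ls-remote line shows.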
Bumps the github-actions group with 1 update: actions/checkout.
Updates `actions/checkout` from 4 to 6
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions