2 changes: 1 addition & 1 deletion .github/workflows/test.yml
@@ -13,7 +13,7 @@ jobs:
name: Foundry project
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v5
with:
submodules: recursive
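Review bot: the bump goes from `@v3` straight to `@v5`, skipping v4, so the breaking changes of both major releases apply to this job and should be checked before merging, not only the v5 notes. `@v5` is a floating major tag that upstream can move at any time, and git tags in general are mutable, so if reproducible and tamper-evident checkouts matter here, pin `uses:` to the full commit SHA (keeping the tag name in a trailing comment for readability); `submodules: recursive` is unaffected by either choice.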
Comment on lines +16 to 18
💡 Verification agent

🧩 Analysis chain

Optional hardening: pin the action to a fixed version (tag or SHA).

Using a floating major tag means the behavior can change on patch bumps. If your standards require determinism, pin to v5.0.0 or the corresponding commit SHA.

Use this to get the exact commit for v5.0.0:

Then update the step (example using a fixed tag):

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0

Or pin to the full commit SHA if your policy mandates it:

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@<commit-sha>

🏁 Script executed:

#!/bin/bash
# Get the commit SHA behind tag v5.0.0
git ls-remote --tags https://github.com/actions/checkout v5.0.0^{} | awk '{print $1}'

Length of output: 89


🏁 Script executed:

#!/bin/bash
set -e
# Fetch all tags, filter for v5.x, sort, and pick the latest
latest_tag=$(git ls-remote --tags https://github.com/actions/checkout \
  | awk '{print $2}' \
  | sed 's#refs/tags/##' \
  | grep '^v5\.' \
  | sort -V \
  | tail -1)
echo "Latest v5 tag: $latest_tag"
# Resolve the commit SHA behind that tag
git ls-remote --tags https://github.com/actions/checkout "${latest_tag}^{}" | awk '{print $1}'

Length of output: 311


🏁 Script executed:

#!/bin/bash
set -e
# Retrieve the commit SHA for the lightweight tag v5.0.0
git ls-remote --tags https://github.com/actions/checkout v5.0.0 | awk '{print $1}' | head -1

Length of output: 144


Pin checkout action to a fixed version or commit SHA
Floating the major tag allows untracked patch changes. This should be pinned to v5.0.0 or the exact SHA for determinism.

• File: .github/workflows/test.yml (lines 16–18)
• Commit SHA for v5.0.0: 08c6903cd8c0fde910a37f88322edcfb5dd907a8

Use one of the following diffs:

Pin to tag v5.0.0:

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5.0.0

Or pin to exact SHA:

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v5
with:
submodules: recursive
- uses: actions/checkout@v5.0.0
with:
submodules: recursive
Suggested change
- uses: actions/checkout@v5
with:
submodules: recursive
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
with:
submodules: recursive
🤖 Prompt for AI Agents
In .github/workflows/test.yml around lines 16 to 18, the checkout action is
using the floating major tag "actions/checkout@v5" which can pull unintended
patch changes; update the uses value to a pinned reference by replacing
"actions/checkout@v5" with either the fixed tag "actions/checkout@v5.0.0" or the
exact commit SHA "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" to
ensure deterministic CI behavior.
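A file-level audit for the pinning issue raised in the comment, added here as an example that is not part of the PR or the review bot's output: it scans a workflow file for every `uses:` reference that is not pinned to a full commit SHA, generalizing the single-line check above to all steps in the file. The workflow it reads is constructed inline from the hunk under review and is not the repository's real file.

```shell
#!/bin/bash
# Added example, not code from the PR or from the review bot.
# Audit a workflow file for `uses:` references that are not pinned to a full
# 40-hex commit SHA. Both floating (@v5) and fixed (@v5.0.0) tags are mutable
# git refs; only the commit SHA is immutable.

# Print "unpinned: <ref>" for each offending step; return 0 if every action
# is SHA-pinned, 1 otherwise. Local actions (./path) and docker:// refs are
# skipped since they are not versioned by a git ref.
find_unpinned() {
  local file="$1" line ref sha found=0
  while IFS= read -r line; do
    # Extract the value after "uses:", allowing an optional "- " and quotes.
    ref=$(printf '%s\n' "$line" |
      sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"#[:space:]]+)"?.*$/\1/p')
    [ -n "$ref" ] || continue
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    sha="${ref##*@}"
    # No "@" at all, or a ref that is not exactly 40 hex chars, is unpinned.
    if [ "$sha" = "$ref" ] || ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf 'unpinned: %s\n' "$ref"
      found=1
    fi
  done < "$file"
  return "$found"
}

# Constructed sample mirroring the hunk under review (not the repo's real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
jobs:
  test:
    name: Foundry project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          submodules: recursive
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - uses: ./.github/actions/local-step
EOF

# Prints "unpinned: actions/checkout@v5" and takes the else branch.
if find_unpinned "$sample"; then
  echo "all actions are SHA-pinned"
else
  echo "pin the refs listed above to a commit SHA"
fi
rm -f "$sample"
```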
