Skip to content

chore(deps): bump actions/checkout from 4 to 6#42

Merged
jrphilo merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6
May 13, 2026
Merged

chore(deps): bump actions/checkout from 4 to 6#42
jrphilo merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 1, 2026
edited
Loading

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 1, 2026
@dependabot dependabot Bot requested a review from jrphilo as a code owner May 1, 2026 15:22
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 1, 2026
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 1, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 docs-preview 532ff06 Commit Preview URL

Branch Preview URL		 May 13 2026, 01:58 PM

@jrphilo
Copy link
Copy Markdown
Collaborator

jrphilo commented May 13, 2026

Ralphie verified this — ready to merge.

Verification

  • lint: ✓ (pre-existing no-img-element warning on src/components/Logo.tsx, not introduced by this bump)
  • build: ✓ (Next.js type-check + bundle)
  • check:links: ✓ (39 files, 3 internal links, 0 broken)

Changelog highlights

  • v5.0.0: action runtime updated to Node.js 24 (requires Actions runner v2.327.1+)
  • v6.0.0: persist credentials to a separate file under $RUNNER_TEMP instead of in-repo git config (requires runner v2.329.0+)
  • v6.0.1 / v6.0.2: worktree support for persist-credentials includeIf; preserve tag annotations + explicit fetch-tags
  • Release notes: https://github.com/actions/checkout/releases

Investigation

Elevated scrutiny applied: multi-major bump (v4 → v6, crossing two majors).

  • Ownership: same maintainer (actions/checkout under the actions org; releases by @ericsciple/@salmanmkc)
  • Auth/secrets: v6 changes credential persistence location (separate file in $RUNNER_TEMP vs in-repo git config) — investigated → no impact. Our .github/workflows/ci.yml uses actions/checkout bare with no inputs in all three jobs (lint/build/links); we don't read persist-credentials, don't run Docker container actions that need the persisted token, and don't post-process the git config. Plain checkout → setup → install → run flow is unaffected.
  • Security advisory: none referenced in v5.x or v6.x release notes
  • Deprecations: none we'd hit
  • Breaking API: runner-version floor raised to v2.329.0 (v6) — investigated → no impact. We run on GitHub-hosted ubuntu-latest, which is always current; v2.329.0 shipped in mid-2025.

Recommendation

Safe to merge for our usage. Diff is three identical @v4@v6 pin changes across three jobs that all use actions/checkout with no inputs. The v6 credential-handling change is invisible without Docker container action consumers, and the runner-version floor is satisfied by GitHub-hosted runners.

@jrphilo jrphilo added the ralphie:ready-to-merge Ralphie verified; maintainer to merge label May 13, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 0e0a6eb to 8c810a6 Compare May 13, 2026 13:46
@dependabot
chore(deps): bump actions/checkout from 4 to 6
532ff06 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 8c810a6 to 532ff06 Compare May 13, 2026 13:56
@jrphilo jrphilo merged commit 348b842 into main May 13, 2026
5 checks passed
@jrphilo jrphilo deleted the dependabot/github_actions/actions/checkout-6 branch May 13, 2026 14:23
@jrphilo jrphilo mentioned this pull request May 13, 2026
Merged
7 tasks
jrphilo added a commit that referenced this pull request May 13, 2026
@jrphilo @claude
chore(deps): batch security overrides for protobufjs + fast-xml-builder
ce354ba 
Combines #52 and #53 into a single PR off main, avoiding the
rebase cascade after #44/#42/#54/#55 churn. Both are mechanical
pnpm.overrides additions:

- protobufjs ^7.5.6 — clears alerts #7-14
  (GHSA-q6x5-8v7m-xcrf, GHSA-jvwf-75h9-cwgg, GHSA-75px-5xx7-5xc7,
   GHSA-fx83-v9x8-x52w, GHSA-2pr8-phx7-x9h3, GHSA-66ff-xgx4-vchm,
   GHSA-685m-2w69-288q). Reached via posthog-js OTLP exporter;
   not directly imported by our app.

- fast-xml-builder ^1.1.7 — clears alerts #3, #4
  (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc). Reached via
   @opennextjs/cloudflare → AWS SDK build/deploy tooling; not
   directly used.

Replaces #52, #53.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jrphilo added a commit that referenced this pull request May 13, 2026
@jrphilo @claude
chore(deps): batch security overrides for protobufjs + fast-xml-build…
1d77906 
…er (#57)

Combines #52 and #53 into a single PR off main, avoiding the
rebase cascade after #44/#42/#54/#55 churn. Both are mechanical
pnpm.overrides additions:

- protobufjs ^7.5.6 — clears alerts #7-14
  (GHSA-q6x5-8v7m-xcrf, GHSA-jvwf-75h9-cwgg, GHSA-75px-5xx7-5xc7,
   GHSA-fx83-v9x8-x52w, GHSA-2pr8-phx7-x9h3, GHSA-66ff-xgx4-vchm,
   GHSA-685m-2w69-288q). Reached via posthog-js OTLP exporter;
   not directly imported by our app.

- fast-xml-builder ^1.1.7 — clears alerts #3, #4
  (GHSA-5wm8-gmm8-39j9, GHSA-45c6-75p6-83cc). Reached via
   @opennextjs/cloudflare → AWS SDK build/deploy tooling; not
   directly used.

Replaces #52, #53.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jrphilo jrphilo Awaiting requested review from jrphilo jrphilo is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code ralphie:ready-to-merge Ralphie verified; maintainer to merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrphilo