From 3c159dacc3b0103d260b64221304b1311af08f45 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 23 Nov 2025 13:13:17 +0000 Subject: [PATCH 1/2] Bump actions/checkout from 5 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/build.yml | 6 +++--- .github/workflows/codeql.yml | 2 +- .github/workflows/deps-review.yml | 2 +- .github/workflows/qodana.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 02a7941723..887ba52827 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,7 +57,7 @@ jobs: psql --version Write-Host "Active .NET SDK: $(dotnet --version)" - name: Git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Restore tools run: dotnet tool restore - name: Restore packages @@ -165,7 +165,7 @@ jobs: 9.0.* 10.0.* - name: Git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Restore tools run: dotnet tool restore - name: InspectCode @@ -226,7 +226,7 @@ jobs: 9.0.* 10.0.* - name: Git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: fetch-depth: 2 - name: Restore tools diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 35c8171615..d602e86b63 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -30,7 +30,7 @@ jobs: 9.0.* 10.0.* - name: Git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: diff --git a/.github/workflows/deps-review.yml b/.github/workflows/deps-review.yml index 8461b453cf..ae5ae59895 100644 --- a/.github/workflows/deps-review.yml +++ b/.github/workflows/deps-review.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: 'Dependency Review' uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml index 83405f8027..29d4771f4e 100644 --- a/.github/workflows/qodana.yml +++ b/.github/workflows/qodana.yml @@ -29,7 +29,7 @@ jobs: 9.0.* 10.0.* - name: Git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis From 9798787267e6d48f4de8fd76b480ebe02b23e189 Mon Sep 17 00:00:00 2001 From: Bart Koelman <10324372+bkoelman@users.noreply.github.com> Date: Sun, 23 Nov 2025 14:53:59 +0100 Subject: [PATCH 2/2] Do not persist GHA credentials on checkout --- .github/workflows/build.yml | 5 +++++ .github/workflows/codeql.yml | 2 ++ .github/workflows/deps-review.yml | 10 ++++++---- .github/workflows/qodana.yml | 1 + 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 887ba52827..ebe5a26539 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,6 +58,8 @@ jobs: Write-Host "Active .NET SDK: $(dotnet --version)" - name: Git checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Restore tools run: dotnet tool restore - name: Restore packages 
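Review bot: The checkout step that gains `persist-credentials: false` in the build.yml hunk at -58,6 +58,8 is still referenced by the mutable tag `actions/checkout@v6`, so the hardening holds only as long as that tag keeps pointing at trusted code. Pinning to the full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha-of-v6> # v6` (placeholder; take the value from the upstream release), makes the reference immutable while still letting Dependabot bump it. The same applies to the other checkout steps touched in build.yml, codeql.yml, deps-review.yml and qodana.yml, and to the `github/codeql-action/init@v4` and `actions/dependency-review-action@v4` lines visible as context. The job bodies continue outside these hunks.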
@@ -166,6 +168,8 @@ jobs: 10.0.* - name: Git checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Restore tools run: dotnet tool restore - name: InspectCode @@ -228,6 +232,7 @@ jobs: - name: Git checkout uses: actions/checkout@v6 with: + persist-credentials: false fetch-depth: 2 - name: Restore tools run: dotnet tool restore diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d602e86b63..358feea6f7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -31,6 +31,8 @@ jobs: 10.0.* - name: Git checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: diff --git a/.github/workflows/deps-review.yml b/.github/workflows/deps-review.yml index ae5ae59895..97375e7e6f 100644 --- a/.github/workflows/deps-review.yml +++ b/.github/workflows/deps-review.yml @@ -8,7 +8,9 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: 'Checkout Repository' - uses: actions/checkout@v6 - - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + - name: 'Checkout Repository' + uses: actions/checkout@v6 + with: + persist-credentials: false + - name: 'Dependency Review' + uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml index 29d4771f4e..8b4aabe286 100644 --- a/.github/workflows/qodana.yml +++ b/.github/workflows/qodana.yml @@ -31,6 +31,7 @@ jobs: - name: Git checkout uses: actions/checkout@v6 with: + persist-credentials: false ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: Restore tools
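Review bot: In the build.yml hunk at -228,6 +232,7, `persist-credentials: false` is added next to `fetch-depth: 2`, but the steps that consume that history lie outside the hunk, so nothing here shows whether a later step runs an authenticated git command. Any `git push` or authenticated `git fetch` after this point will no longer find the job token. Such a step should receive the token explicitly, for that step only, rather than checkout being reverted to persist it. A short comment on the new line would record the intent, for example `persist-credentials: false # later steps must not inherit the job token through git`.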
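Review bot: The qodana.yml step at -31,6 +31,7 checks out `github.event.pull_request.head.sha`, so the steps that follow (starting with `Restore tools`) operate on contributor-controlled code. Dropping the persisted checkout credentials does not cover tokens handed to those steps through `env:` or `with:`. The workflow trigger and `permissions:` block are outside the hunk, so it is worth confirming that this workflow runs on `pull_request` rather than `pull_request_target` and that the job token is scoped to the minimum Qodana needs. The neighbouring options carry inline comments, so the new line could follow suit: `persist-credentials: false # do not leave the job token available to later steps via git`.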