
renovate[bot]
Contributor

@renovate renovate bot commented Sep 22, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | major | v4 -> v5 |

Release Notes

actions/checkout (actions/checkout)

v5

Compare Source


Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vercel bot commented Sep 22, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| magic-regexp-docs | Ready | Preview | Comment | Sep 22, 2025 6:50am |

Diagnostics Comparison:

| Metric | Previous | New | Status |
|---|---|---|---|
| Files | 371 | 371 | ± (0.00%) |
| Lines | 166888 | 166888 | ± (0.00%) |
| Identifiers | 155637 | 155637 | ± (0.00%) |
| Symbols | 259596 | 259596 | ± (0.00%) |
| Types | 53581 | 53581 | ± (0.00%) |
| Instantiations | 396483 | 396483 | ± (0.00%) |
| Memory used | 372409K | 341137K | ▼ (-9.17%) |
| I/O read | 0.03s | 0.03s | ± (0.00%) |
| I/O write | 0s | 0s | ± (0.00%) |
| Parse time | 0.81s | 0.83s | ± (+2.41%) |
| Bind time | 0.34s | 0.36s | ± (+5.56%) |
| Check time | 2.02s | 2.01s | ± (-0.50%) |
| Emit time | 0.1s | 0.1s | ± (0.00%) |
| Total time | 3.27s | 3.3s | ± (+0.91%) |

codspeed-hq bot commented Sep 22, 2025

CodSpeed Performance Report

Merging #630 will not alter performance

Comparing renovate/actions-checkout-5.x (41d079a) with main (159e796)

Summary

✅ 6 untouched

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
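
Review bot: the new `- uses: actions/checkout@v5` line is a major-version bump, but the Release Notes section of this PR shows no changelog text under v5, so check the v5 release notes against the `ubuntu-latest` runner this job uses before merging. The line also keeps a movable tag reference; pinning it to the full commit SHA with a trailing `# v5` comment would tie the job to the commit that was reviewed.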

Suggested change
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

The checkout action uses a tag reference @v5 instead of the commit hash format used by other workflows in this repository, creating an inconsistent security approach.

Analysis

Inconsistent GitHub Actions pinning in provenance.yml breaks security pattern

What fails: provenance.yml uses tag reference actions/checkout@v5 instead of the commit hash pinning used by 4 other workflows, creating an inconsistent security approach in the repository

How to reproduce:

grep "checkout@" .github/workflows/*.yml
# Shows 4 files using: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5  
# Shows 2 files using: actions/checkout@v5

Result: Inconsistent pinning approach - 4 workflows use secure commit hash pinning, 2 use mutable tag references

Expected: All workflows should use the same commit hash format for consistency and security, per StepSecurity best practices, which recommend commit hash pinning for immutability against supply chain attacks
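
A check that generalizes the grep in the comment above to every `uses:` reference, as an added example that is not part of the original comment or the repository's tooling: it reports each action reference that is not pinned to a 40-character commit SHA. The function names, the sample workflow contents and the `ci.yml` file name are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the repository's tooling): report action references
# that are not pinned to a full 40-character commit SHA.

# Prints "file:line:reference" for each unpinned `uses:` entry in DIR.
# Local (./path) and docker:// references are skipped. The body runs in a
# subshell so its variables do not leak into the caller.
list_unpinned_actions() (
  dir="$1"
  grep -HnE '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]' \
      "$dir"/*.yml "$dir"/*.yaml 2>/dev/null |
  while IFS=: read -r file line ref; do
    ref="${ref#*uses:}"                            # text after the key
    ref="${ref%%#*}"                               # drop a "# v5" style comment
    ref="$(printf '%s' "$ref" | tr -d " \t\"'")"   # drop blanks and quotes
    case "$ref" in ./*|docker://*) continue ;; esac
    # A pinned reference ends in "@" plus exactly 40 lowercase hex digits.
    printf '%s' "$ref" | grep -Eq '@[0-9a-f]{40}$' && continue
    printf '%s:%s:%s\n' "$file" "$line" "$ref"
  done
)

# Constructed sample input: two workflow files mirroring the two styles
# reported in the comment above (ci.yml is a hypothetical file name).
make_sample_workflows() {
  mkdir -p "$1"
  cat > "$1/ci.yml" <<'EOF'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
EOF
  cat > "$1/provenance.yml" <<'EOF'
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
EOF
}

sample_dir="$(mktemp -d)"
make_sample_workflows "$sample_dir"
list_unpinned_actions "$sample_dir"   # lists only the provenance.yml entry
rm -rf "$sample_dir"
```

Run as `list_unpinned_actions .github/workflows` in a checkout; an empty result means every remote action reference is pinned by SHA.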

@danielroe danielroe merged commit 3c68b6e into main Sep 22, 2025
14 checks passed
@danielroe danielroe deleted the renovate/actions-checkout-5.x branch September 22, 2025 08:46