CI: actions/checkout v4 to v5

[luojiyin1987]

Summary by CodeRabbit

• Chores
  • Updated continuous integration workflows to use the latest checkout action across build-and-deploy pipelines, improving reliability and security of automated builds and deployments.
  • No changes to application features, UI, or performance; end-user experience remains unchanged.
  • No configuration or action required from users; release cadence and deployment behavior remain the same.

[coderabbitai]

Walkthrough

Bumps the GitHub Actions checkout action from actions/checkout@v4 to actions/checkout@v5 in two CI workflow files. No other workflow logic or conditions were changed.

Changes

Cohort / File(s)	Summary of Changes
CI workflows: checkout action version bump \.github/workflows/main.yml, \.github/workflows/pull-request.yml	Updated checkout step from actions/checkout@v4 to actions/checkout@v5; no other step or condition changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

I nudge my paw on version’s line,
From v4 to v5—commit so fine.
Pipelines hop with lighter cheer,
Same old steps, but fresher gear.
Carrots cached, I press deploy—
CI/CD, a bunny’s joy. 🥕🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The PR title "CI: actions/checkout v4 to v5" accurately and concisely describes the primary change—upgrading actions/checkout from v4 to v5 in the CI workflows—using clear, focused wording that will be meaningful to reviewers scanning project history.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch CI/update-actions-checkout

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dosubot]

Related Documentation

Checked 10 published document(s). No updates required.

^{How did I do? Any feedback?}  

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ced890 and f87891f.

📒 Files selected for processing (2)

• .github/workflows/main.yml (1 hunks)
• .github/workflows/pull-request.yml (1 hunks)

🔇 Additional comments (2)

.github/workflows/main.yml (1)

16-16: Bump to actions/checkout@v5 looks good.

V5 is released and supported; it moves the action to the Node.js 24 runtime and requires Actions Runner ≥ v2.327.1. You’re on ubuntu-latest (GitHub‑hosted), so this should be fine; confirm no self‑hosted runners consume this workflow. (github.com)

.github/workflows/pull-request.yml (1)

16-16: Upgrade to actions/checkout@v5 is correct.

No workflow logic changes; just ensure runner compatibility (Node 24 runtime; Actions Runner ≥ v2.327.1) if any self‑hosted runners execute this job. (github.com)

[coderabbitai]

⚠️ Potential issue

Pin checkout to a commit SHA for supply‑chain hardening.

Pinning avoids tag move risk and is GitHub’s recommended practice. Proposed change: (docs.github.com)

-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@v5
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

🤖 Prompt for AI Agents

.github/workflows/main.yml around line 16: the checkout action is referenced by
tag (actions/checkout@v5) which can be moved; pin it to a specific commit SHA
instead. Replace the tag reference with the corresponding commit SHA for the
desired release (find the commit SHA from the actions/checkout GitHub repo
releases/tags) and update the workflow to use uses:
actions/checkout@<commit-sha>; commit the change and verify the workflow runs
successfully.

[coderabbitai]

⚠️ Potential issue

Also pin to the exact commit for checkout.

Apply the same SHA pinning here: (docs.github.com)

-            - uses: actions/checkout@v5
+            - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@v5
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

🤖 Prompt for AI Agents

.github/workflows/pull-request.yml around line 16: the workflow currently
references actions/checkout@v5 which is a floating tag; update it to pin the
action to the exact commit SHA of the v5 release (replace the tag with uses:
actions/checkout@<COMMIT_SHA>) so the workflow uses a fixed immutable
revision—fetch the official v5 release commit SHA from the actions/checkout
repository and update the workflow file accordingly, committing the change.