chore(github-deps): bump actions/checkout from 6.0.2 to 6.0.3 #6044
dependabot[bot] wants to merge 3 commits into
🚩 Composite action checkout pin not updated (out of scope)
The file .github/actions/setup-typescript-client/action.yml:18 uses actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0, which is a different (older) version than all the workflow files. This was not touched by the PR and is likely intentional — composite actions may pin different versions for compatibility reasons, and this particular action file wasn't in the diff. However, if the intent is to have all checkout actions at the same version, this one was missed.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 |
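Review bot: the trailing comment on the new `uses:` line still reads `# v4`, although the SHA now pinned is df4cb1c069e1874edd31b4311f1884172cec0e10, which the commit list for this bump shows as the v6.0.3 changelog commit. Change the comment to `# v6.0.3` in this PR: the label is what a reader relies on to tell which release an opaque SHA corresponds to, and the old line shows the mechanical bump carries the stale label forward unchanged.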
🟡 Misleading version comment # v4 in codeql.yml instead of # v6.0.3
In codeql.yml:22, the version comment says # v4 but should say # v6.0.3 to match the actual SHA being pinned (df4cb1c069e1874edd31b4311f1884172cec0e10). All other workflow files in this PR consistently use # v6.0.3 for the same SHA. This was a pre-existing incorrect comment (# v4 when it was actually v6.0.2), and the PR's mechanical update didn't fix it, making it further out of sync. A future auditor looking at pinned action versions would incorrectly believe codeql.yml is using a different (much older) major version of the checkout action.
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
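Both review findings above (one SHA carrying two different version comments, and one action pinned to different SHAs across files) can be checked mechanically. The following is an added example, not part of this PR or the repository; the function names and the file name `ci.yml` are assumptions, and the sample input is constructed from the SHAs and comments quoted in this thread.

```python
import re
from collections import defaultdict

# Matches "uses: owner/repo[/path]@<40-hex SHA> # label"; the label is optional.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<sha>[0-9a-f]{40})"
    r"(?:\s*#\s*(?P<label>\S+))?"
)

def collect_pins(files):
    """Return {action: {sha: {label: [(path, line_no), ...]}}} for SHA-pinned steps."""
    pins = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = USES_RE.match(line)
            if m:
                label = m.group("label") or "(none)"
                pins[m.group("action")][m.group("sha")][label].append((path, line_no))
    return pins

def audit(files):
    """Flag one SHA carrying several labels, and one action pinned to several SHAs."""
    findings = []
    for action, by_sha in sorted(collect_pins(files).items()):
        for sha, by_label in sorted(by_sha.items()):
            if len(by_label) > 1:
                findings.append(("label-mismatch", action, sha, sorted(by_label)))
        if len(by_sha) > 1:
            findings.append(("multiple-shas", action, None, sorted(by_sha)))
    return findings

# Constructed sample: SHAs, labels and two of the paths come from this thread;
# ci.yml is a hypothetical stand-in for "the other workflow files".
SAMPLE = {
    "codeql.yml":
        "steps:\n  - name: Checkout repository\n"
        "    uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4\n",
    "ci.yml":
        "steps:\n  - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3\n",
    ".github/actions/setup-typescript-client/action.yml":
        "runs:\n  steps:\n"
        "    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A label mismatch is a documentation defect that misleads audits; a `multiple-shas` finding may be intentional, as the first review comment notes, and is reported for a human decision.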
d494ba4 to a721df7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
a721df7 to b2df27d
Bumps actions/checkout from 6.0.2 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- df4cb1c Update changelog for v6.0.3 (#2446)
- 1cce339 Fix checkout init for SHA-256 repositories (#2439)
- 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
- 0c366fd Update changelog (#2357)