update GitHub actions in CI workflow #1721


Open
wants to merge 9 commits into
base: develop
Conversation

@Daulox92 Daulox92 commented Aug 12, 2025

Updates actions/checkout@v4 to actions/checkout@v5 across CI workflows.

Upgrade to actions/checkout@v5 for improved performance and stability.

Reference:
Latest version: https://github.com/actions/checkout/releases/tag/v5.0.0

Summary by CodeRabbit

  • Chores
    • Upgraded GitHub Actions “checkout” to v5 across all workflows (build, test, lint, integration, Docker, coordinator, database, rollup, bridge history, version bump).
    • Improves CI reliability, security, and compatibility with latest runners.
    • No changes to application behavior or user-facing features; builds and releases proceed as before.

coderabbitai bot commented Aug 12, 2025

Walkthrough

All modified GitHub Actions workflows update actions/checkout to v5. Most files change from v4 to v5; the ARM64 Docker workflow changes from v2 to v5. Some commented examples inside coordinator and rollup workflows were also updated. No other steps, logic, or control flow changed.

Changes

Cohort: Checkout v4 → v5
  File(s): .github/workflows/bridge_history_api.yml, .github/workflows/bump_version.yml, .github/workflows/common.yml, .github/workflows/coordinator.yml, .github/workflows/database.yml, .github/workflows/docker.yml, .github/workflows/integration.yml, .github/workflows/rollup.yml
  Change summary: Updated all “Checkout code” steps from actions/checkout@v4 to @v5; no other workflow steps altered. In coordinator.yml and rollup.yml, matching commented examples also updated to @v5.
Cohort: Checkout v2 → v5 (ARM64)
  File(s): .github/workflows/docker-coordinator-api-arm64.yml
  Change summary: Updated “Checkout code” from actions/checkout@v2 to @v5; no other changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~6 minutes

Poem

I thump my paws on pipeline ground,
“v5,” I chirp, “now all around!”
From v2, v4, we hop in line,
The carrots build, the tests align.
In commented burrows, tweaks the same—
A tidy warren, swift and tame. 🥕🐇

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

♻️ Duplicate comments (8)
.github/workflows/docker.yml (8)

63-63, 109-109, 155-155, 201-201, 247-247, 293-293, 339-339, 384-384: Same note as above: pin checkout to commit SHA (and optionally disable credential persistence).

Replicate the pinning/credential guidance from Line 17 at each of these steps as well.


🧹 Nitpick comments (8)
.github/workflows/common.yml (2)

59-60: Same as above: pin to SHA and optionally disable credential persistence.

No downstream git network ops here; safe to set persist-credentials: false.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false

84-85: Same as above: pin to SHA and optionally disable credential persistence.

No git network ops after checkout in this job either.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false
.github/workflows/database.yml (2)

52-53: Same as above: pin to SHA and optionally disable credential persistence.

No remote git operations here.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false

77-78: Same as above: pin to SHA and optionally disable credential persistence.

Tests don’t perform network git ops; safe to disable credentials.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false
.github/workflows/rollup.yml (2)

39-39: Optional hardening: disable credentials and pin checkout

These jobs don’t push to the repo; disable token persistence and consider pinning to a fixed version.

Example for one step (apply similarly to the others):

-      uses: actions/checkout@v5
+      uses: actions/[email protected]
+      with:
+        persist-credentials: false

Also applies to: 63-63, 88-88


120-120: Thanks for updating the commented example too

Keeping examples in sync prevents drift and copy-paste errors later.

.github/workflows/coordinator.yml (1)

44-44: Optional security tightening: turn off credential persistence and pin

These steps don’t require authenticated git operations. Recommend:

-      uses: actions/checkout@v5
+      uses: actions/[email protected]
+      with:
+        persist-credentials: false

Also applies to: 59-59, 100-100

.github/workflows/bridge_history_api.yml (1)

37-37: Optional: pin and disable credentials for safer defaults

Since these jobs only read the repo and run linters/tests, prefer not persisting the token and pin to a fixed version.

For each step:

-      uses: actions/checkout@v5
+      uses: actions/[email protected]
+      with:
+        persist-credentials: false

Also applies to: 51-51, 70-70

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f2b397 and 45ecd14.

📒 Files selected for processing (9)
  • .github/workflows/bridge_history_api.yml (3 hunks)
  • .github/workflows/bump_version.yml (1 hunks)
  • .github/workflows/common.yml (3 hunks)
  • .github/workflows/coordinator.yml (4 hunks)
  • .github/workflows/database.yml (3 hunks)
  • .github/workflows/docker-coordinator-api-arm64.yml (1 hunks)
  • .github/workflows/docker.yml (9 hunks)
  • .github/workflows/integration.yml (1 hunks)
  • .github/workflows/rollup.yml (4 hunks)
🔇 Additional comments (6)
.github/workflows/docker-coordinator-api-arm64.yml (1)

21-21: Pin actions/checkout v5 to an immutable SHA
Locking to a specific v5 commit prevents unexpected behavior when the action is updated.

File: .github/workflows/docker-coordinator-api-arm64.yml
Lines: 21

Suggested change:

- uses: actions/checkout@v5
+ uses: actions/checkout@<COMMIT-SHA>  # v5.0.0
  with:
    persist-credentials: false

• No extra git credentials are required after checkout.
• If this job runs on self-hosted runners, verify your runner’s Node version is ≥20 to ensure compatibility with the action’s JS code.

.github/workflows/integration.yml (1)

27-27: Upgrade to actions/checkout@v5 looks good

The bump is scoped and safe in this job. No control-flow or environment changes.

.github/workflows/rollup.yml (1)

39-39: Checkout v5 upgrade is correct across all jobs

All three active “Checkout code” steps now use v5; nothing else changed. Good scope control.

Also applies to: 63-63, 88-88

.github/workflows/coordinator.yml (2)

44-44: Upgrade to actions/checkout@v5 across coordinator workflow looks good

All active checkout steps moved to v5 with no other behavioral changes.

Also applies to: 59-59, 100-100


80-80: Good catch updating the commented docker example too

Staying consistent in commented blocks avoids stale guidance.

.github/workflows/bridge_history_api.yml (1)

37-37: Bridge History API: checkout v5 bump LGTM

All three “Checkout code” steps correctly target v5; no unrelated changes.

Also applies to: 51-51, 70-70

Comment on lines +19 to 22
uses: actions/checkout@v5
with:
ref: ${{ github.head_ref }}
- name: check diff
💡 Verification agent

❓ Verification inconclusive

Upgrade to actions/checkout@v5 is fine; consider pinning to a commit SHA.

This job performs git fetch and auto-commit/push, so keep persist-credentials: true (default). Only add pinning.

Apply this pattern after you retrieve the v5.0.0 commit SHA:

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
  with:
    ref: ${{ github.head_ref }}

Also ensure your runners (especially self-hosted, if any) are updated to a version that supports Node 20-based actions, which checkout v5 requires.


Pin checkout action to an immutable commit SHA

To guard against unexpected changes downstream, it’s best to pin actions/checkout v5 to its specific commit SHA while retaining the default persist-credentials: true for your auto-commit/push step:

• File: .github/workflows/bump_version.yml (around lines 19–22)
• Replace:

- uses: actions/checkout@v5
+ uses: actions/checkout@<COMMIT-SHA>  # v5.0.0
  with:
    ref: ${{ github.head_ref }}

• No changes needed for persist-credentials (defaults to true).

Additionally, verify that all runners (especially any self-hosted ones) are on Node 20 or later, as checkout v5 requires Node.js 20+ support.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/bump_version.yml around lines 19 to 22, pin the
actions/checkout@v5 usage to the specific immutable commit SHA instead of the
tag to avoid downstream surprises; update the workflow to reference the exact
commit SHA for actions/checkout while leaving persist-credentials at its default
true for auto-commit/push steps, and verify that all runners (including
self-hosted) run Node.js 20+ since checkout v5 requires Node 20 or newer.

Comment on lines +40 to 41
uses: actions/checkout@v5
- name: Cache cargo
🛠️ Refactor suggestion

Upgrade to actions/checkout@v5 looks good; consider pinning to a commit SHA.

This job doesn’t fetch/push; you can safely disable credential persistence if desired.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@v5
- name: Cache cargo
- uses: actions/checkout@<COMMIT-SHA> # v5.0.0
with:
persist-credentials: false
- name: Cache cargo
🤖 Prompt for AI Agents
.github/workflows/common.yml around lines 40 to 41: the workflow updates
actions/checkout to v5 but should pin to a specific commit SHA to avoid
unexpected breaking changes; update the uses entry to reference the full commit
SHA for actions/checkout@v5, and since this job does not perform fetch/push
operations, set persist-credentials: false in the checkout step to disable
credential persistence.

Comment on lines +37 to 38
uses: actions/checkout@v5
- name: Lint
🛠️ Refactor suggestion

Upgrade to actions/checkout@v5 looks good; consider pinning to a commit SHA.

This job runs only local linting; disabling credential persistence is safe.

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+with:
+  persist-credentials: false
📝 Committable suggestion


Suggested change
uses: actions/checkout@v5
- name: Lint
uses: actions/checkout@<COMMIT-SHA> # v5.0.0
with:
persist-credentials: false
- name: Lint
🤖 Prompt for AI Agents
.github/workflows/database.yml lines 37-38: replace the floating tag "uses:
actions/checkout@v5" with a pinned commit reference and disable credential
persistence for this local lint job; specifically, change the checkout action to
use the full commit SHA for the v5 release (e.g., actions/checkout@<commit-sha>)
and add persist-credentials: false under the checkout step so the job is pinned
and does not retain credentials.

@@ -14,7 +14,7 @@ jobs:
group: scroll-reth-runner-group
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v5
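Review bot: the new line still references the floating major tag `actions/checkout@v5`, so the SHA pin recommended throughout this review is not yet applied at this step; docker.yml carries nine checkout steps (lines 17, 63, 109, 155, 201, 247, 293, 339 and 384 per the duplicate comments above), so when the pin lands it should be applied to all nine in the same commit, each with a trailing `# v5.0.0` comment so the pinned ref stays readable.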
💡 Verification agent

🧩 Analysis chain

Upgrade to actions/checkout@v5 looks good; consider pinning to a commit SHA and (optionally) disabling credential persistence.

  • Pin to a specific SHA for supply-chain hardening (with a trailing comment noting the version).
  • If no git fetch/push occurs later in this job, set persist-credentials: false to avoid leaking the token into git config.

To locate any remaining non-v5 usages and retrieve the recommended pin for v5.0.0, run:

Apply this pattern after obtaining the SHA:

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT-SHA> # v5.0.0
+# with:
+#   persist-credentials: false

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Scanning for non-v5 checkout usages..."
rg -n -H $'uses:\\s*actions/checkout@v(1|2|3|4)\\b' || echo "No non-v5 usages found."

echo "Getting commit SHA for actions/checkout v5.0.0..."
gh api repos/actions/checkout/git/refs/tags/v5.0.0 --jq '.object.sha'

Length of output: 434


Pin actions/checkout@v5 to a specific SHA and disable credential persistence

To further harden our supply chain:

  • In .github/workflows/docker.yml (line 17), replace the loose @v5 tag with the concrete commit SHA for v5.0.0.
  • Disable credential persistence unless later steps need to fetch or push.

Suggested patch:

- uses: actions/checkout@v5
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+   persist-credentials: false
📝 Committable suggestion


Suggested change
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
🤖 Prompt for AI Agents
.github/workflows/docker.yml around line 17: replace the loose
actions/checkout@v5 reference with the concrete commit SHA corresponding to
v5.0.0 (i.e. actions/checkout@<SHA-of-v5.0.0>) and add persist-credentials:
false to the step to disable credential persistence unless later steps
explicitly need them; ensure the step still uses the v5.0.0 SHA and keep other
step settings unchanged.

@@ -24,7 +24,7 @@ jobs:
with:
go-version: 1.21.x
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v5
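Review bot: the verification script output later in this thread reports `.github/workflows/intermediate-docker.yml:77` still on `actions/checkout@v4`, and that file is not among the nine selected for processing in this PR; either fold it into this change so the repository has a single checkout version, or state in the PR description that it is deliberately out of scope.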
💡 Verification agent

🧩 Analysis chain

Harden checkout usage: pin version and disable credential persistence

To reduce supply-chain risk and avoid persisting tokens in the repo’s .git config during PRs, consider pinning to a fixed version and turning off credential persistence (since no git push happens in this job).

Apply this pattern here (and replicate across workflows):

-      uses: actions/checkout@v5
+      uses: actions/[email protected]
+      with:
+        persist-credentials: false

Run this to confirm all checkouts are migrated and find any remaining v2/v3/v4 (and optionally quantify how many are pinned vs floating majors):


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "All checkout versions found:"
rg -n --no-heading $'uses:\\s*actions/checkout@' -g '.github/workflows/*.yml' || true

echo -e "\nNon-v5 checkout occurrences (should be zero):"
rg -n --no-heading $'uses:\\s*actions/checkout@(v(2|3|4)\\b|main|master)' -g '.github/workflows/*.yml' || true

echo -e "\nUnpinned v5 (floating majors):"
rg -n --no-heading $'uses:\\s*actions/checkout@v5\\b' -g '.github/workflows/*.yml' || true

echo -e "\nPinned to specific v5.x or commit SHA:"
rg -n --no-heading -e $'uses:\\s*actions/checkout@v5\\.[0-9]+' -e $'uses:\\s*actions/checkout@[0-9a-fA-F]{40}' -g '.github/workflows/*.yml' || true

Length of output: 1386


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Workflow files in .github/workflows:"
find .github/workflows -maxdepth 1 -type f -print || true

echo -e "\nOccurrences of actions/checkout in all workflow files:"
rg -Hn 'uses:\s*actions/checkout@' -g '.github/workflows/*' || true

Length of output: 852


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Scanning for actions/checkout usage in workflow YAMLs:"
find .github/workflows -type f -name '*.yml' -print0 \
  | xargs -0 grep -Hn 'uses:\s*actions/checkout@'

Length of output: 2306


Pin checkout action to a fixed v5 minor and disable credential persistence across all workflows

We found one actions/checkout@v4 and 22 floating-major actions/checkout@v5 usages—none are currently pinned to a specific v5.x and none disable credential persistence. Please update all of them to a fixed version (e.g. v5.0.0 or your chosen v5.x.y) and add persist-credentials: false. For example:

-      uses: actions/checkout@v5
+      uses: actions/[email protected]
+      with:
+        persist-credentials: false

Affected locations:

  • .github/workflows/intermediate-docker.yml:77 (v4 → v5.0.0)
  • .github/workflows/bridge_history_api.yml:37, 51, 70
  • .github/workflows/bump_version.yml:19
  • .github/workflows/common.yml:40, 59, 84
  • .github/workflows/coordinator.yml:44, 59, 100
  • .github/workflows/database.yml:37, 52, 77
  • .github/workflows/docker-coordinator-api-arm64.yml:21
  • .github/workflows/docker.yml:17, 63, 109, 155, 201, 247, 293, 339, 384
  • .github/workflows/integration.yml:27
  • .github/workflows/rollup.yml:39, 63, 88
📝 Committable suggestion


Suggested change
uses: actions/checkout@v5
uses: actions/checkout@v5.0.0
with:
persist-credentials: false
🤖 Prompt for AI Agents
In .github/workflows/integration.yml around line 27, the checkout step uses a
floating major tag; update the step to pin to a fixed v5.x.y (e.g.
actions/[email protected]) and add a with block setting persist-credentials:
false; ensure the new lines are properly indented under the step so the action
uses the pinned version and disables credential persistence.
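The review above asks for two things per checkout step: a ref pinned to a release tag or commit SHA, and `persist-credentials: false` wherever no later git push happens. The following audit, an added example that is neither the PR's nor CodeRabbit's code, classifies every checkout ref in a workflow file and reports the credential setting; the sample workflow and the function names `audit_checkouts` and `gate_checkouts` are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PR or from CodeRabbit: audit every
# `uses: actions/checkout@<ref>` step in workflow files, classify the ref as a
# floating major tag (v5), a fixed release tag (v5.0.0) or a 40-hex commit SHA,
# and report whether the step sets `persist-credentials: false`.
set -eu

# Constructed sample workflow (not one of the PR's files) with one step per style.
SAMPLE_WF="$(mktemp -d)/sample.yml"
cat > "$SAMPLE_WF" <<'EOF'
jobs:
  lint:
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
      - name: Lint
        run: make lint
  build:
    steps:
      - name: Checkout code
        uses: actions/checkout@v5.0.0
        with:
          persist-credentials: false
      - name: Build
        run: make build
  release:
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.head_ref }}
EOF

# Print one line per checkout step:
#   <file>:<line> <ref> <floating|tag-pinned|sha-pinned> persist-credentials=<false|default>
audit_checkouts() {
  awk '
    function flush() {
      if (ref != "") {
        printf "%s:%d %s %s persist-credentials=%s\n", FILENAME, ln, ref, cls, (pc ? "false" : "default")
        ref = ""
      }
    }
    # The next step (a new list item) ends the `with:` block of the previous checkout.
    /^[ \t]*-[ \t]/ { flush() }
    match($0, /uses:[ \t]*actions\/checkout@[^ \t#]+/) {
      flush()
      ref = substr($0, RSTART, RLENGTH); sub(/.*@/, "", ref)
      ln = FNR; pc = 0
      if (length(ref) == 40 && ref ~ /^[0-9a-fA-F]+$/)   cls = "sha-pinned"
      else if (ref ~ /^v[0-9]+\.[0-9]+\.[0-9]+$/)        cls = "tag-pinned"
      else                                               cls = "floating"   # v5, main, ...
      next
    }
    ref != "" && /persist-credentials:[ \t]*false/ { pc = 1 }
    END { flush() }
  ' "$@"
}

# CI gate: non-zero exit when any checkout still uses a floating ref.
gate_checkouts() {
  if audit_checkouts "$@" | grep ' floating ' >/dev/null; then
    return 1
  fi
  return 0
}

audit_checkouts "$SAMPLE_WF"
```

Run it against `.github/workflows/*.yml` to get the same per-step listing the review's scripts produce, with the pin style and credential setting side by side.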
