Bump actions/checkout from 4.3.1 to 6.0.3#35
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v4.3.1...v6.0.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Simplecov Report
|
diff-vader-bot
left a comment
There was a problem hiding this comment.
🟡 Risk: MEDIUM — substantive findings present
🚫 Diff Vader · Changes requested
Council reviewed 3 files · 11 reviewers · 1 finding · $0.46
- ✅
blast‑radius ⚠️ correctness(1) — Inconsistent pin: this PR claims to bump actions/checkout to v6.0.3, and style.yml/tests.yml correctly move to df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3). But here the SHA is set to 34e114876b…- ✅
github‑actions - ❓
iac— skipped: filter: not applicable to changed files - ❓
migration‑safety— skipped: filter: not applicable to changed files - ✅
performance - ✅
revertibility - ✅
security‑tenant‑isolation - ❓
supply‑chain— skipped: filter: not applicable to changed files - ✅
supportability - ✅
test‑adequacy
Why: The council raised substantive concerns. See the inline comments on the diff and the per-reviewer summary above.
💡 /diff-vader-review <name> adds a one-shot reviewer. Beyond this PR's council, you can request: backup-correctness, loop-design-system.
|
|
||
| steps: | ||
| - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # main |
There was a problem hiding this comment.
pr-reviewer-correctness — MINOR severity · confidence 88% (blocking)
Inconsistent pin: this PR claims to bump actions/checkout to v6.0.3, and style.yml/tests.yml correctly move to df4cb1c069e1874edd31b4311f1884172cec0e10 (v6.0.3). But here the SHA is set to 34e114876b0b11c390a56381ad16ebd13914f8d5 — which is the v4 commit being removed from the other two workflows (its # v4 comment) — labeled # main. So tag-and-release ends up on v4 while the rest run v6.0.3. If the v6 release behavior (e.g. credentials persisted under $RUNNER_TEMP, requiring runner v2.329.0+) is intended/needed, the release workflow won't get it; conversely if a v6 SHA was meant here it's wrong. Confirm whether this should be df4cb1c (v6.0.3) to match the others.
React with 👍 / 👎 / 😕 to help us calibrate — why.
Bumps actions/checkout from 4.3.1 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
df4cb1cUpdate changelog for v6.0.3 (#2446)1cce339Fix checkout init for SHA-256 repositories (#2439)900f221fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)0c366fdUpdate changelog (#2357)de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)