2 changes: 1 addition & 1 deletion .github/workflows/cargo-deny.yml
@@ -19,7 +19,7 @@ jobs:
name: cargo-deny (licenses + advisories + bans)
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read its contents
cat -n .github/workflows/cargo-deny.yml

Repository: Sentriscloud/sdk-rs

Length of output: 940


Add persist-credentials: false to the checkout step.

Line 22 omits persist-credentials: false, leaving the GitHub token available to downstream steps unnecessarily. This is a security risk, especially when using third-party actions.

Suggested patch
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+       with:
+         persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cargo-deny.yml at line 22, The checkout action step (the line containing "uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") should explicitly disable credential persistence to avoid leaking the GITHUB_TOKEN; update that checkout step to include the key "persist-credentials: false" as an input under the same step so downstream steps and third‑party actions do not receive the token.

- uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
with:
command: check
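Review bot: The `# v6.0.2` comment beside the new `de0fac2e…` pin is documentation only; nothing in the workflow checks it against the commit, so verify once that the SHA is the commit the `v6.0.2` tag points to in the actions/checkout repository itself, not a fork (for example `git ls-remote --tags https://github.com/actions/checkout v6.0.2`, taking the peeled `^{}` entry if the tag is annotated), and bump comment and SHA together so they do not drift. The `# v2` comment on the `EmbarkStudios/cargo-deny-action` pin in the unchanged context records only a major version, which cannot be checked that way; recording the exact tag there too makes the pin auditable.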
2 changes: 1 addition & 1 deletion .github/workflows/commitlint.yml
@@ -13,7 +13,7 @@ jobs:
name: commitlint
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
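Review bot: `fetch-depth: 0` is the right setting for this job (commitlint needs the commit range of the PR, not just the head commit), and it does not conflict with the `persist-credentials: false` the review asks for: the token is still used for the clone and the full-history fetch inside the checkout step itself and is only not written to the runner's git configuration afterwards, so adding `persist-credentials: false` under the same `with:` mapping costs this job nothing.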
The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read the relevant lines
if [ -f ".github/workflows/commitlint.yml" ]; then
  echo "=== File content with line numbers ===" 
  cat -n .github/workflows/commitlint.yml | head -30
else
  echo "File not found"
fi

Repository: Sentriscloud/sdk-rs

Length of output: 715


🏁 Script executed:

# Also check for any other checkout actions in workflow files to understand patterns
rg "persist-credentials" .github/workflows/ || echo "No persist-credentials found in workflows"

Repository: Sentriscloud/sdk-rs

Length of output: 105


Add persist-credentials: false to checkout config.

Lines 16–18 currently persist credentials by default; commitlint only performs static analysis of commit messages and does not require authenticated git operations.

Suggested patch
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           fetch-depth: 0
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commitlint.yml around lines 16 - 18, The checkout step is currently leaving credentials in the workspace; update the checkout action configuration (the block with "uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and the existing "with: fetch-depth: 0") to add "persist-credentials: false" under the "with" mapping so the action does not persist git credentials during the commitlint job.

2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
@@ -19,7 +19,7 @@ jobs:
name: Dependency review
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/dependency-review.yml

Repository: Sentriscloud/sdk-rs

Length of output: 1383


Turn off persisted credentials for checkout.

Line 22 should set persist-credentials: false to reduce token exposure in workflow steps/artifacts.

Suggested patch
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 22, Update the checkout step that uses actions/checkout (the line with "uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") to explicitly set persist-credentials: false so the GITHUB_TOKEN is not persisted to subsequent steps or artifacts; locate the checkout step in the workflow and add the persist-credentials: false key under that step's configuration.


- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
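Review bot: The only step after this checkout in the visible context is `actions/dependency-review-action@2031cfc0… # v4`, and its `with:` block is cut off here; before adding `persist-credentials: false` to the checkout, confirm that any token that step needs is passed to it as an explicit input rather than picked up from the git credentials checkout leaves behind, so the hardening does not silently break the review. Independently of that, `# v4` records only a major version; the comment is more useful if it names the exact tag the SHA was taken from, as the checkout line now does.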
2 changes: 1 addition & 1 deletion .github/workflows/link-check.yml
@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/link-check.yml

Repository: Sentriscloud/sdk-rs

Length of output: 1406


Harden checkout by disabling persisted credentials.

Lines 27–28 should set persist-credentials: false; the lychee link-scanning job does not use Git credentials after checkout.

Suggested patch
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/link-check.yml around lines 27 - 28, The Checkout step in the GitHub Actions workflow currently uses actions/checkout without disabling persisted credentials; update the Checkout job step (the step named "Checkout" that uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to add persist-credentials: false so credentials are not left in the runner after checkout.


- name: Run lychee
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
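Review bot: The `# v2.8.0` comment on the lychee pin in the unchanged context is the form the other pins in this PR should follow: it names the exact tag the SHA was taken from, so a reviewer can check SHA against tag, whereas `# v2` and `# v4` in the other workflows record only a major version. This job also makes outbound HTTP requests to every link it finds and never pushes or fetches after checkout, which is exactly the profile where leaving the token in the workspace buys nothing; `persist-credentials: false` on the Checkout step is the right fix, and the SHA in the suggested patch matches the one this hunk introduces.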
2 changes: 1 addition & 1 deletion .github/workflows/rust.yml
@@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if file exists and read the relevant section
if [ -f ".github/workflows/rust.yml" ]; then
  echo "=== File exists ==="
  wc -l ".github/workflows/rust.yml"
  echo ""
  echo "=== Lines around line 17 ==="
  sed -n '10,25p' ".github/workflows/rust.yml"
else
  echo "File not found"
fi

Repository: Sentriscloud/sdk-rs

Length of output: 472


🌐 Web query:

GitHub Actions checkout action pinning commit SHA security best practice

💡 Result:

Best practice (secure pinning): Pin third-party GitHub Actions (including actions/checkout) to the full-length immutable commit SHA in the form uses: owner/repo@, instead of using a mutable tag like @v4 or @main. GitHub’s docs state that pinning to a full-length commit SHA is the only way to use an action as an immutable release, mitigating risk from a bad actor adding backdoors to the action repository; when selecting a SHA, verify it’s from the action’s repository (not a fork). Tag pinning is more convenient but still carries risk because tags can be moved or deleted if an attacker gains access to the action’s repository. [1]

Why this matters: GitHub also added an organization/repository policy mechanism to require SHA pinning; workflows that attempt to use actions that aren’t pinned to a full commit SHA will fail. This is meant to proactively limit the impact of compromised third-party dependencies. [2]

Implementation example for actions/checkout:
- Prefer: uses: actions/checkout@
- Avoid: uses: actions/checkout@v4 (or @v5, @main, etc.)

Operational guidance:
- Ensure you pin every action reference you directly use; GitHub’s enforcement checks for a full commit SHA and will block unpinned uses. [1][2]
- To update safely over time, update the SHA intentionally (e.g., via Dependabot/Renovate workflows that support GitHub Actions updates), rather than relying on mutable tags. GitHub’s secure use guidance notes tag use should only be used if you trust the creators, but commit SHA pinning is the stronger option. [1]

Bottom line: For security hardening, “pin actions to full-length commit SHAs” is the current best practice, and GitHub provides policy enforcement so you can ensure this across workflows. [1][2]


🌐 Web query:

GitHub Actions persist-credentials false security recommendation

💡 Result:

The persist-credentials: false setting in the GitHub Actions actions/checkout action is a security best practice recommended to prevent the automatic persistence of Git credentials (such as the GITHUB_TOKEN) into the local Git configuration of the runner [1][2]. When persist-credentials is set to its default value of true, the action configures the local Git environment with the authentication token, allowing subsequent steps in the same job to perform authenticated Git operations (like git push or git fetch) without needing to explicitly handle the token [3][4]. However, this also means that any code running in subsequent steps—including third-party actions—can potentially access these credentials [5][2].

Security Recommendations:
1. Use persist-credentials: false by default: Unless your workflow specifically requires performing authenticated Git operations (e.g., pushing commits back to the repository), you should set persist-credentials: false [2]. This minimizes the attack surface by ensuring credentials are not unnecessarily exposed to the environment [2].
2. Mitigate Credential Exposure: If you must use persist-credentials: true, ensure that you are using the principle of least privilege by restricting the permissions of the GITHUB_TOKEN [5].
3. Recent Improvements: Note that recent versions of actions/checkout have improved security by storing credentials in a separate file under $RUNNER_TEMP rather than directly in .git/config [3][6]. While this reduces the risk of accidental leakage (e.g., through artifact uploads), explicitly setting persist-credentials: false remains the recommended practice for hardening workflows [7][2].

If you disable credential persistence but still need to perform authenticated Git operations later in your workflow, you will need to manually configure the credentials (e.g., using git remote set-url or by passing the token explicitly to the relevant Git commands) [8].


Pin checkout action to a commit SHA and disable credential persistence.

Line 17 uses mutable tag @v6 instead of a pinned commit SHA, and omits persist-credentials: false. Mutable tags create supply-chain risk; GitHub enforces SHA pinning through organization policies. Persisted credentials unnecessarily expose the token to subsequent steps.

Suggested patch
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rust.yml at line 17, Replace the mutable GitHub Action reference "uses: actions/checkout@v6" with a pinned commit SHA for actions/checkout and add the security option to disable token persistence by setting "persist-credentials: false" in the checkout step; update the checkout step (the line containing uses: actions/checkout@v6) to use the commit SHA for the action and include the persist-credentials: false input so credentials aren't exposed to later steps.


- name: Install Rust
uses: dtolnay/rust-toolchain@stable
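Review bot: `dtolnay/rust-toolchain@stable` on the unchanged line directly below the checkout has the same unpinned-uses problem the review raises for `@v6`: `stable` is a mutable branch of that action, so anyone who can move that branch runs arbitrary code in this job. Pin it to a full commit SHA with a `# vX.Y.Z`-style comment like the checkout line and select the toolchain through the action's `toolchain` input instead (`with:` / `toolchain: stable`). `runs-on: ubuntu-latest` is also the only floating runner image in this PR; the other four workflows use `ubuntu-22.04`, and the job is easier to reproduce if this one matches.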
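The five review comments above all ask for the same two workflow changes: pin every `uses:` reference to a full commit SHA, and set `persist-credentials: false` on checkout steps that never need the token after checkout. As an added example, not part of this PR or of the Sentriscloud/sdk-rs repository, the script below audits workflow text for exactly those two gaps, using the same rule names as the zizmor output quoted in the comments (`unpinned-uses`, `artipacked`). It groups steps by indentation rather than with a YAML library, so it runs with the Python standard library only. Both sample workflows are constructed for this example (modelled on the rust.yml hunk); the checkout SHA is the one the PR introduces, while the rust-toolchain SHA in the hardened sample is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow text for two hardening gaps:
unpinned action references and actions/checkout steps that leave
persist-credentials at its default of true. Standard library only."""
import re
from typing import Dict, List, Tuple

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
PERSIST_LINE = re.compile(r"^\s*persist-credentials:\s*([^\s#]+)")
LIST_ITEM = re.compile(r"^(\s*)-\s+\S")

Step = List[Tuple[int, str]]  # (1-based line number, raw line)


def split_list_items(text: str) -> List[Step]:
    """Group lines into YAML list items by indentation: an item starts at a
    '- ' line and owns every following line indented deeper than its dash.
    Workflow steps are list items, so each checkout step comes out as one
    group together with its own 'with:' mapping."""
    items: List[Step] = []
    dash_indent = -1  # indentation of the open item's dash, -1 when none
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = LIST_ITEM.match(line)
        if m and (dash_indent < 0 or indent <= dash_indent):
            dash_indent = indent
            items.append([(lineno, line)])
        elif dash_indent >= 0 and indent > dash_indent:
            items[-1].append((lineno, line))
        else:
            dash_indent = -1  # dedented out of the list entirely
    return items


def audit_workflow(text: str, filename: str = "workflow.yml") -> List[Dict[str, object]]:
    """Return one finding per violated rule per step, in file order."""
    findings: List[Dict[str, object]] = []
    for item in split_list_items(text):
        uses_ref, uses_line, persist = None, 0, None
        for lineno, line in item:
            um = USES_LINE.match(line)
            if um and uses_ref is None:
                uses_ref, uses_line = um.group(1).strip("'\""), lineno
            pm = PERSIST_LINE.match(line)
            if pm:
                persist = pm.group(1).strip("'\"").lower()
        if uses_ref is None:
            continue  # e.g. a 'run:' step: nothing to pin
        action, _, ref = uses_ref.partition("@")
        if action.startswith(("./", "docker://")):
            continue  # local actions and container images carry no git ref
        if not FULL_SHA.match(ref):
            findings.append({"file": filename, "line": uses_line, "rule": "unpinned-uses",
                             "detail": f"{uses_ref} is not pinned to a 40-hex commit SHA"})
        if action == "actions/checkout" and persist != "false":
            findings.append({"file": filename, "line": uses_line, "rule": "artipacked",
                             "detail": "checkout step does not set persist-credentials: false"})
    return findings


# Constructed sample modelled on the rust.yml hunk (not the repository's file).
BEFORE = """\
name: Rust
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - run: cargo test --all-features
"""

# Hardened form. The rust-toolchain SHA is a placeholder, not a real commit.
AFTER = """\
name: Rust
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@0000000000000000000000000000000000000000 # placeholder
        with:
          toolchain: stable
      - run: cargo test --all-features
"""

if __name__ == "__main__":
    for sample, name in ((BEFORE, "before.yml"), (AFTER, "after.yml")):
        for f in audit_workflow(sample, name):
            print(f"{f['file']}:{f['line']}: [{f['rule']}] {f['detail']}")
```

Run against the "before" sample it reports three findings (line 8 twice, for the unpinned `@v6` and the missing `persist-credentials: false`, and line 10 for `@stable`); the hardened sample is clean. Pointing `audit_workflow` at the real files under `.github/workflows/` is a one-line loop over `pathlib.Path(...).glob("*.yml")`.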