
chore(deps): bump actions/checkout from 4.3.1 to 6.0.2 #19

Merged
satyakwok merged 1 commit into main from dependabot/github_actions/actions/checkout-6.0.2 on May 23, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps actions/checkout from 4.3.1 to 6.0.2.

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configurations to use pinned versions across all automation pipelines.


Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4.3.1...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on May 20, 2026

coderabbitai Bot commented May 20, 2026

Walkthrough

This PR standardizes the pinned version of the actions/checkout GitHub Action across all workflow files in the repository. Six workflow files (.github/workflows/cargo-deny.yml, ci.yml, commitlint.yml, dependency-review.yml, gitleaks.yml, and link-check.yml) are updated to pin the checkout action to v6.0.2, replacing previous unpinned floating tags (v6) and older pinned versions (v4 and v5).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Sentriscloud/sentrix-grpc-wasm#16: Introduced several of these workflow files (cargo-deny.yml, dependency-review.yml, commitlint.yml) that are now being updated with consistent action pinning in this PR.
Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title directly and accurately summarizes the main change: upgrading actions/checkout from 4.3.1 to 6.0.2 across all workflow files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 17: The workflow uses a mutable tag for actions/checkout
("actions/checkout@v6.0.2") which should be pinned to a resolved commit SHA for
supply-chain security; update both occurrences (the one at line 17 and the one
at line 40 referenced in the comment) to the specific commit SHA that
corresponds to v6.0.2 (replace "actions/checkout@v6.0.2" with
"actions/checkout@<resolved-commit-sha>") so the workflow references an
immutable commit instead of a tag.

In @.github/workflows/gitleaks.yml:
- Line 32: Replace the mutable tag for the actions/checkout step (currently
"actions/checkout@v6.0.2") with an immutable commit SHA to prevent supply-chain
risk; locate the workflow step that uses "actions/checkout" and change the
version reference to the full commit SHA of the v6.0.2 release (or the desired
release commit) so the action is pinned immutably.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4ffce3ec-8c08-474f-8171-2a26fa651cfa

📥 Commits

Reviewing files that changed from the base of the PR and between 1f92d45 and a1f46af.

📒 Files selected for processing (6)
  • .github/workflows/cargo-deny.yml
  • .github/workflows/ci.yml
  • .github/workflows/commitlint.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/gitleaks.yml
  • .github/workflows/link-check.yml

Comment thread .github/workflows/ci.yml
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
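Review bot: The changed line swaps one mutable reference (`actions/checkout@v6`) for another (`actions/checkout@v6.0.2`); a release tag can be re-pointed upstream, so this hunk still does not give the immutable pin the rest of the thread asks for. Suggest `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, the commit SHA resolved later in this thread, and since the step has no `with:` block it also lacks `persist-credentials: false` (zizmor's artipacked warning), which should be added unless a later step in the job needs the token.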

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the commit SHA for actions/checkout v6.0.2 and locate mutable pins in workflows.
set -euo pipefail

echo "Resolved commit SHA for actions/checkout v6.0.2:"
gh api /repos/actions/checkout/tags --paginate --jq '.[] | select(.name=="v6.0.2") | .commit.sha'

echo
echo "Checkout references in workflow files:"
rg -nP 'uses:\s*actions/checkout@' .github/workflows

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 884


Pin actions/checkout to a resolved commit SHA instead of the v6.0.2 tag.

Lines 17 and 40 in ci.yml use a mutable tag reference, which violates supply-chain security best practices. Pin to the resolved commit SHA.

Suggested fix
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Also applies to: Line 40

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, The workflow uses a mutable tag for
actions/checkout ("actions/checkout@v6.0.2") which should be pinned to a
resolved commit SHA for supply-chain security; update both occurrences (the one
at line 17 and the one at line 40 referenced in the comment) to the specific
commit SHA that corresponds to v6.0.2 (replace "actions/checkout@v6.0.2" with
"actions/checkout@<resolved-commit-sha>") so the workflow references an
immutable commit instead of a tag.

Member


Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, The workflow uses a mutable tag for
actions/checkout ("actions/checkout@v6.0.2") which should be pinned to a
resolved commit SHA for supply-chain security; update both occurrences (the one
at line 17 and the one at line 40 referenced in the comment) to the specific
commit SHA that corresponds to v6.0.2 (replace "actions/checkout@v6.0.2" with
"actions/checkout@") so the workflow references an
immutable commit instead of a tag.



🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve the commit SHA behind the v6.0.2 tag (the /tags endpoint returns the commit, not the annotated tag object)
# and list every checkout reference in the workflow files.
set -euo pipefail

echo "=== Resolved commit SHA for actions/checkout v6.0.2 ==="
gh api /repos/actions/checkout/tags --paginate --jq '.[] | select(.name=="v6.0.2") | .commit.sha'

echo
echo "=== All actions/checkout references in workflow files ==="
rg -nP 'uses:\s*actions/checkout@' .github/workflows/

Length of output: 836


@satyakwok The resolved commit SHA for actions/checkout@v6.0.2 is de0fac2e4500dabe0009e67214ff5f5447ce83dd.

Findings:

  • ✅ Already correctly pinned: cargo-deny.yml, commitlint.yml, dependency-review.yml, link-check.yml
  • ❌ Still using mutable tag @v6.0.2: ci.yml (lines 17 & 40) and gitleaks.yml (line 32)

Here are the fixes needed:

  • Pin ci.yml lines 17 and 40 to the resolved commit SHA
  • Pin gitleaks.yml line 32 to the resolved commit SHA

🧠 Learnings used
Learnt from: satyakwok
Repo: Sentriscloud/sentrix-grpc-wasm PR: 16
File: .github/workflows/commitlint.yml:16-16
Timestamp: 2026-05-13T17:32:01.876Z
Learning: When pinning GitHub Actions to a SHA in workflow YAML (e.g., `uses: <owner>/<repo>@<sha>`), pin to the **commit SHA** that the tag resolves to—not the SHA of the annotated tag object. For annotated tags, `gh api /repos/<owner>/<repo>/git/refs/tags/<tag>` returns the tag-object SHA (incorrect for `uses@<sha>` pinning). Instead, obtain the commit SHA with `gh api /repos/<owner>/<repo>/tags --jq '.[] | select(.name=="<tag>") | .commit.sha'` and pin to that value. GitHub Actions resolves `uses@<sha>` at runtime to the commit, so the pinned SHA must match the resolved commit SHA.

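The learning above settles which SHA to pin to; the check a maintainer would then run over the workflow files, as an added example that is neither the repository's nor CodeRabbit's code: it flags `uses:` references that are not full commit SHAs, flags checkout steps without `persist-credentials: false` (the zizmor finding quoted earlier), and rewrites tag pins to SHA pins from a tag-to-SHA map resolved separately (with `gh api` as in the thread). The sample workflow is constructed; the SHA value is the one this thread reports for v6.0.2, not re-verified here.

```python
import re

# Added example (not the repo's or CodeRabbit's code). SAMPLE_CI is constructed; the SHA in
# RESOLVED is the value the review thread reported for actions/checkout v6.0.2.
USES_RE = re.compile(r"^(\s*-\s*uses:\s*)([\w.-]+/[\w./-]+)@([^\s#]+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned_uses(text):
    """(line_no, action, ref) for every uses: whose ref is a tag or branch, not a 40-hex commit SHA."""
    return [(n, m.group(2), m.group(3))
            for n, line in enumerate(text.splitlines(), 1)
            if (m := USES_RE.match(line)) and not SHA_RE.match(m.group(3))]

def checkouts_persisting_credentials(text):
    """Line numbers of actions/checkout steps lacking persist-credentials: false (zizmor 'artipacked')."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or not m.group(2).startswith("actions/checkout"):
            continue
        indent = len(line) - len(line.lstrip())
        block = []  # the step's own keys: lines indented deeper than its "- uses:"
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= indent:
                break
            block.append(nxt)
        if not any(re.match(r"\s*persist-credentials:\s*false\s*$", b) for b in block):
            hits.append(i + 1)
    return hits

def pin_to_sha(text, resolved):
    """Rewrite 'owner/repo@tag' to 'owner/repo@sha # tag' for every tag present in resolved."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        key = f"{m.group(2)}@{m.group(3)}" if m else None
        if key in resolved:
            line = f"{m.group(1)}{m.group(2)}@{resolved[key]} # {m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"

SAMPLE_CI = """\
steps:
  - uses: actions/checkout@v6.0.2
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    with:
      persist-credentials: false
  - run: cargo test
"""
RESOLVED = {"actions/checkout@v6.0.2": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"}
```

Running `find_unpinned_uses(pin_to_sha(SAMPLE_CI, RESOLVED))` returns an empty list, which is the state the thread asks ci.yml and gitleaks.yml to reach.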

Comment thread .github/workflows/gitleaks.yml

coderabbitai Bot commented May 23, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

An unexpected error occurred while generating fixes: Bad credentials - https://docs.github.com/rest

@satyakwok satyakwok merged commit f67c5a1 into main May 23, 2026
8 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-6.0.2 branch May 23, 2026 13:06