2 changes: 1 addition & 1 deletion .github/workflows/cargo-deny.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
name: cargo-deny (licenses + advisories + bans)
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: EmbarkStudios/cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2
with:
command: check
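Review bot: the `cargo-deny-action@6c8f9facfa5047ec02d8485b6bf52b587b7777d1 # v2` line in this hunk records only a major version in its comment, while the checkout line next to it now records the exact release (`# v6.0.2`). Recording the exact tag beside every SHA pin lets a reader of the diff tell which release a hash corresponds to and lets SHA-aware dependency updaters know what they are bumping from; consider normalising that comment to the resolved tag. Separately, none of the checkout steps in this PR set `persist-credentials: false`; this job only reads the tree for cargo-deny, so the job token that checkout writes into `.git/config` by default is not needed (this is the `artipacked` warning zizmor reports in the thread below).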
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
name: cargo build (native + wasm32) + clippy + fmt
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the commit SHA for actions/checkout v6.0.2 and locate mutable pins in workflows.
set -euo pipefail

echo "Resolved commit SHA for actions/checkout v6.0.2:"
gh api /repos/actions/checkout/tags --paginate --jq '.[] | select(.name=="v6.0.2") | .commit.sha'

echo
echo "Checkout references in workflow files:"
rg -nP 'uses:\s*actions/checkout@' .github/workflows

Repository: Sentriscloud/sentrix-grpc-wasm

Length of output: 884


Pin actions/checkout to a resolved commit SHA instead of the v6.0.2 tag.

Lines 17 and 40 in ci.yml use a mutable tag reference, which violates supply-chain security best practices. Pin to the resolved commit SHA.

Suggested fix
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Also applies to: Line 40

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, The workflow uses a mutable tag for
actions/checkout ("actions/checkout@v6.0.2") which should be pinned to a
resolved commit SHA for supply-chain security; update both occurrences (the one
at line 17 and the one at line 40 referenced in the comment) to the specific
commit SHA that corresponds to v6.0.2 (replace "actions/checkout@v6.0.2" with
"actions/checkout@<resolved-commit-sha>") so the workflow references an
immutable commit instead of a tag.

Member


Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, The workflow uses a mutable tag for
actions/checkout ("actions/checkout@v6.0.2") which should be pinned to a
resolved commit SHA for supply-chain security; update both occurrences (the one
at line 17 and the one at line 40 referenced in the comment) to the specific
commit SHA that corresponds to v6.0.2 (replace "actions/checkout@v6.0.2" with
"actions/checkout@") so the workflow references an
immutable commit instead of a tag.



🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Resolved commit SHA for actions/checkout v6.0.2 ==="
gh api /repos/actions/checkout/tags --paginate --jq '.[] | select(.name=="v6.0.2") | .commit.sha'

echo
echo "=== All actions/checkout references in workflow files ==="
rg -nP 'uses:\s*actions/checkout@' .github/workflows/

Length of output: 836


@satyakwok The resolved commit SHA for actions/checkout@v6.0.2 is de0fac2e4500dabe0009e67214ff5f5447ce83dd.

Findings:

  • ✅ Already correctly pinned: cargo-deny.yml, commitlint.yml, dependency-review.yml, link-check.yml
  • ❌ Still using mutable tag @v6.0.2: ci.yml (lines 17 & 40) and gitleaks.yml (line 32)

Here are the fixes needed:

  • Pin ci.yml lines 17 and 40 to the resolved commit SHA
  • Pin gitleaks.yml line 32 to the resolved commit SHA

🧠 Learnings used
Learnt from: satyakwok
Repo: Sentriscloud/sentrix-grpc-wasm PR: 16
File: .github/workflows/commitlint.yml:16-16
Timestamp: 2026-05-13T17:32:01.876Z
Learning: When pinning GitHub Actions to a SHA in workflow YAML (e.g., `uses: <owner>/<repo>@<sha>`), pin to the **commit SHA** that the tag resolves to—not the SHA of the annotated tag object. For annotated tags, `gh api /repos/<owner>/<repo>/git/refs/tags/<tag>` returns the tag-object SHA (incorrect for `uses@<sha>` pinning). Instead, obtain the commit SHA with `gh api /repos/<owner>/<repo>/tags --jq '.[] | select(.name=="<tag>") | .commit.sha'` and pin to that value. GitHub Actions resolves `uses@<sha>` at runtime to the commit, so the pinned SHA must match the resolved commit SHA.

  • 📌 Commit the changes to this branch

- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
components: clippy, rustfmt
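Review bot: this hunk still references `actions/checkout@v6.0.2` by tag, one of the remaining mutable pins in this PR, while cargo-deny.yml, commitlint.yml, dependency-review.yml and link-check.yml all move to `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, the commit the bot resolved in the thread above. A tag can be moved after review, so only the commit SHA fixes what actually runs; the suggested-fix line from the thread is the right change. While touching the step, `persist-credentials: false` would clear the zizmor `artipacked` warning for line 17, since the build/clippy/fmt job never pushes.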
Expand All @@ -37,7 +37,7 @@ jobs:
name: gitleaks (secret scan)
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
- name: Install gitleaks
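Review bot: same mutable tag at line 40 of ci.yml (`- uses: actions/checkout@v6.0.2`); pin it to the same resolved commit as the rest of the PR. This step also combines `fetch-depth: 0` with the default credential persistence, so the full-history clone carries the job token in `.git/config`; `persist-credentials: false` is safe here because the gitleaks install and scan that follow only read the repository.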
2 changes: 1 addition & 1 deletion .github/workflows/commitlint.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
name: commitlint
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
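Review bot: the pin itself is correct and its `# v6.0.2` comment matches the commit resolved in the thread. Documentation point: `fetch-depth: 0` here carries no explanation, whereas gitleaks.yml annotates the same setting (`fetch-depth: 0 # full history so commit-range scan covers the whole tree`); a one-line reason in the same style would stop a later cleanup from dropping the full clone to speed up checkout.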

2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
name: Dependency review
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
with:
2 changes: 1 addition & 1 deletion .github/workflows/gitleaks.yml
Expand Up @@ -29,7 +29,7 @@ jobs:
name: gitleaks (secret scan)
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
satyakwok marked this conversation as resolved.
with:
fetch-depth: 0 # full history so commit-range scan covers the whole tree
- name: Install gitleaks
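Review bot: the conversation on this step is marked resolved, but the hunk as shown still uses `actions/checkout@v6.0.2` by tag at line 32, and the bot's second comment lists exactly this line as still unpinned; either the push with the SHA pin is missing from this view or the thread was resolved early. Pin to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` for consistency with the four files that already carry it. The comment on `fetch-depth: 0` is a good pattern; pairing it with `persist-credentials: false` would keep the job token out of the full-history clone, since the scan is read-only.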
2 changes: 1 addition & 1 deletion .github/workflows/link-check.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run lychee
uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
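The pin check from the review thread above (the bot's `rg` search for checkout references, and its note that a tag must be resolved to the commit SHA rather than the annotated tag object), generalised to every `uses:` line in a workflow, as an added example; this is not code from the Sentriscloud/sentrix-grpc-wasm repository. The function names (`list_unpinned_uses`, `check_pinned`, `resolve_tag_commit`, `make_sample_workflows`) and the sample workflow contents are assumptions constructed for the demo; `resolve_tag_commit` wraps the `gh api .../tags` command the thread shows and needs network access, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example, not code from the Sentriscloud/sentrix-grpc-wasm project: an offline
# lint that flags GitHub Actions `uses:` references not pinned to a full commit SHA,
# generalising the `rg -nP 'uses:\s*actions/checkout@'` check from the review thread
# to every action in a workflow. Sample workflow contents below are constructed.

# Print "file:line:owner/repo@ref" for every `uses:` whose ref is not a 40-hex SHA.
# Local actions (./path) have no '@' and are never matched; docker:// refs are skipped,
# because their digest form (@sha256:...) is a different kind of pin.
list_unpinned_uses() {
  for f in "$@"; do
    grep -nE 'uses:[[:space:]]*[^[:space:]#]+@[^[:space:]#]+' "$f" 2>/dev/null |
    while IFS= read -r hit; do
      lineno=${hit%%:*}
      # strip everything up to "uses:", then any trailing "# comment"
      spec=$(printf '%s\n' "${hit#*:}" | sed -E 's/^.*uses:[[:space:]]*//; s/[[:space:]]*#.*$//')
      case $spec in docker://*) continue ;; esac
      ref=${spec##*@}
      case $ref in
        *[!0-9a-f]*) printf '%s:%s:%s\n' "$f" "$lineno" "$spec" ;;   # tag or branch name
        *) [ "${#ref}" -eq 40 ] || printf '%s:%s:%s\n' "$f" "$lineno" "$spec" ;;  # short sha
      esac
    done
  done
}

# Exit 0 only when every reference in the given files is SHA-pinned (usable as a CI gate).
check_pinned() {
  [ -z "$(list_unpinned_uses "$@")" ]
}

# Resolve a tag to its COMMIT sha, as the thread's learning describes: the /tags endpoint
# exposes .commit.sha, whereas git/refs/tags returns the annotated tag object's sha, which
# `uses: ...@<sha>` will not resolve. Needs gh and network, so the offline demo skips it.
# Usage: resolve_tag_commit actions/checkout v6.0.2
resolve_tag_commit() {
  gh api "/repos/$1/tags" --paginate --jq ".[] | select(.name==\"$2\") | .commit.sha"
}

# Write two constructed workflow files into a temp dir and print the dir path.
make_sample_workflows() {
  d=$(mktemp -d)
  cat > "$d/ci.yml" <<'EOF'
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
      - uses: ./.github/actions/local-step
EOF
  cat > "$d/gitleaks.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
  printf '%s\n' "$d"
}

# Demo: list offenders in the constructed files, then use the gate.
SAMPLE_DIR=$(make_sample_workflows)
list_unpinned_uses "$SAMPLE_DIR"/*.yml
if check_pinned "$SAMPLE_DIR"/*.yml; then
  echo "all uses: references are SHA-pinned"
else
  echo "unpinned uses: references found"
fi
```

Run it against `.github/workflows/*.yml`; a non-zero exit from `check_pinned` can gate CI so a tag pin cannot reappear after a bump like the one in this PR.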