build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by dependabot[bot] · Pull Request #174 · arkorlab/arkor

dependabot · 2026-06-05T19:44:00Z

Bumps actions/checkout from 6.0.2 to 6.0.3.

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

Update changelog by @ericsciple in actions/checkout#2357

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

Update changelog for v6.0.3 by @yaananth in actions/checkout#2446

New Contributors

@yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

v6.0.2

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

v6.0.1

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

v6.0.0

Persist creds to a separate file by @ericsciple in actions/checkout#2286

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

v5.0.1

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

v5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

v4.3.1

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

v4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

v4.2.0

Add Ref and Commit outputs by @lucacome in actions/checkout#1180

Dependency updates by @dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

... (truncated)

Commits

df4cb1c Update changelog for v6.0.3 (#2446)
1cce339 Fix checkout init for SHA-256 repositories (#2439)
900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
0c366fd Update changelog (#2357)
See full diff in compare view

Summary by CodeRabbit

Chores
- Updated build and deployment infrastructure components to their latest versions.

github-code-quality · 2026-06-05T19:45:55Z

Code Coverage Overview

Languages: TypeScript

TypeScript / code-coverage/arkor

The overall coverage remains at 99%, unchanged from the main branch.

TypeScript / code-coverage/create-arkor

The overall coverage remains at 56%, unchanged from the main branch.

TypeScript / code-coverage/cli-internal

The overall coverage remains at 97%, unchanged from the main branch.

TypeScript / code-coverage/studio-app

The overall coverage remains at 53%, unchanged from the main branch.

_{Updated June 08, 2026 10:57 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.}

codecov · 2026-06-05T19:46:03Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

k-taro56 · 2026-06-07T15:31:36Z

@coderabbitai full review

coderabbitai · 2026-06-07T15:31:44Z

✅ Action performed

Full review finished.

coderabbitai · 2026-06-07T15:31:50Z

Walkthrough

Four GitHub Actions workflows now pin actions/checkout to the v6.0.3 commit instead of v6.0.2; the changes are limited to the checkout pins in build, CI (three jobs), and release (preflight/test) workflows with no other logic modified.

Changes

GitHub Actions checkout upgrade

Layer / File(s)	Summary
Update actions/checkout to v6.0.3 across all workflows `.github/workflows/build.yaml`, `.github/workflows/ci.yaml`, `.github/workflows/release-dry-run.yaml`, `.github/workflows/release.yaml`	Updated `actions/checkout` pin from v6.0.2 to v6.0.3 in the build job, CI jobs (build, install-matrix, coverage), and release jobs (preflight, test) across the listed workflow files. No other steps, job structure, or configuration were changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping the actions/checkout dependency from v6.0.2 to v6.0.3 across all workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch dependabot/github_actions/actions/checkout-6.0.3

✨ Simplify code

Create PR with simplified code
Commit simplified code in branch dependabot/github_actions/actions/checkout-6.0.3

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yaml:
- Line 42: The checkout step using "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" should disable
credential persistence; update that step to add the option persist-credentials:
false so the workflow token is not written into git config (keep the same pinned
action version and add this single key under that checkout step).

In @.github/workflows/ci.yaml:
- Line 57: The checkout steps are leaving credentials persisted; for every
occurrence of the actions/checkout usage (e.g., the occurrences with "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" and the other two
actions/checkout@... entries in the CI workflow), add a "with:
persist-credentials: false" block to each checkout step so the checkout action
does not leave credentials for subsequent steps; update each actions/checkout
step (the three uses: actions/checkout@... entries) to include that with
setting.

In @.github/workflows/release-dry-run.yaml:
- Around line 49-51: The checkout steps using "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" are missing the
security setting to avoid persisting credentials; update both checkout actions
in the workflow to include "persist-credentials: false" under their existing
with: block (keeping fetch-depth: 0) so credentials are not retained beyond the
step.

In @.github/workflows/release.yaml:
- Around line 55-57: The actions/checkout steps currently omit
persist-credentials which leaves workflow git credentials persisted; update both
checkout steps that use "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" (and the second
checkout later in the file) to include persist-credentials: false in their with:
block so runner-local git credentials are not stored after the job completes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: bf1ec95f-3e79-4f9f-a173-43612508d2e5

📥 Commits

Reviewing files that changed from the base of the PR and between 2c9ff0c and a663f94.

📒 Files selected for processing (4)

.github/workflows/build.yaml
.github/workflows/ci.yaml
.github/workflows/release-dry-run.yaml
.github/workflows/release.yaml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (3)

.github/workflows/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Both Codecov and GitHub code coverage uploads must use fail-on-error: false so upstream outages don't redden CI

Files:

.github/workflows/release.yaml
.github/workflows/release-dry-run.yaml
.github/workflows/ci.yaml
.github/workflows/build.yaml

.github/workflows/release-dry-run.yaml

📄 CodeRabbit inference engine (AGENTS.md)

release-dry-run.yaml must regenerate SBOM formats on every tag push and assert specVersion/spdxVersion to catch pnpm sbom regressions

Files:

.github/workflows/release-dry-run.yaml

.github/workflows/build.yaml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/build.yaml: Release SBOMs use pnpm sbom --prod with both formats: CycloneDX 1.7 (sbom.cyclonedx.json) and SPDX 2.3 (sbom.spdx.json)
Keep SBOM generation inside the trusted builder (not in caller) so it reflects exact installed tree and is signed under builder identity

Files:

.github/workflows/build.yaml

🧠 Learnings (5)

📓 Common learnings

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/release-dry-run.yaml : release-dry-run.yaml must regenerate SBOM formats on every tag push and assert specVersion/spdxVersion to catch pnpm sbom regressions

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/release-dry-run.yaml : release-dry-run.yaml must regenerate SBOM formats on every tag push and assert specVersion/spdxVersion to catch pnpm sbom regressions

Applied to files:

.github/workflows/release-dry-run.yaml
.github/workflows/ci.yaml
.github/workflows/build.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/build.yaml : Release SBOMs use pnpm sbom --prod with both formats: CycloneDX 1.7 (sbom.cyclonedx.json) and SPDX 2.3 (sbom.spdx.json)

Applied to files:

.github/workflows/ci.yaml
.github/workflows/build.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to pnpm-workspace.yaml : allowBuilds in pnpm-workspace.yaml must explicitly approve rolldown, unrs-resolver, esbuild (true) and deny keytar, puppeteer, sharp (false)

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to packages/{arkor,create-arkor}/package.json : Published packages declare engines.node >=22.22.0 to dodge Jan 2026 async-hooks CVE

Applied to files:

.github/workflows/ci.yaml

🪛 zizmor (1.25.2)

.github/workflows/release.yaml

[warning] 55-67: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[warning] 159-161: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

.github/workflows/release-dry-run.yaml

[warning] 49-61: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[warning] 156-158: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

.github/workflows/ci.yaml

[warning] 57-68: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[warning] 291-300: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

[warning] 489-491: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

.github/workflows/build.yaml

[warning] 42-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

k-taro56 · 2026-06-08T10:54:18Z

@dependabot rebase

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

coderabbitai

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yaml:
- Around line 55-58: The workflow pins actions/checkout to v6.0.3 but uses a
mismatched SHA (df4cb1c0...), causing the tag/sha comment to be wrong; update
the pinned SHA to the actual commit for v6.0.3
(9f698171ed81b15d1823a05fc7211befd50c8ae0) or change the tag/comment to match
the current SHA so the actions/checkout@v6.0.3 reference is consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 76aea077-185e-4c72-aef1-d3d18bf9593c

📥 Commits

Reviewing files that changed from the base of the PR and between a663f94 and 87545ba.

📒 Files selected for processing (4)

.github/workflows/build.yaml
.github/workflows/ci.yaml
.github/workflows/release-dry-run.yaml
.github/workflows/release.yaml

📜 Review details

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (141)

GitHub Check: typecheck · lint · test · build · macos-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.0.0 <24.1.0
GitHub Check: typecheck · lint · test · build · macos-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=26.0.0 <27
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · windows-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.8.0 <24.10.0
GitHub Check: typecheck · lint · test · build · macos-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · windows-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.8.0 <24.10.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.3.0 <24.5.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=26.0.0 <27
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.0.0 <24.1.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.1.0 <24.3.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.8.0 <24.10.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 26.0.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · windows-latest · node 26.0.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.1.0 <24.3.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.3.0 <24.5.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.0.0 <24.1.0
GitHub Check: install · yarn · macos-latest · node 24.12.0
GitHub Check: install · pnpm-10 · windows-latest · node 26.0.0
GitHub Check: install · bun · macos-latest · node 24.12.0
GitHub Check: install · npm · macos-latest · node 24.0.0
GitHub Check: install · pnpm-10 · macos-latest · node 24.0.0
GitHub Check: install · yarn · macos-latest · node 24.0.0
GitHub Check: install · npm · macos-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-10 · macos-latest · node 22.22.0
GitHub Check: install · pnpm-10 · macos-latest · node >=22.22.0 <23
GitHub Check: install · npm · windows-latest · node 26.0.0
GitHub Check: install · yarn · windows-latest · node >=24.12.0 <25
GitHub Check: install · npm · windows-latest · node >=24.12.0 <25
GitHub Check: install · npm · windows-latest · node 24.0.0
GitHub Check: install · pnpm-10 · windows-latest · node 24.12.0
GitHub Check: install · yarn · windows-latest · node 24.0.0
GitHub Check: coverage · upload to Codecov
GitHub Check: install · yarn · windows-latest · node 22.22.0
GitHub Check: install · bun · windows-latest · node >=22.22.0 <23
GitHub Check: install · bun · windows-latest · node 22.22.0
GitHub Check: install · pnpm-10 · windows-latest · node >=22.22.0 <23
GitHub Check: install · npm · windows-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-9 · windows-latest · node 24.0.0
GitHub Check: install · yarn · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · pnpm-11 · windows-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-11 · windows-latest · node 22.22.0
GitHub Check: install · pnpm-9 · windows-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-10 · windows-latest · node 22.22.0
GitHub Check: install · pnpm-9 · windows-latest · node 22.22.0
GitHub Check: install · yarn-berry · windows-latest · node >=22.22.0 <23
GitHub Check: install · yarn · windows-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-9 · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · npm · windows-latest · node 22.22.0
GitHub Check: install · yarn-berry · windows-latest · node 22.22.0
GitHub Check: install · pnpm-10 · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · npm · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · bun · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · yarn-berry · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · bun · ubuntu-latest · node 26.0.0
GitHub Check: install · pnpm-11 · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · yarn · ubuntu-latest · node 22.22.0
GitHub Check: install · yarn-berry · ubuntu-latest · node 26.0.0
GitHub Check: install · npm · ubuntu-latest · node >=26.0.0 <27
GitHub Check: install · pnpm-10 · ubuntu-latest · node 24.12.0
GitHub Check: install · bun · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · yarn · ubuntu-latest · node 26.0.0
GitHub Check: install · bun · ubuntu-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-10 · ubuntu-latest · node 26.0.0
GitHub Check: install · pnpm-11 · ubuntu-latest · node 26.0.0
GitHub Check: install · pnpm-9 · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · npm · ubuntu-latest · node 26.0.0
GitHub Check: install · yarn-berry · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · bun · ubuntu-latest · node 24.12.0
GitHub Check: install · pnpm-10 · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · npm · ubuntu-latest · node 24.0.0
GitHub Check: install · yarn · ubuntu-latest · node 24.12.0
GitHub Check: install · yarn · ubuntu-latest · node >=24.12.0 <25
GitHub Check: install · pnpm-11 · ubuntu-latest · node 24.0.0
GitHub Check: install · pnpm-11 · ubuntu-latest · node 24.12.0
GitHub Check: install · yarn-berry · ubuntu-latest · node 24.12.0
GitHub Check: install · pnpm-9 · ubuntu-latest · node 24.12.0
GitHub Check: install · yarn-berry · ubuntu-latest · node 24.0.0
GitHub Check: install · pnpm-10 · ubuntu-latest · node 24.0.0
GitHub Check: install · bun · ubuntu-latest · node 24.0.0
GitHub Check: install · pnpm-9 · ubuntu-latest · node 24.0.0
GitHub Check: install · pnpm-9 · ubuntu-latest · node 22.22.0
GitHub Check: install · yarn · ubuntu-latest · node 24.0.0
GitHub Check: install · pnpm-9 · ubuntu-latest · node >=22.22.0 <23
GitHub Check: install · yarn · ubuntu-latest · node >=22.22.0 <23
GitHub Check: install · yarn-berry · ubuntu-latest · node 22.22.0
GitHub Check: install · bun · ubuntu-latest · node 22.22.0
GitHub Check: install · pnpm-10 · ubuntu-latest · node >=22.22.0 <23
GitHub Check: install · pnpm-11 · ubuntu-latest · node 22.22.0
GitHub Check: install · pnpm-10 · ubuntu-latest · node 22.22.0
GitHub Check: install · npm · ubuntu-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.3.0 <24.5.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.0.0 <24.1.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · macos-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · windows-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=26.0.0 <27
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.0.0 <24.1.0
GitHub Check: typecheck · lint · test · build · macos-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · macos-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.1.0 <24.3.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · macos-latest · node 26.0.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.3.0 <24.5.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.10.0 <24.12.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 24.12.0
GitHub Check: typecheck · lint · test · build · macos-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.1.0 <24.3.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=26.0.0 <27
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=26.0.0 <27
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · windows-latest · node >=24.8.0 <24.10.0
GitHub Check: typecheck · lint · test · build · windows-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · windows-latest · node 26.0.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 22.22.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.12.0 <25
GitHub Check: typecheck · lint · test · build · windows-latest · node >=22.22.0 <23
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node 26.0.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.0.0 <24.1.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.8.0 <24.10.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.5.0 <24.8.0
GitHub Check: typecheck · lint · test · build · ubuntu-latest · node >=24.3.0 <24.5.0
GitHub Check: coverage · upload to Codecov

🧰 Additional context used

📓 Path-based instructions (3)

.github/workflows/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Both Codecov and GitHub code coverage uploads must use fail-on-error: false so upstream outages don't redden CI

Files:

.github/workflows/build.yaml
.github/workflows/release.yaml
.github/workflows/ci.yaml
.github/workflows/release-dry-run.yaml

.github/workflows/build.yaml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/build.yaml: Release SBOMs use pnpm sbom --prod with both formats: CycloneDX 1.7 (sbom.cyclonedx.json) and SPDX 2.3 (sbom.spdx.json)
Keep SBOM generation inside the trusted builder (not in caller) so it reflects exact installed tree and is signed under builder identity

Files:

.github/workflows/build.yaml

.github/workflows/release-dry-run.yaml

📄 CodeRabbit inference engine (AGENTS.md)

release-dry-run.yaml must regenerate SBOM formats on every tag push and assert specVersion/spdxVersion to catch pnpm sbom regressions

Files:

.github/workflows/release-dry-run.yaml

🧠 Learnings (10)

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/build.yaml : Keep SBOM generation inside the trusted builder (not in caller) so it reflects exact installed tree and is signed under builder identity

Applied to files:

.github/workflows/build.yaml
.github/workflows/release-dry-run.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/release-dry-run.yaml : release-dry-run.yaml must regenerate SBOM formats on every tag push and assert specVersion/spdxVersion to catch pnpm sbom regressions

Applied to files:

.github/workflows/build.yaml
.github/workflows/release.yaml
.github/workflows/release-dry-run.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/build.yaml : Release SBOMs use pnpm sbom --prod with both formats: CycloneDX 1.7 (sbom.cyclonedx.json) and SPDX 2.3 (sbom.spdx.json)

Applied to files:

.github/workflows/build.yaml
.github/workflows/release.yaml
.github/workflows/ci.yaml
.github/workflows/release-dry-run.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to .github/workflows/*.yaml : Both Codecov and GitHub code coverage uploads must use fail-on-error: false so upstream outages don't redden CI

Applied to files:

.github/workflows/build.yaml
.github/workflows/release.yaml
.github/workflows/ci.yaml
.github/workflows/release-dry-run.yaml

📚 Learning: 2026-06-08T10:51:57.585Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: CONTRIBUTING.md:0-0
Timestamp: 2026-06-08T10:51:57.585Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Use Node.js 24 (preferably the latest) and pnpm 11.0+ for development

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-06-08T10:52:09.897Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: CONTRIBUTING.ja.md:0-0
Timestamp: 2026-06-08T10:52:09.897Z
Learning: Use Node.js 24 (preferably the latest version) and pnpm 11.0+ for development

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to pnpm-workspace.yaml : allowBuilds in pnpm-workspace.yaml must explicitly approve rolldown, unrs-resolver, esbuild (true) and deny keytar, puppeteer, sharp (false)

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: Applies to packages/{arkor,create-arkor}/package.json : Published packages declare engines.node >=22.22.0 to dodge Jan 2026 async-hooks CVE

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-06-08T10:52:09.897Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: CONTRIBUTING.ja.md:0-0
Timestamp: 2026-06-08T10:52:09.897Z
Learning: Applies to packages/create-arkor/** : Include source maps for create-arkor coverage attribution

Applied to files:

.github/workflows/ci.yaml

📚 Learning: 2026-05-31T12:13:14.928Z

Learnt from: CR
Repo: arkorlab/arkor PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-31T12:13:14.928Z
Learning: e2e/cli is intentionally excluded from GitHub native code coverage upload; Codecov lcov is the source of truth until c8 ↔ cobertura is resolved

Applied to files:

.github/workflows/ci.yaml

🔇 Additional comments (8)

.github/workflows/build.yaml (1)

42-44: LGTM!

.github/workflows/ci.yaml (3)

57-59: LGTM!

293-295: LGTM!

493-495: LGTM!

.github/workflows/release-dry-run.yaml (2)

49-52: LGTM!

157-160: LGTM!

.github/workflows/release.yaml (2)

55-58: LGTM!

160-163: LGTM!

k-taro56 · 2026-06-08T13:54:25Z

@coderabbitai resolve

coderabbitai · 2026-06-08T13:54:37Z

✅ Action performed

Comments resolved and changes approved.

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 5, 2026

k-taro56 approved these changes Jun 7, 2026

View reviewed changes

coderabbitai Bot requested changes Jun 7, 2026

View reviewed changes

Comment thread .github/workflows/build.yaml

Comment thread .github/workflows/ci.yaml

Comment thread .github/workflows/release-dry-run.yaml

Comment thread .github/workflows/release.yaml

dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6.0.3 branch from a663f94 to 87545ba Compare June 8, 2026 10:55

coderabbitai Bot requested changes Jun 8, 2026

View reviewed changes

Comment thread .github/workflows/release.yaml

coderabbitai Bot approved these changes Jun 8, 2026

View reviewed changes

k-taro56 merged commit f275d2c into main Jun 8, 2026
557 of 558 checks passed

k-taro56 deleted the dependabot/github_actions/actions/checkout-6.0.3 branch June 8, 2026 13:55

Conversation

dependabot Bot commented on behalf of github Jun 5, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v6.0.3

What's Changed

New Contributors

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

Summary by CodeRabbit

Uh oh!

github-code-quality Bot commented Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Coverage Overview

TypeScript / code-coverage/arkor

TypeScript / code-coverage/create-arkor

TypeScript / code-coverage/cli-internal

TypeScript / code-coverage/studio-app

Uh oh!

codecov Bot commented Jun 5, 2026

Codecov Report

Uh oh!

k-taro56 commented Jun 7, 2026

Uh oh!

coderabbitai Bot commented Jun 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented Jun 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

k-taro56 commented Jun 8, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

k-taro56 commented Jun 8, 2026

Uh oh!

coderabbitai Bot commented Jun 8, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Jun 5, 2026 •

edited by coderabbitai Bot

Loading

github-code-quality Bot commented Jun 5, 2026 •

edited

Loading

coderabbitai Bot commented Jun 7, 2026 •

edited

Loading

coderabbitai Bot commented Jun 7, 2026 •

edited

Loading