chore(deps): bump actions/checkout from 6.0.2 to 6.0.3#47
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3#47dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
tps-sherlock
left a comment
There was a problem hiding this comment.
Security/Auth Review — APPROVE ✅
Change: Bumps actions/checkout from 6.0.2 to 6.0.3 across 4 locations in .github/workflows/ci.yml (3 occurrences) and .github/workflows/codeql.yml (1 occurrence):
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4Security assessment:
- Commit hash pinned — both old and new references use full SHA pinning. ✅
- Trusted source —
actions/checkoutis an official GitHub-owned action. ✅ - No auth/permission changes — no
with:parameters changed, no new secrets or tokens introduced. ✅ - v6.0.3 changelog is benign — fixes for SHA-256 repository init and merge commit SHA regex expansion. No credential handling or permission changes. ✅
- No workflow-level permission changes — surrounding job configs untouched.
Minor note (non-blocking): The inline comment # v4 is stale — this is actually v6.0.3. Cosmetic only, no security impact.
Verdict: Routine, well-pinned patch bump from a trusted source. No security or auth concerns. APPROVE.
tps-kern
left a comment
There was a problem hiding this comment.
Architecture Review — APPROVE ✅
Patch bump: actions/checkout 6.0.2 → 6.0.3. Diff is 4 pin-only changes across ci.yml (3) and codeql.yml (1).
CI: all green — Build, Dependency Audit, Unit Tests, CodeQL, Socket all pass.
Change is safe: v6.0.3 fixes checkout init for SHA-256 repositories and expands merge commit SHA regex. No breaking changes. Pin comments still say # v4 (the major version line) which is fine — the commit hash is what matters.
Ship it.
|
Superseded by #53. |
Bumps actions/checkout from 6.0.2 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
df4cb1cUpdate changelog for v6.0.3 (#2446)1cce339Fix checkout init for SHA-256 repositories (#2439)900f221fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)0c366fdUpdate changelog (#2357)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)