Bump actions/checkout from 5 to 6 #5
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
dependabot
bot
added
the
dependencies
|
@copilot Please ensure that we are using commit sha for versioning, with the version number as a comment on the line for all actions and reusable workflows. For checkout, i also want to ensure we are not persisting credentials. |
|
@MariusStorhaug I've opened a new pull request, #6, to work on those changes. Once the pull request is ready, I'll request review from you. |
Dependabot bump of actions/checkout v5→v6, updated to use commit SHA pinning per repo conventions. ## Changes - **SHA pinning**: All actions now reference commit SHAs with version comments - **Security hardening**: Added `persist-credentials: false` to all `actions/checkout` usages - **Pinned super-linter**: Changed from `@latest` to specific v8 SHA ```yaml # Before uses: actions/checkout@v6 # After uses: actions/checkout@1af3b93 # v6 with: persist-credentials: false ``` | Action | SHA | |--------|-----| | actions/checkout | `1af3b93b...` (v6) | | PSModule/Auto-Release | `eabd5330...` (v1) | | super-linter/super-linter | `2bdd90ed...` (v8) | | PSModule/GitHub-Script | `4f9c58a2...` (v1) | <!-- START COPILOT CODING AGENT TIPS --> --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR upgrades actions/checkout from v5 to v6 and implements security best practices by pinning actions to commit SHAs and adding persist-credentials: false to prevent credential persistence. While titled as an actions/checkout bump, the changes also include pinning other actions (super-linter, PSModule/GitHub-Script, PSModule/Auto-Release) to specific commit hashes for improved supply chain security.
Key Changes:
- Upgraded
actions/checkoutfrom v5 to v6.0.0 (commit1af3b93) - Added
persist-credentials: falseto all checkout steps for enhanced security - Pinned all GitHub Actions to commit SHAs with version comments for traceability
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| action.yml | Pinned PSModule/GitHub-Script@v1 to commit SHA for security |
| .github/workflows/Linter.yml | Updated checkout to v6, added persist-credentials: false, and upgraded super-linter from latest to v8 with commit SHA pinning |
| .github/workflows/Auto-Release.yml | Updated checkout to v6, added persist-credentials: false, and pinned PSModule/Auto-Release@v1 to commit SHA |
| .github/workflows/Action-Test.yml | Updated checkout to v6 and added persist-credentials: false |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
MariusStorhaug
deleted the
dependabot/github_actions/actions/checkout-6
branch
Bumps actions/checkout from 5 to 6.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)