ci(actions): bump actions/checkout from 4 to 6 #91

Merged: adm01-debug merged 1 commit into main from dependabot/github_actions/actions/checkout-6 on May 9, 2026

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

dependabot Bot commented on behalf of github May 4, 2026

Labels

The following labels could not be found: automated, ci. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

coderabbitai Bot commented May 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)

Validation error: String must contain at most 250 character(s) at "tone_instructions"

⚙️ Configuration instructions

  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

📝 Walkthrough

Three GitHub Actions workflow files were updated to use actions/checkout@v6 instead of actions/checkout@v4. The changes apply to the branch protection, CodeQL, and security workflows. No workflow logic, conditions, or behavior was modified.

Changes

Workflow CI Upgrades

| Layer / File(s) | Summary |
| --- | --- |
| Checkout Action Version Bump: .github/workflows/branch-protection-sentinel.yml, .github/workflows/codeql.yml, .github/workflows/security.yml | All three workflows updated their checkout step from actions/checkout@v4 to actions/checkout@v6 for consistent action versioning across CI jobs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Three workflows leap and bound,
From v4 to v6, a hop profound,
Actions upgraded, clean and bright,
GitHub flows now run just right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The PR description does not follow the repository's required description template. The PR contains only Dependabot's automatic release notes, without the template's mandatory sections (Description, Type of change, Related issue, Checklist, How to test, etc.). | Fill in the PR description following the mandatory template: add a clear description of the change, select the type of change (in this case, probably 'Refactoring' or 'Security'), include the complete checklist with validated items, and add notes for the reviewer as needed. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title clearly and concisely summarizes the main change: bumping the GitHub Action version. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch 2 times, most recently from d0e1c61 to 2efe60a Compare May 6, 2026 21:06

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/security-compliance.yml (1)

18-18: ⚡ Quick win

Pin actions/checkout to an immutable commit SHA.

Line 18 uses a mutable version tag (@v6). For supply-chain hardening, pin to the full commit SHA and keep the version in a comment:

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
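
Review bot: on the added `uses:` line, the trailing comment `# v6` names only the moving major tag, so the line does not record which release the 40-character SHA was taken from. Put the exact release tag in the comment and confirm the SHA against that tag in the upstream actions/checkout repository before applying the pin, so a later reviewer can audit it without trusting the comment.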

Note: This pattern is used across multiple workflows in the repository and could be applied consistently.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-compliance.yml at line 18, Replace the mutable
tag "actions/checkout@v6" with an immutable full commit SHA for supply-chain
hardening: update the uses entry to point to the action at a specific commit SHA
(e.g., actions/checkout@<full-commit-sha>) and keep the human-readable version
"v6" as a YAML comment for clarity; apply the same change everywhere the mutable
"@v6" tag is used so workflows consistently pin actions to immutable SHAs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 213c3d4b-35a7-4c14-8d70-e95b747c3f08

📥 Commits

Reviewing files that changed from the base of the PR and between d0e1c61 and 2efe60a.

📒 Files selected for processing (4)
  • .github/workflows/branch-protection-sentinel.yml
  • .github/workflows/codeql.yml
  • .github/workflows/security-compliance.yml
  • .github/workflows/security.yml
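
An added example (not part of this PR or of CodeRabbit's review): a small Python audit for the pinning recommendation above, listing every `uses:` entry in a workflow that references a tag or branch instead of a full 40-character commit SHA. The sample workflow is constructed; `example-org/example-action` and the local action path are hypothetical names.

```python
import re

# A step-level `uses:` reference, e.g. "- uses: actions/checkout@v6 # note"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify(ref):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one uses: value."""
    if ref.startswith("./"):
        return "local"   # action stored in this repository, versioned with it
    if ref.startswith("docker://"):
        return "docker"  # image reference; pinned by digest, not by commit SHA
    _, _, version = ref.partition("@")
    # Only a full commit SHA is immutable; tags, branches and short SHAs are not.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def audit(workflow_text):
    """Return (line_number, ref) for every uses: entry that can be re-pointed."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings


# Constructed sample workflow (hypothetical names except actions/checkout).
SAMPLE = """\
name: security-compliance
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: ./.github/actions/local-check
      - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for number, ref in audit(SAMPLE):
        print(f"line {number}: {ref} is not pinned to a full commit SHA")
```

Run over each file in `.github/workflows/`, a non-empty result can fail a CI job so that mutable references do not return after a later dependency bump.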

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 2efe60a to 9a11716 Compare May 6, 2026 22:07
Owner

@coderabbitai full review


Generated by Claude Code

coderabbitai Bot commented May 6, 2026

Tip

For best results, initiate chat on the files or code changes.

@adm01-debug Sure! I'll redo the full review of this PR right away.

[full_review]

@adm01-debug
Owner

🟡 Technical assessment — MERGE RECOMMENDED (with note)

Type: GitHub Action major (v4 → v6, skips v5)
Risk: Low
Category: Workflow/CI

actions/checkout is one of GitHub's most mature and stable Actions. Changes between v4 → v6 are almost always compatible with existing workflows (they mainly raised the Node.js version of the Action runner: v4 = Node 20, v6 = Node 24). It does not change public inputs/outputs.

Diff: 3 workflow files, 3 lines (bumps only).

Checks before merging:

  • ✅ Check the v5.0.0 and v6.0.0 release notes
  • ✅ See whether any workflow step depends on specific behavior (e.g. fetch-depth, submodules) — as a rule it stays the same

Current blocker: same as #93 — CI broken by the Supabase env. Wait for #101.

— Claude (PR housekeeping, 08/05/2026)

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from bf77ce9 to e7804f3 Compare May 9, 2026 12:31
@dependabot dependabot Bot requested a review from adm01-debug as a code owner May 9, 2026 12:31

vercel Bot commented May 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| promo-gifts | Ready | Preview, Comment | May 9, 2026 2:34pm |

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@adm01-debug adm01-debug force-pushed the dependabot/github_actions/actions/checkout-6 branch from e7804f3 to b7b073b Compare May 9, 2026 14:33
@adm01-debug adm01-debug merged commit fec2601 into main May 9, 2026
13 of 14 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-6 branch May 9, 2026 14:50