@dependabot dependabot bot commented on behalf of github Nov 27, 2025

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V6.0.0

V5.0.1

V5.0.0

V4.3.1

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)


dependabot bot commented on behalf of github Nov 27, 2025

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch 7 times, most recently from 11f02a2 to 52052d2 Compare December 2, 2025 20:19

claude bot commented Dec 2, 2025

Review: actions/checkout v4 → v6 Update

I've reviewed this Dependabot PR to update actions/checkout from v4 to v6. Here's my analysis:

Key Changes in v6

  1. Node.js 24 Runtime: The action now uses Node.js 24
  2. Improved Credential Handling: Credentials are now persisted to a separate file under $RUNNER_TEMP instead of directly in .git/config for better security
  3. Minimum Runner Requirement: Requires Actions Runner v2.329.0 or later (v2.327.1 for v5 features)

Breaking Changes Analysis

Runner Version Requirement: The most significant requirement is that GitHub Actions runners must be updated to v2.329.0+. This is critical for:

  • Docker container actions that use authenticated git commands
  • Any workflows using the persist-credentials feature

For GitHub-hosted runners, this is already satisfied. For self-hosted runners, you'll need to verify they meet this requirement.

Workflow Impact Assessment

Based on the PR diff, this update affects:

  1. .github/workflows/ci.yml (2 instances):

    • Updates from v5 → v6
    • Uses basic checkout without custom parameters
    • ✅ No changes needed
  2. .github/workflows/claude.yml (1 instance):

    • Updates from v4 → v6 (skipping v5)
    • Uses fetch-depth: 1 parameter
    • ✅ No changes needed

Migration Compatibility

Good news: According to the official documentation, "No workflow changes required — git fetch, git push, etc. continue to work automatically"

The workflows use standard checkout patterns without complex credential handling, so they should work seamlessly with v6.

Recommendation

This PR is safe to merge if:

  • You're using GitHub-hosted runners (they're already updated), OR
  • Your self-hosted runners are at version v2.329.0 or later

⚠️ Action required if:

  • You have self-hosted runners below v2.329.0 — update them first

References

@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 52052d2 to 7a0de23 Compare December 2, 2025 23:56
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 7a0de23 to f13852a Compare December 3, 2025 00:48
@claude claude bot left a comment

Review of actions/checkout v4 → v6 Upgrade

I've completed a comprehensive review of this Dependabot PR upgrading actions/checkout from v4 to v6. Here's my analysis:


📋 Summary of Changes

The PR updates actions/checkout in three workflow files:

  • ci.yml: 2 instances (test and lint jobs) - v5 → v6
  • claude.yml: 1 instance - v4 → v6
  • dependabot-automerge.yml: No usage of actions/checkout

🔍 Breaking Changes & Requirements

1. Minimum Runner Version Requirements

v5.0.0 Requirements:

  • Minimum runner version: v2.327.1 (released July 25, 2024)
  • Reason: Node.js 24 runtime support

v6.0.0 Additional Requirements:

  • Standard workflows: v2.327.1 (same as v5)
  • Docker container actions with authenticated git: v2.329.0 (released October 14, 2024)

Impact on this repository: ✅ GitHub-hosted runners are automatically updated, so no action needed.

2. Credential Handling Changes (v6.0.0)

What changed:

  • Credentials now persist in a separate file under $RUNNER_TEMP instead of directly in .git/config
  • Uses Git's includeIf mechanism for conditional credential inclusion
  • Improves security by isolating credentials from main Git config

Potential compatibility concerns:

  • Git worktrees: May not automatically inherit credentials (workaround: add includeIf rules for .git/worktrees/*)
  • Non-GitHub platforms (Forgejo, Gitea): Hardcoded GitHub paths may break authentication

Impact on this repository: ✅ No impact - workflows use standard checkout without worktrees or custom Git operations.

3. Runtime Updates

  • v5: Node.js 20 runtime
  • v6: Node.js 24 runtime

Impact: ✅ No workflow changes required - transparent upgrade.


🔎 Workflow Analysis

ci.yml (2 occurrences)

- name: Checkout code
  uses: actions/checkout@v5  # → v6

  • Parameters: None
  • Usage: Standard repository checkout for test and lint jobs
  • Compatibility: ✅ Fully compatible

claude.yml (1 occurrence)

- name: Checkout repository
  uses: actions/checkout@v4  # → v6
  with:
    fetch-depth: 1

  • Parameters: fetch-depth: 1 (shallow clone)
  • Usage: Repository checkout for Claude Code assistant workflow
  • Compatibility: ✅ Fully compatible - fetch-depth parameter unchanged

✅ Recommendation

APPROVE this PR - The upgrade is safe to merge.

Reasoning:

  1. ✅ No breaking changes affecting this repository's workflows
  2. ✅ No custom Git operations or worktrees used
  3. ✅ GitHub-hosted runners meet minimum version requirements
  4. ✅ All checkout configurations are standard and well-supported
  5. ✅ Security improvements with new credential handling
  6. ✅ No workflow syntax changes required

Migration steps: None required - the PR can be merged as-is.


📚 Additional Resources


Reviewed by Claude Code 🤖
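
The credential layout described in the review above (secret in a separate file, pulled in through includeIf, and the linked-worktree gap) can be reproduced locally with plain git. This is an added example, not part of the PR thread and not actions/checkout's own code: the `example.invalid` host, the credential file name, the header value and all function names are constructed, and the exact entries the action writes are not shown on this page.

```shell
#!/bin/sh
# Added example, not actions/checkout code; host, file name, header are constructed.
KEY='http.https://example.invalid/.extraheader'
SECRET='AUTHORIZATION: basic CONSTRUCTED-PLACEHOLDER'

# setup_demo BASE: repo plus a credential file under BASE/runner_temp ($RUNNER_TEMP stand-in).
setup_demo() {
    repo="$1/repo"
    cred_file="$1/runner_temp/git-credentials.config"
    mkdir -p "$1/runner_temp"
    git init -q "$repo"
    # The secret is written only to the separate, owner-readable file.
    ( umask 077; git config -f "$cred_file" "$KEY" "$SECRET" )
    # .git/config gets a pointer that applies only when this is the git dir.
    gitdir=$(cd "$repo/.git" && pwd -P)
    git -C "$repo" config --local "includeIf.gitdir:$gitdir.path" "$cred_file"
}

# Value git resolves for KEY in the given working tree, includes followed.
effective_header() { git -C "$1" config --get "$KEY"; }

# Succeeds if the secret text appears in the repository's own config file.
secret_in_git_config() { grep -q 'CONSTRUCTED-PLACEHOLDER' "$1/.git/config"; }

# add_worktree REPO DIR: linked worktree whose git dir is
# REPO/.git/worktrees/<name>, which the exact pattern above does not match.
add_worktree() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m init
    git -C "$1" worktree add "$2" >/dev/null 2>&1
}

# allow_worktrees REPO CRED_FILE: second pointer that covers linked worktrees.
allow_worktrees() {
    gitdir=$(cd "$1/.git" && pwd -P)
    git -C "$1" config --local "includeIf.gitdir:$gitdir/worktrees/*.path" "$2"
}

demo() {
    base=$(mktemp -d) && setup_demo "$base" || return 1
    secret_in_git_config "$base/repo" || echo ".git/config: pointer only"
    echo "main checkout:  '$(effective_header "$base/repo")'"
    add_worktree "$base/repo" "$base/wt"
    echo "worktree:       '$(effective_header "$base/wt")'"
    allow_worktrees "$base/repo" "$base/runner_temp/git-credentials.config"
    echo "worktree fixed: '$(effective_header "$base/wt")'"
    rm -rf "$base"
}
demo
```

Deleting the credential file removes the header from the effective config, while the includeIf pointer left in .git/config reveals only a path.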

@danielorbach danielorbach merged commit 5981705 into main Dec 3, 2025
5 checks passed
@danielorbach danielorbach deleted the dependabot/github_actions/actions/checkout-6 branch December 3, 2025 00:55
@danielorbach danielorbach added the dependencies Dependabot version/security updates label Dec 7, 2025