@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Nov 27, 2025

Bumps actions/checkout from 5 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

V6.0.0

V5.0.1

V5.0.0

V4.3.1

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Nov 27, 2025
@austenstone
Owner

📋 Summary

This is a major update for actions/checkout from v5 to v6, introducing important internal improvements for credential management and Node.js 24 support.

🔒 Security

No known vulnerabilities addressed. This update does not fix any CVEs. The compatibility score from Dependabot is 0, which is expected for a major version update with breaking infrastructure requirements.

⚠️ Breaking Changes

1. Minimum Actions Runner Version Requirement

  • Breaking Change: Requires Actions Runner v2.329.0 or higher
  • Impact: The new credential storage mechanism stores credentials under $RUNNER_TEMP instead of directly in the local git config
  • Affected Scenarios: Primarily impacts Docker container actions that need to access persisted credentials
  • Note: GitHub-hosted runners are automatically updated and already meet this requirement. Self-hosted runners may need updating.

2. Credential Storage Location Change

  • Breaking Change: The persist-credentials feature now stores credentials in $RUNNER_TEMP instead of the local git config
  • Why This Matters: This is a security improvement that isolates credentials per workflow run
  • Impact: If you have custom scripts that directly read credentials from git config, they may need adjustment

🚀 New Features & Improvements

  1. Improved Credential Isolation: Credentials are now stored in $RUNNER_TEMP, providing better isolation and security between workflow runs
  2. Node.js 24 Support: The action now runs on Node.js 24, ensuring compatibility with the latest runtime (inherited from v5.0.0)
  3. Enhanced Security Posture: By storing credentials in a temporary location, the action reduces the risk of credential leakage between jobs

📝 Migration & Impact Analysis

✅ Our Codebase Analysis

I've analyzed our repository and found that:

Current Usage:

  • Most workflows are already using v6: copilot-ci-fix.yml, copilot-dependabot-update.yml, copilot-pr-review.yml, copilot-security-triage.yml
  • This PR updates: .github/workflows/test-copilot.yml from v5 to v6

Compatibility Assessment:

  • GitHub-hosted runners: All our workflows use ubuntu-latest which already includes Actions Runner v2.329.0+
  • No custom git config readers: Our workflows don't directly access git config for credentials
  • Standard usage: We only use basic checkout functionality without custom credential handling
  • No Docker container actions: None of our workflows use Docker container actions that would be affected by the credential storage change

Migration Assessment

No code changes required. This update appears to be fully compatible with our current implementation. The change in credential storage location is transparent to standard GitHub Actions workflows.

The only change in this PR is:

# In file: .github/workflows/test-copilot.yml
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
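
Review bot: the added line `uses: actions/checkout@v6` references a mutable major-version tag, so the code this workflow runs can change without any diff in this repository. Consider pinning to the full commit SHA of the v6 release and keeping the version in a trailing comment on the same line, which Dependabot can still bump.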

This is a straightforward version bump with no functional changes needed to our workflow logic.

✅ Recommendation

👀 Needs Review with Confidence to Merge

This is a major version update with infrastructure requirements, but it appears fully compatible with our setup:

Why it's safe to merge:

  1. ✅ We use GitHub-hosted runners that already meet the minimum runner version requirement
  2. ✅ No custom credential handling in our workflows that would be affected
  3. ✅ Most of our workflows already successfully use v6
  4. ✅ The breaking changes are primarily for advanced scenarios (Docker container actions) that we don't use
  5. ✅ This is a security-focused update that improves credential isolation

Recommended action:

  • Review the PR to ensure CI passes
  • Merge with confidence once checks are green

Notes:

  • If you have self-hosted runners, verify they are running Actions Runner v2.329.0 or higher before merging
  • The credential storage improvement is a positive security enhancement with no downside for standard workflows

🤖 Analysis performed by GitHub Copilot CLI | Learn more about this update

@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch 2 times, most recently from fbd9c09 to 18c2e8b Compare November 28, 2025 16:27
Contributor Author

dependabot bot commented on behalf of github Nov 29, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@austenstone austenstone reopened this Nov 29, 2025
@github-actions

📋 Summary

This is a major update for actions/checkout from v5 to v6, primarily focused on improving credential security by changing how Git credentials are persisted in GitHub Actions workflows.


🔒 Security

No known vulnerabilities addressed. This update is focused on security improvements to the credential handling mechanism rather than fixing specific CVEs. The new credential storage method under $RUNNER_TEMP provides better isolation and security compared to storing credentials directly in the local git config.


⚠️ Breaking Changes

1. Minimum Runner Version Requirement

  • Breaking Change: actions/checkout v6 requires a minimum Actions Runner version of v2.329.0
  • Impact: This primarily affects Docker container action scenarios where persisted credentials need to be accessed
  • Reason: The new credential storage mechanism under $RUNNER_TEMP requires runner support introduced in v2.329.0

2. Credential Storage Location Change

  • Breaking Change: The persist-credentials option now stores credentials under $RUNNER_TEMP instead of directly in the local git config (.git/config)
  • Impact: Workflows that directly access git credentials from .git/config will need to be updated
  • Reason: Improved security and isolation of credentials

3. Node.js 24 Runtime

  • Breaking Change: v6 (like v5 before it) uses Node.js 24 runtime
  • Impact: Minimal - GitHub-hosted runners are automatically updated; self-hosted runners must have Node.js 24 available

🚀 New Features & Improvements

  1. Enhanced Credential Security - Credentials are now stored in a temporary, isolated location ($RUNNER_TEMP) rather than in the repository's git config, providing better security boundaries
  2. Node.js 24 Support - Full support for the latest Node.js 24 runtime with improved performance and security
  3. Improved Container Action Support - Better isolation for Docker container actions accessing persisted credentials

📝 Migration & Impact Analysis

Analysis Results

I have analyzed the codebase and identified 5 workflow files that use actions/checkout:

  1. .github/workflows/test-copilot.yml (being updated in this PR)
  2. .github/workflows/copilot-security-triage.yml
  3. .github/workflows/copilot-dependabot-update.yml
  4. .github/workflows/copilot-pr-review.yml
  5. .github/workflows/copilot-ci-fix.yml

Good news: I found NO usage of the following in any workflow files:

  • ✅ No persist-credentials configuration
  • ✅ No container: definitions (Docker containers)
  • ✅ No direct .git/config file access in scripts

Compatibility Assessment

This update is fully compatible with your codebase. Here's why:

  1. GitHub-hosted runners (which you're using: runs-on: ubuntu-latest) are automatically updated to the latest runner version by GitHub, so the v2.329.0 requirement is already satisfied
  2. Your workflows use actions/checkout in its simplest form without any advanced credential management features
  3. No workflows depend on the old credential storage location
  4. No Docker container actions are used that would need credential access

Changes Required

None. No code changes are required. The update is backward compatible for your use case.


✅ Recommendation

👀 Needs Review & Safe to Merge

This update is a major version upgrade with important breaking changes, but none of them affect this repository. Here's why I recommend merging:

  1. No compatibility issues - Your workflows use basic checkout functionality that is fully backward compatible
  2. No security vulnerabilities - While this doesn't fix specific CVEs, it improves overall credential security
  3. Runner compatibility - GitHub-hosted runners (ubuntu-latest) already meet the minimum version requirement
  4. No Docker containers - The main breaking change (credential access in containers) doesn't apply to your workflows
  5. Best practice - Staying current with official GitHub Actions is recommended for security and feature updates

Suggested Actions:

  1. Review this analysis to confirm understanding of the changes
  2. Merge when ready - no additional code changes needed
  3. Consider updating the other 4 workflow files to v6 in a follow-up PR to maintain consistency

Analysis performed by: GitHub Copilot CLI Dependabot Analysis Agent
Analysis date: 2025-11-29
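
The checks named in the analysis above (persist-credentials, container: definitions, direct .git/config access) plus the self-hosted runner caveat can be scripted; the following is an added example, not code from this thread, the repository, or actions/checkout. The sample workflows are constructed, and the line-based matching is an assumption that ignores YAML nesting.

```python
import re

# Line-based checks for the conditions the thread names as affected by
# checkout v6 moving persisted credentials to $RUNNER_TEMP.
CHECKS = {
    "checkout_ref": re.compile(r"^\s*-?\s*uses:\s*actions/checkout@(\S+)"),
    "persist_credentials": re.compile(r"^\s*persist-credentials:\s*(\S+)"),
    "container_job": re.compile(r"^\s*container:\s*(\S*)"),
    "self_hosted_runner": re.compile(r"^\s*runs-on:.*\bself-hosted\b"),
    # Scripts that read the repo-local git config directly.
    "git_config_read": re.compile(r"\.git/config|git\s+config\b.*--(?:get|list)"),
}

# Constructed sample workflows (not from the repository in this thread).
SAMPLE_BASIC = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
"""
SAMPLE_RISKY = """\
jobs:
  build:
    runs-on: [self-hosted, linux]
    container: node:24
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: true
      - run: grep -i authorization .git/config
"""

def audit_workflow(name, text):
    """Return (file, line_no, check, detail) findings for one workflow file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip YAML comment lines
            continue
        for check, rx in CHECKS.items():
            m = rx.search(line)
            if m:
                detail = m.group(1) if m.groups() else line.strip()
                findings.append((name, no, check, detail))
    return findings

def needs_manual_review(findings):
    """True if anything beyond the checkout reference itself was found."""
    return any(check != "checkout_ref" for _, _, check, _ in findings)
```

To run it over a real checkout, call `audit_workflow(path.name, path.read_text())` for each file under `.github/workflows/`.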

@austenstone
Owner

@dependabot recreate

@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 18c2e8b to 6f9ba48 Compare November 29, 2025 12:47
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from 6f9ba48 to f181346 Compare November 29, 2025 13:42
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from f181346 to 984677b Compare November 29, 2025 13:56