[action] bump actions/checkout from 5 to 6 in /.github/workflows

[dependabot]

Bumps actions/checkout from 5 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ ACTION	actionlint	7		2	0	0.62s
⚠️ COPYPASTE	jscpd	yes		2	no	2.82s
✅ EDITORCONFIG	editorconfig-checker	7		0	0	0.04s
✅ REPOSITORY	checkov	yes		no	no	27.15s
⚠️ REPOSITORY	devskim	yes		118	68	14.46s
✅ REPOSITORY	dustilock	yes		no	no	0.95s
✅ REPOSITORY	gitleaks	yes		no	no	2.5s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	51.76s
⚠️ REPOSITORY	kics	yes		20	no	33.29s
✅ REPOSITORY	kingfisher	yes		no	no	4.49s
✅ REPOSITORY	secretlint	yes		no	no	1.93s
✅ REPOSITORY	syft	yes		no	no	3.19s
✅ REPOSITORY	trivy	yes		no	no	17.24s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.27s
✅ REPOSITORY	trufflehog	yes		no	no	6.45s
❌ SPELL	cspell	8		1	0	6.61s
⚠️ SPELL	lychee	7		3	0	3.31s
✅ YAML	prettier	7	5	0	0	0.99s
✅ YAML	v8r	7		0	0	10.03s
✅ YAML	yamllint	7		0	0	0.78s

Detailed Issues

❌ ACTION / actionlint - 2 errors

.github/workflows/black.yml:30:14: workflow command "set-output" was deprecated. use `echo "{name}={value}" >> $GITHUB_OUTPUT` instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions [deprecated-commands]
   |
30 |         run: |
   |              ^
.github/workflows/debug-matrix.yml:606:13: constant expression "false" in condition. remove the if: section [if-cond]
    |
606 |         if: false # runner.os == 'Windows'
    |             ^~~~~

❌ SPELL / cspell - 1 error

.github/workflows/codeql.yml:42:9      - Unknown word (Autobuild)  -- # Autobuild attempts to build any
	 Suggestions: [Autobus, Autofill, Autobuses, Autofield, Autopsied]
.github/workflows/codeql.yml:44:36     - Unknown word (autobuild)  -- github/codeql-action/autobuild@v4
	 Suggestions: [autobus, autofill, autobuses, autofield, autopsied]
.github/workflows/codeql.yml:49:19     - Unknown word (Autobuild)  -- # ✏️ If the Autobuild fails above, remove
	 Suggestions: [Autobus, Autofill, Autobuses, Autofield, Autopsied]
.github/workflows/debug-matrix.yml:87:22     - Unknown word (showmanual) -- # apt-mark showmanual
	 Suggestions: [showman, showman's, showmanyc]
.github/workflows/debug-matrix.yml:97:21     - Unknown word (pkgs)       -- pkgutil --pkgs | sort
	 Suggestions: [pegs, pigs, pkcs, pkts, pngs]
.github/workflows/debug-matrix.yml:108:42    - Unknown word (winget)     -- installed choco/scoop/winget packages (Windows)
	 Suggestions: [widget, winged, winger, winglet, binget]
.github/workflows/debug-matrix.yml:113:48    - Unknown word (winget)     -- installed choco/scoop/winget packages (Windows)
	 Suggestions: [widget, winged, winger, winglet, binget]
.github/workflows/debug-matrix.yml:121:16    - Unknown word (winget)     -- echo winget --version (if installed
	 Suggestions: [widget, winged, winger, winglet, binget]
.github/workflows/debug-matrix.yml:122:20    - Unknown word (winget)     -- where /q winget && winget --version
	 Suggestions: [widget, winged, winger, winglet, binget]
.github/workflows/debug-matrix.yml:122:30    - Unknown word (winget)     -- where /q winget && winget --version
	 Suggestions: [widget, winged, winger, winglet, binget]
.github/workflows/debug-matrix.yml:304:53    - Unknown word (regextype)  -- maxdepth 1 -type f,l -regextype posix-extended -iregex
	 Suggestions: [regtype, REGTYPE, regexp, retype, rectype]
.github/workflows/debug-matrix.yml:304:79    - Unknown word (iregex)     -- regextype posix-extended -iregex '.*\.(bat|cmd|com|exe
	 Suggestions: [regex, irele, irene, Irene, relex]
.github/workflows/debug-matrix.yml:340:11    - Unknown word (pyversion)  -- pyversion=$("${PYTHON}" -c 'import
	 Suggestions: [phpversion, version, goversion, apiversion, goVersion]
.github/workflows/debug-matrix.yml:345:18    - Unknown word (pyversion)  -- if ((pyversion>2)); then
	 Suggestions: [phpversion, version, goversion, apiversion, goVersion]
.github/workflows/debug-matrix.yml:567:40    - Unknown word (PFAT)       -- /Q /Y /FS:FAT32 /V:PFAT322GB
	 Suggestions: [PDAT, PEAT, PHAT, PLAT, PRAT]
.github/workflows/debug-matrix.yml:574:14    - Unknown word (mountvol)   -- - run: mountvol.exe
	 Suggestions: [mount, mongol, mountd, mountp, mounts]
.github/workflows/debug-matrix.yml:579:14    - Unknown word (fsutil)     -- - run: fsutil.exe fsinfo drives
	 Suggestions: [gsutil, psutil, fusil, fustic, fustily]
.github/workflows/debug-matrix.yml:612:20    - Unknown word (logicaldisk) -- wmic.exe logicaldisk get DeviceID, VolumeName
	 Suggestions: [logicality, logicalness]


You can skip this misspellings by defining the following .cspell.json file at the root of your repository
Of course, please correct real typos before :)

{
    "version": "0.2",
    "language": "en",
    "ignorePaths": [
        "**/node_modules/**",
        "**/vscode-extension/**",
        "**/.git/**",
        "**/.pnpm-lock.json",
        ".vscode",
        "package-lock.json",
        "megalinter-reports"
    ],
    "words": [
        "Autobuild",
        "PFAT",
        "autobuild",
        "fsutil",
        "iregex",
        "logicaldisk",
        "mountvol",
        "pkgs",
        "pyversion",
        "regextype",
        "showmanual",
        "winget"
    ]
}


You can also copy-paste megalinter-reports/.cspell.json at the root of your repository

⚠️ REPOSITORY / devskim - 118 errors

{"text":"http://www.helpandmanual.com","markdown":"`http://www.helpandmanual.com`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/hhreg.json"},"replacements":[{"deletedRegion":{"charOffset":179,"charLength":28},"insertedContent":{"text":"https://www.helpandmanual.com"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/dependabot.yml"},"region":{"startLine":17,"startColumn":19,"endLine":17,"endColumn":23,"charOffset":463,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/dependabot.yml"},"region":{"startLine":13,"startColumn":19,"endLine":13,"endColumn":23,"charOffset":393,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/mtee.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":264,"charLength":66,"snippet":{"text":"\"221748edd4763571e395189772f166625f8e2b9429d1ee334228ef92f3f0c326\"","rendered":{"text":"\"221748edd4763571e395189772f166625f8e2b9429d1ee334228ef92f3f0c326\"","markdown":"`\"221748edd4763571e395189772f166625f8e2b9429d1ee334228ef92f3f0c326\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/wfc.json"},"region":{"startLine":9,"startColumn":12,"endLine":9,"endColumn":78,"charOffset":450,"charLength":66,"snippet":{"text":"\"16442002148e25cc009ad69e6292ce763eeb93108a9008c35019ec2ca7252f32\"","rendered":{"text":"\"16442002148e25cc009ad69e6292ce763eeb93108a9008c35019ec2ca7252f32\"","markdown":"`\"16442002148e25cc009ad69e6292ce763eeb93108a9008c35019ec2ca7252f32\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/ztree.json"},"region":{"startLine":42,"startColumn":20,"endLine":42,"endColumn":86,"charOffset":1195,"charLength":66,"snippet":{"text":"\"e7c7977abf151223725b295fc506913d0ebe290b5ee9d45dcb2dede750344056\"","rendered":{"text":"\"e7c7977abf151223725b295fc506913d0ebe290b5ee9d45dcb2dede750344056\"","markdown":"`\"e7c7977abf151223725b295fc506913d0ebe290b5ee9d45dcb2dede750344056\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/ztree.json"},"region":{"startLine":22,"startColumn":20,"endLine":22,"endColumn":86,"charOffset":617,"charLength":66,"snippet":{"text":"\"7bf68e67c877c70bd563e19c57e08d4e3b8a8262a57f8f7a32174f6dd1a45f5f\"","rendered":{"text":"\"7bf68e67c877c70bd563e19c57e08d4e3b8a8262a57f8f7a32174f6dd1a45f5f\"","markdown":"`\"7bf68e67c877c70bd563e19c57e08d4e3b8a8262a57f8f7a32174f6dd1a45f5f\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/pydeps.yml"},"region":{"startLine":27,"startColumn":18,"endLine":27,"endColumn":22,"charOffset":1325,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/outwit.json"},"region":{"startLine":10,"startColumn":12,"endLine":10,"endColumn":78,"charOffset":368,"charLength":66,"snippet":{"text":"\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"","rendered":{"text":"\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"","markdown":"`\"677b142ee01d69d43b31a4dfff9e06465fd4d4545fb1441cf703171cb598dba7\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/emet.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":316,"charLength":66,"snippet":{"text":"\"419740d3f8557a0c93b9181a5eaabb12a2b4a7a6843e83b02dfb4b080fbc31de\"","rendered":{"text":"\"419740d3f8557a0c93b9181a5eaabb12a2b4a7a6843e83b02dfb4b080fbc31de\"","markdown":"`\"419740d3f8557a0c93b9181a5eaabb12a2b4a7a6843e83b02dfb4b080fbc31de\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS176209","level":"note","message":{"text":"Suspicious comment"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/debug-matrix.yml"},"region":{"startLine":18,"startColumn":18,"endLine":18,"endColumn":22,"charOffset":563,"charLength":4,"snippet":{"text":"TODO","rendered":{"text":"TODO","markdown":"`TODO`"}},"sourceLanguage":"yaml"}}}],"properties":{"tags":["Hygiene.Comment.Suspicious"],"DevSkimSeverity":"ManualReview","DevSkimConfidence":"High"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 6666 characters out of 155175)

⚠️ COPYPASTE / jscpd - 2 errors

Clone found (powershell):
 - bin/describe.ps1 [11:1 - 24:36] (13 lines, 122 tokens)
   bin/formatjson.ps1 [10:1 - 23:38]

Clone found (powershell):
 - bin/checkhashes.ps1 [58:1 - 68:2] (10 lines, 114 tokens)
   bin/checkver.ps1 [72:1 - 82:2]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ powershell │ 12             │ 467         │ 2681         │ 2            │ 23 (4.93%)       │ 236 (8.8%)        │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ bash       │ 2              │ 9           │ 25           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python     │ 9              │ 1918        │ 15335        │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ini        │ 2              │ 58          │ 220          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown   │ 5              │ 63          │ 895          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 30             │ 2515        │ 19156        │ 2            │ 23 (0.91%)       │ 236 (1.23%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 2 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (0.91%) over threshold (0.5%)
Error: ERROR: jscpd found too many duplicates (0.91%) over threshold (0.5%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

⚠️ REPOSITORY / kics - 20 errors

MLLLLLM             MLLLLLLLLL   LLLLLLL             KLLLLLLLLLLLLLLLL       LLLLLLLLLLLLLLLLLLLLLLL 
   MMMMMMM           MMMMMMMMMML    MMMMMMMK       LMMMMMMMMMMMMMMMMMMMML   KLMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM         MMMMMMMMML       MMMMMMMK     LMMMMMMMMMMMMMMMMMMMMMML  LMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM      MMMMMMMMMML         MMMMMMMK   LMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM    LMMMMMMMMML           MMMMMMMK  LMMMMMMMMMLLMLLLLLLLLLLLLLL LMMMMMMMLLLLLLLLLLLLLLLLLLLLM 
   MMMMMMM  MMMMMMMMMLM             MMMMMMMK LMMMMMMMM                    LMMMMMML                      
   MMMMMMMLMMMMMMMML                MMMMMMMK MMMMMMML                     LMMMMMMMMLLLLLLLLLLLLLMLL     
   MMMMMMMMMMMMMMMM                 MMMMMMMK MMMMMML                       LMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMMMMMMMMMMMMM               MMMMMMMK MMMMMMM                         LMMMMMMMMMMMMMMMMMMMMMMMML 
   MMMMMMM KLMMMMMMMMML             MMMMMMMK LMMMMMMM                                          MMMMMMMML
   MMMMMMM    LMMMMMMMMMM           MMMMMMMK LMMMMMMMMLL                                        MMMMMMML
   MMMMMMM      LMMMMMMMMMLL        MMMMMMMK  LMMMMMMMMMMMMMMMMMMMMMMMMML LLLLLLLLLLLLLLLLLLLLMMMMMMMMMM
   MMMMMMM        MMMMMMMMMMML      MMMMMMMK   MMMMMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMMMM 
   MMMMMMM          LLMMMMMMMMML    MMMMMMMK     LLMMMMMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMMMML  
   MMMMMMM             MMMMMMMMMML  MMMMMMMK         KLMMMMMMMMMMMMMMMMML LMMMMMMMMMMMMMMMMMMMMMMMLK    
                                                                                                            
                                                                                                                                                                                                                                                                                                                        


Scanning with Keeping Infrastructure as Code Secure v2.1.19





Unpinned Actions Full Length Commit SHA, Severity: LOW, Results: 20
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
CWE: 829
Risk Score: 4.1
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: .github/workflows/issue.yml:12

		011:       - name: Verify Issue
		012:         uses: Ash258/Scoop-GithubActions@stable
		013:         if: github.event.action == 'opened' || (github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'verify'))


	[2]: .github/workflows/dependabot.yml:36

		035:     steps:
		036:       - uses: dependabot/fetch-metadata@v2.4.0
		037:         id: dependabot-metadata


	[3]: .github/workflows/debug-rasa.yml:61

		060: 
		061:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		062: 


	[4]: .github/workflows/mega-linter.yml:209

		208:       - name: Create Pull Request with applied fixes
		209:         uses: peter-evans/create-pull-request@v7.0.8 # changed from v5 by @rasa
		210:         id: cpr


	[5]: .github/workflows/clean-logs.yml:141

		140:       #   uses: rasa/ghaction-dump-context@master
		141:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		142: 


	[6]: .github/workflows/clean-logs.yml:145

		144:         if: github.event_name == 'schedule'
		145:         uses: rasa/delete-workflow-runs@main
		146:         # was Mattraks/delete-workflow-runs@main


	[7]: .github/workflows/update-readme.yml:27

		026: 
		027:       - uses: EndBug/add-and-commit@v9
		028:         with:


	[8]: .github/workflows/black.yml:51

		050:         if: steps.black.outputs.changes == 'true'
		051:         uses: ad-m/github-push-action@master
		052:         with:


	[9]: .github/workflows/codeql.yml:58

		057:       # Perform CodeQL Analysis
		058:       - uses: github/codeql-action/analyze@v4
		059: 


	[10]: .github/workflows/codeql.yml:44

		043:       # If this step fails, then you should remove it and run the build manually (see below).
		044:       - uses: github/codeql-action/autobuild@v4
		045: 


	[11]: .github/workflows/codeql.yml:37

		036:       # Initializes the CodeQL tools for scanning.
		037:       - uses: github/codeql-action/init@v4
		038:         # Override language selection by uncommenting this and choosing your languages


	[12]: .github/workflows/toc.yml:57

		056: 
		057:       - uses: stefanzweifel/git-auto-commit-action@v6.0.1
		058:         with:


	[13]: .github/workflows/clean-logs.yml:157

		156:         if: github.event_name != 'schedule'
		157:         uses: rasa/delete-workflow-runs@main
		158:         # was Mattraks/delete-workflow-runs@main


	[14]: .github/workflows/excavator.yml:14

		013:     - name: Excavate
		014:       uses: ScoopInstaller/GithubActions@main
		015:       env:


	[15]: .github/workflows/pull_request.yml:12

		011:     - name: Pull Request Validation
		012:       uses: Ash258/Scoop-GithubActions@stable
		013:       env:


	[16]: .github/workflows/mega-linter.yml:118

		117:         # More info at https://megalinter.io/flavors/
		118:         uses: oxsecurity/megalinter@v9 # changed from v7 by @rasa
		119: 


	[17]: .github/workflows/mega-linter.yml:231

		230:       - name: Commit and push applied linter fixes
		231:         uses: stefanzweifel/git-auto-commit-action@v6.0.1 # changed from v4 by @rasa
		232:         if: env.APPLY_FIXES_IF_COMMIT == 'true'


	[18]: .github/workflows/debug-matrix.yml:104

		103:         continue-on-error: true
		104:         uses: MinoruSekine/setup-scoop@main
		105:         with:


	[19]: .github/workflows/debug-matrix.yml:75

		074:     steps:
		075:       - uses: crazy-max/ghaction-dump-context@v2.3.0
		076: 


	[20]: .github/workflows/issue_comment.yml:12

		011:     - name: Pull Request Validation
		012:       uses: Ash258/Scoop-GithubActions@stable
		013:       if: startsWith(github.event.comment.body, '/verify')



Results Summary:
CRITICAL: 0
HIGH: 0
MEDIUM: 0
LOW: 20
INFO: 0
TOTAL: 20

⚠️ SPELL / lychee - 3 errors

[404] https://megalinter.io/flavors/ | Network error: Not Found
[404] https://megalinter.io/configuration/ | Network error: Not Found
[404] https://github.com/microsoft/winget-cli/releases/download/latest/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle | Network error: Not Found
📝 Summary
---------------------
🔍 Total...........31
✅ Successful......25
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........3
❓ Unknown..........0
🚫 Errors...........3

Errors in .github/workflows/debug-matrix.yml
[404] https://github.com/microsoft/winget-cli/releases/download/latest/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle | Network error: Not Found

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/flavors/ | Network error: Not Found
[404] https://megalinter.io/configuration/ | Network error: Not Found

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository