
Fix checkout #15539

Merged

koppor merged 1 commit into main from fix-checkout on Apr 13, 2026

Conversation


@koppor koppor commented Apr 13, 2026

Closes #15525

Using a composite action without checkout is not possible. Fixed by this PR.

Steps to test

See two removal workflows working again.

Checklist

  • I own the copyright of the code submitted and I license it under the MIT license
  • [/] I manually tested my changes in running JabRef (always required)
  • [/] I added JUnit tests for changes (if applicable)
  • [/] I added screenshots in the PR description (if change is visible to the user)
  • [/] I added a screenshot in the PR description showing a library with a single entry with me as author and as title the issue number
  • [/] I described the change in CHANGELOG.md in a way that can be understood by the average user (if change is visible to the user)
  • [/] I checked the user documentation for up to dateness and submitted a pull request to our user documentation repository

@koppor koppor added the label automerge (PR is tagged with that label will be merged if workflows are green) Apr 13, 2026
@qodo-free-for-open-source-projects

Review Summary by Qodo

Fix checkout in composite action and workflows

🐞 Bug fix


Walkthroughs

Description
• Removed checkout from composite action pr-gate
• Added explicit checkout to dependent workflows
• Fixes composite action usage without checkout
Diagram

```mermaid
flowchart LR
  A["pr-gate composite action"] -->|removed checkout| B["action.yml"]
  C["remove-ready-for-review workflow"] -->|added checkout| D["uses pr-gate"]
  E["remove-reviewers workflow"] -->|added checkout| F["uses pr-gate"]
```


File Changes

1. .github/actions/pr-gate/action.yml 🐞 Bug fix +0/-2

Remove checkout from composite action

• Removed actions/checkout@v6 step from composite action
• Simplified action by delegating checkout responsibility to caller workflows

2. .github/workflows/remove-ready-for-review.yml 🐞 Bug fix +1/-0

Add checkout step to workflow

• Added actions/checkout@v6 step before pr-gate action
• Ensures repository is checked out before composite action execution

3. .github/workflows/remove-reviewers.yml 🐞 Bug fix +1/-0

Add checkout step to workflow

• Added actions/checkout@v6 step before pr-gate action
• Ensures repository is checked out before composite action execution



qodo-free-for-open-source-projects bot commented Apr 13, 2026

Code Review by Qodo

Bugs (1), Security (1), Rule violations (0), Requirement gaps (0), UI issues (0), UX issues (0)

Advisory comments

1. Checkout token persisted 🐞

Description

In the pull_request_target jobs, the newly added actions/checkout step will (by default) persist the job's GITHUB_TOKEN into the repo's git config for subsequent steps, unnecessarily increasing exposure of a token that has pull-requests:write in this workflow. Disabling credential persistence reduces blast radius without affecting the local-action usage.
Code

.github/workflows/remove-ready-for-review.yml[R17-18]

+      - uses: actions/checkout@v6
      - uses: ./.github/actions/pr-gate
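Review bot: the added `- uses: actions/checkout@v6` step leaves `persist-credentials` at its default, so in these `pull_request_target` jobs the write-capable GITHUB_TOKEN stays in the workspace git config for every later step; since the checkout exists only so `./.github/actions/pr-gate` can be loaded, give the step `with:` / `persist-credentials: false` (indented two spaces under `uses`).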
Evidence

The workflow is triggered by pull_request_target and grants the job token pull-requests: write; the PR adds a checkout step before running other steps. actions/checkout persists credentials by default unless persist-credentials is disabled, which leaves that write-capable token in git config for the remainder of the job.

.github/workflows/remove-ready-for-review.yml[4-21]
.github/workflows/remove-reviewers.yml[4-21]
Best Practice: actions/checkout documentation

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

### Issue description
`actions/checkout` persists `GITHUB_TOKEN` credentials into the workspace git config by default. In these `pull_request_target` workflows the token also has `pull-requests: write`, so persisting it unnecessarily increases exposure for subsequent steps.

### Issue Context
The checkout is needed only to load the local composite action `./.github/actions/pr-gate`; it does not require persisted git credentials.

### Fix Focus Areas
- .github/workflows/remove-ready-for-review.yml[16-20]
- .github/workflows/remove-reviewers.yml[16-20]

### Suggested change
Update the checkout steps to:
```yaml
# "with" must sit at the same indentation as "uses" (two spaces inside the list item)
- uses: actions/checkout@v6
  with:
    persist-credentials: false
```
(Optionally also consider sparse-checkout of `.github/actions/pr-gate` if you want to minimize the checkout payload.)


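The review above describes what the default checkout leaves behind but not how to see it. The following added example (not code from the PR or from JabRef) is a small audit script that inspects a checkout's `.git/config` for the `AUTHORIZATION: basic` extraheader that actions/checkout writes under `[http "https://github.com/"]` when `persist-credentials` is left enabled; the remote URL and token value in the sample configs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the PR or from JabRef: detect a GITHUB_TOKEN that
# actions/checkout has persisted into a checkout's local git config.
# With persist-credentials left at its default (true), actions/checkout stores the
# token for later git calls as an "AUTHORIZATION: basic <base64>" extraheader under
# [http "https://github.com/"] in .git/config, readable by every later step of the job.

# check_persisted_token <path-to-git-config>
# Returns 0 when no persisted credential is present, 1 when one is found,
# 2 when the file does not exist. The token value itself is never printed.
check_persisted_token() {
  cfg="$1"
  if [ ! -f "$cfg" ]; then
    echo "no git config at $cfg" >&2
    return 2
  fi
  if grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$cfg"; then
    echo "persisted credential found in $cfg (set persist-credentials: false)" >&2
    return 1
  fi
  return 0
}

# Constructed sample configs (hypothetical remote, placeholder token) so the script runs offline.
tmp="${TMPDIR:-/tmp}/persist-check.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/persisted.cfg" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example-org/example-repo
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64_TOKEN
EOF
cat > "$tmp/clean.cfg" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example-org/example-repo
EOF

# Stand-alone run: the first config is flagged, the second passes.
for f in "$tmp/persisted.cfg" "$tmp/clean.cfg"; do
  if check_persisted_token "$f"; then
    echo "clean: $f"
  fi
done
```

In a job, run it as a step after the checkout (`sh check.sh "$GITHUB_WORKSPACE/.git/config"`) to confirm the fix took effect.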
@koppor koppor enabled auto-merge April 13, 2026 08:41
@koppor koppor added this pull request to the merge queue Apr 13, 2026
@github-actions github-actions bot added the label status: to-be-merged (PRs which are accepted and should go into the merge-queue) Apr 13, 2026
Merged via the queue into main with commit 8e8ac79 Apr 13, 2026
71 of 79 checks passed
@koppor koppor deleted the fix-checkout branch April 13, 2026 09:29