deps(actions): bump actions/checkout from 4 to 6#354

Closed

dependabot[bot] wants to merge 1 commit intomainfrom

dependabot/github_actions/actions/checkout-6

Contributor

dependabot Bot commented on behalf of github Apr 8, 2026 •

edited

Loading

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

update readme/changelog for v6 by @ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

Prepare v5.0.0 release by @salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

... (truncated)

Commits

de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
8e8c483 Clarify v6 README (#2328)
033fa0d Add worktree support for persist-credentials includeIf (#2327)
c2d88d3 Update all references from v5 and v4 to v6 (#2314)
1af3b93 update readme/changelog for v6 (#2311)
71cf226 v6-beta (#2298)
069c695 Persist creds to a separate file (#2286)
ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
08c6903 Prepare v5.0.0 release (#2238)
Additional commits viewable in compare view

Contributor Author

dependabot Bot commented on behalf of github Apr 8, 2026

Labels

The following labels could not be found: dependencies, github-actions, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot requested a review from itcmsgr as a code owner

April 8, 2026 20:59

Contributor

github-actions Bot commented Apr 8, 2026 •

edited

Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

actions/actions/checkout

de0fac2e4500dabe0009e67214ff5f5447ce83dd

🟢 5.7

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

actions/actions/checkout

de0fac2e4500dabe0009e67214ff5f5447ce83dd

🟢 5.7

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

actions/actions/checkout

de0fac2e4500dabe0009e67214ff5f5447ce83dd

🟢 5.7

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

actions/actions/checkout

de0fac2e4500dabe0009e67214ff5f5447ce83dd

🟢 5.7

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

actions/actions/checkout

de0fac2e4500dabe0009e67214ff5f5447ce83dd

🟢 5.7

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 10	all changesets reviewed
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Packaging	⚠️ -1	packaging workflow not detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Security-Policy	🟢 9	security policy file detected
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
SAST	🟢 8	SAST tool detected but not run on all commits

Scanned Files

.github/workflows/ci-go.yml
.github/workflows/fuzz.yml
.github/workflows/project-health.yml
.github/workflows/semgrep.yml
.github/workflows/socket-supplychain.yml

dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch 4 times, most recently from 0a94468 to bf58971 Compare

April 15, 2026 16:11


          deps(actions): bump actions/checkout from 4 to 6

386b9a2

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot force-pushed the dependabot/github_actions/actions/checkout-6 branch from bf58971 to 386b9a2 Compare

April 16, 2026 17:00

Owner

itcmsgr commented Apr 16, 2026

Closing — will re-evaluate dependencies in v1.92

itcmsgr closed this

Contributor Author

dependabot Bot commented on behalf of github Apr 16, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot Bot deleted the dependabot/github_actions/actions/checkout-6 branch

April 16, 2026 18:55

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet