build(deps): bump actions/checkout from 4 to 6 #67
dependabot[bot] wants to merge 1 commit into main from
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
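Review bot: The jump from @v4 to @v6 is a semver-major update (update-type: version-update:semver-major in the commit message) whose commit list includes "Persist creds to a separate file (#2286)" and a README change on Node.js 24 requirements, so beyond pinning this reference to the full commit SHA the other workflows use (de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2), check that the "Run Codex" step that follows this checkout does not depend on where the previous major version persisted credentials, and that the runner meets the Node.js 24 requirement, before merging.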
🔴 actions/checkout pinned to mutable tag instead of commit SHA, inconsistent with all other workflows
Every other workflow in the repository (ci.yml, pr-check.yml, deploy.yml) pins actions/checkout to the exact commit SHA @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2. This PR changes codex.yml to use the mutable tag @v6 without a SHA pin, which is both a security risk (a compromised tag could inject malicious code into the workflow) and inconsistent with the repository's established pattern.
| uses: actions/checkout@v6 | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
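Checking the SHA-pinning rule this comment asks for across a whole workflow file, as an added example (not code from the repository, dependabot or the review bot; the sample workflow and the setup-node SHA in it are constructed):

```python
"""Lint GitHub Actions 'uses:' references for commit-SHA pinning.
Added example for this review thread, not code from the repository, dependabot
or the review bots: flags third-party actions that are not pinned to a full
40-hex commit SHA with a '# vX.Y.Z' comment naming the release.
"""
import re
from typing import List, Tuple

# `uses: <target> [# comment]`; target is owner/repo[/path]@ref, ./path or docker://...
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)\s*(?:#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, reason) for each non-compliant line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.groups()
        if target.startswith(("./", "docker://")):
            continue  # local and container actions have no upstream tag to pin
        _action, sep, ref = target.partition("@")
        if not sep:
            findings.append((lineno, target, "missing @ref"))
        elif not SHA_RE.match(ref):
            findings.append((lineno, target, "mutable tag or branch, not a commit SHA"))
        elif comment is None:
            findings.append((lineno, target, "SHA pin lacks a '# vX.Y.Z' version comment"))
    return findings


# Constructed sample modelled on the codex.yml hunk in this PR (not the real file);
# the setup-node SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  codex:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v6
      - name: Checkout pinned
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for lineno, ref, reason in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Running it over `.github/workflows/*.yml` in CI turns the convention the reviewers describe into a failing check rather than a per-PR comment.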
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/codex.yml">
<violation number="1" location=".github/workflows/codex.yml:12">
P2: Pin `actions/checkout` to the full commit SHA (`de0fac2...`) to match the rest of the repo's workflows and prevent supply-chain attacks via mutable tags.</violation>
</file>
| steps: | ||
| - name: Checkout repo | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
P2: Pin actions/checkout to the full commit SHA (de0fac2...) to match the rest of the repo's workflows and prevent supply-chain attacks via mutable tags.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codex.yml, line 12:
<comment>Pin `actions/checkout` to the full commit SHA (`de0fac2...`) to match the rest of the repo's workflows and prevent supply-chain attacks via mutable tags.</comment>
<file context>
@@ -9,7 +9,7 @@ jobs:
steps:
- name: Checkout repo
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
- name: Run Codex
</file context>
| uses: actions/checkout@v6 | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
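Review bot: The suggested pins on this PR disagree on the version comment: the first codex.yml suggestion and the one below use `# v6.0.2`, while the other codex.yml suggestion uses `# v6`; apply the exact release `# v6.0.2` in both deploy-frontend.yml and codex.yml so the comment identifies which release the SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd corresponds to, which matters most here since this is the production deployment workflow.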
🟡 actions/checkout pinned to floating tag v6 instead of commit SHA, inconsistent with rest of repo
Same issue as in codex.yml: all other workflows pin actions/checkout to SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (see .github/workflows/ci.yml, .github/workflows/deploy.yml, .github/workflows/pr-check.yml), but deploy-frontend.yml uses the mutable @v6 tag. This is both a convention violation and a supply-chain security risk for the production deployment workflow.
| uses: actions/checkout@v6 | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)