2 changes: 1 addition & 1 deletion .github/workflows/codex.yml
Expand Up @@ -9,7 +9,7 @@ jobs:

steps:
- name: Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@v6
Contributor
🔴 actions/checkout pinned to mutable tag instead of commit SHA, inconsistent with all other workflows

Every other workflow in the repository (ci.yml, pr-check.yml, deploy.yml) pins actions/checkout to the exact commit SHA @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2. This PR changes codex.yml to use the mutable tag @v6 without a SHA pin, which is both a security risk (a compromised tag could inject malicious code into the workflow) and inconsistent with the repository's established pattern.

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2


P2: Pin actions/checkout to the full commit SHA (de0fac2...) to match the rest of the repo's workflows and prevent supply-chain attacks via mutable tags.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/codex.yml, line 12:

<comment>Pin `actions/checkout` to the full commit SHA (`de0fac2...`) to match the rest of the repo's workflows and prevent supply-chain attacks via mutable tags.</comment>

<file context>
@@ -9,7 +9,7 @@ jobs:
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Run Codex
</file context>
Suggested change
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6


- name: Run Codex
uses: openai/codex-action@c25d10f3f498316d4b2496cc4c6dd58057a7b031 # v1
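Review bot: the `+` line `uses: actions/checkout@v6` is the only action in this hunk left on a mutable ref; the `Run Codex` step right below it already pins `openai/codex-action` to a full commit SHA with a `# v1` comment, so the checkout step should follow the same form. The `-` line shows the step was already unpinned at `@v4`, so this is not a regression introduced by the PR, but a bump is the right moment to fix it. The two suggestions above differ only in the trailing comment (`# v6.0.2` versus `# v6`); prefer the exact release tag `# v6.0.2`, since that comment is how a reader, and tooling that refreshes SHA pins, tells which release the SHA corresponds to, and confirm the SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` against the upstream `v6.0.2` tag before merging rather than copying it from another workflow.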
2 changes: 1 addition & 1 deletion .github/workflows/deploy-frontend.yml
Expand Up @@ -20,7 +20,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
Contributor
🟡 actions/checkout pinned to floating tag v6 instead of commit SHA, inconsistent with rest of repo

Same issue as in codex.yml: all other workflows pin actions/checkout to SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (see .github/workflows/ci.yml, .github/workflows/deploy.yml, .github/workflows/pr-check.yml), but deploy-frontend.yml uses the mutable @v6 tag. This is both a convention violation and a supply-chain security risk for the production deployment workflow.

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
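The point raised in both the codex.yml and deploy-frontend.yml comments, that a `uses:` reference on a tag such as `@v6` can be moved by whoever controls the upstream repository while a 40-hex commit SHA cannot, is easy to audit mechanically across a `.github/workflows/` directory. The following is an added example and is not code from this PR or from the repository under review. It scans workflow text for `uses:` entries whose ref is not a full commit SHA and rewrites the ones for which a SHA has been resolved out of band. The sample workflow text is constructed for illustration; the tag-to-SHA map contains only the checkout SHA quoted in the review comments, and the `git ls-remote` resolve step is shown in a comment because it needs network access.

```python
"""Audit GitHub Actions workflow text for `uses:` refs that are mutable tags
or branches rather than full commit SHAs, and rewrite them from a resolved map.

Added example; not the PR's or the repository's own code. Sample input is
constructed. Tag-to-SHA resolution is done out of band (see RESOLVED below).
"""
import re
from typing import Dict, List, Tuple

# `uses: owner/repo[/path]@ref` with optional leading `- ` and trailing comment.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for every action pulled from a Git
    ref that is not a full commit SHA. Local actions (`./...`) never match
    because they carry no `@ref`; `docker://` images are skipped because they
    are not fetched from a Git ref at all."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith("docker://"):
            continue
        if not FULL_SHA_RE.match(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


def pin_to_sha(workflow_text: str, resolved: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite `uses: action@tag` to `uses: action@<sha> # <exact tag>` for
    every key "action@tag" in `resolved`, whose value is (sha, exact_tag).
    Lines already pinned to a SHA, or not in the map, are left untouched.
    A map entry that is not itself a full SHA is rejected, so a typo can
    never silently produce a new mutable ref."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            key = f"{m.group('action')}@{m.group('ref')}"
            if key in resolved:
                sha, exact_tag = resolved[key]
                if not FULL_SHA_RE.match(sha):
                    raise ValueError(f"resolved ref for {key} is not a full commit SHA: {sha}")
                line = f"{m.group('prefix')}{m.group('action')}@{sha} # {exact_tag}"
        out.append(line)
    return "\n".join(out) + ("\n" if workflow_text.endswith("\n") else "")


# Constructed sample modelled on the steps visible in this PR's diff.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v4
      - name: Run Codex
        uses: openai/codex-action@c25d10f3f498316d4b2496cc4c6dd58057a7b031 # v1
      - uses: ./.github/actions/local-step
"""

# "action@tag" -> (full commit SHA, exact release tag). The checkout entry is
# the SHA quoted in the review comments. Resolve each entry out of band, e.g.
#   git ls-remote --tags https://github.com/actions/checkout v6.0.2
# (an annotated tag prints a second `^{}` line that carries the commit SHA),
# and check it against the upstream release before adding it here.
RESOLVED: Dict[str, Tuple[str, str]] = {
    "actions/checkout@v6": ("de0fac2e4500dabe0009e67214ff5f5447ce83dd", "v6.0.2"),
}

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_to_sha(SAMPLE_WORKFLOW, RESOLVED))
```

Run against a real repository by reading each file under `.github/workflows/` and feeding its text to `find_unpinned`; anything it reports after `pin_to_sha` has been applied is a tag for which no SHA has yet been resolved, which in the sample above is `actions/setup-node@v4`.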


- name: Setup Node.js
uses: actions/setup-node@v4
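Review bot: pinning only the checkout step leaves `actions/setup-node@v4`, two lines below in the same hunk, on a mutable tag in the production deployment workflow, so the fix is incomplete if merged as suggested. Resolve that tag to its full commit SHA in the same change and write it in the repository's existing form, `uses: actions/setup-node@<full commit SHA> # v4` (the SHA itself is not visible on this page and must be looked up, not guessed). As with codex.yml, the `-` line shows checkout was already unpinned at `@v4`, so this PR is the occasion to fix it rather than its cause.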