Skip to content

chore(deps): bump actions/checkout from 4 to 5 #5927

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
LesnyRumcajs merged 1 commit into from
Aug 12, 2025
Merged

chore(deps): bump actions/checkout from 4 to 5 #5927

LesnyRumcajs merged 1 commit into from
Aug 12, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 12, 2025
edited by coderabbitai bot
Loading

Bumps actions/checkout from 4 to 5.

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Upgraded the repository checkout action across CI workflows to the latest major version for improved security and performance.
    • Standardized CI steps across build, lint, docs, release, and test pipelines for consistency.
    • Increased pipeline resilience by allowing a non-blocking failure in a build cache setup step, reducing unnecessary job failures.

@dependabot
chore(deps): bump actions/checkout from 4 to 5
abe300c 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 12, 2025
@dependabot dependabot bot requested a review from a team as a code owner August 12, 2025 05:10
@dependabot dependabot bot requested review from hanabi1224 and sudo-shashank and removed request for a team August 12, 2025 05:10
@dependabot dependabot bot added github_actions Pull requests that update GitHub Actions code dependencies Pull requests that update a dependency file labels Aug 12, 2025
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 12, 2025
edited
Loading

Walkthrough

Bulk update of GitHub Actions workflows to use actions/checkout@v5 instead of @v4. Additionally, the butterflynet workflow modifies the Setup sccache step to continue on error.

Changes

Cohort / File(s) Summary of changes
Checkout action bump to v5
.github/workflows/cargo-advisories.yml, .github/workflows/checkpoints.yml, .github/workflows/curio-devnet-publish.yml, .github/workflows/docker.yml, .github/workflows/dockerfile-check.yml, .github/workflows/docs-*.yml, .github/workflows/forest.yml, .github/workflows/go-lint.yml, .github/workflows/link-check.yml, .github/workflows/lotus-*.yml, .github/workflows/release*.yml, .github/workflows/rpc*.yml, .github/workflows/rust-lint.yml, .github/workflows/scripts-lint.yml, .github/workflows/snapshot-parity.yml, .github/workflows/unit-tests.yml		 Replace actions/checkout@v4 with actions/checkout@v5 (multiple occurrences where applicable). No other logic changes.
Butterflynet sccache handling
.github/workflows/butterflynet.yml		 Checkout step bumped to actions/checkout@v5 and Setup sccache step now uses continue-on-error: true.

Sequence Diagram(s)

sequenceDiagram
  actor Dev as Developer/Trigger
  participant GH as GitHub Actions
  participant Job as butterflynet Job
  Dev->>GH: Trigger butterflynet workflow
  GH->>Job: Start job
  Job->>Job: Checkout (actions/checkout@v5)
  Job->>Job: Setup sccache (continue-on-error: true)
  note right of Job: Failures here do not fail the job
  Job->>Job: Subsequent build/test steps
  Job-->>GH: Job result
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • elmattic
  • akaladarshi
  • sudo-shashank
✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-5
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Aug 12, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (7)
.github/workflows/dockerfile-check.yml (1)

14-14: Checkout upgraded to v5 — verify runner version compatibility

Looks good. Since actions/checkout@v5 requires a minimum Actions runner version v2.327.1 and uses Node 24 under the hood, please ensure the ubuntu-24.04-arm runner pool meets that minimum (especially if this is a non-GitHub-hosted/third-party image).

If this pool is third-party or self-hosted, confirm they’ve rolled out runner >= v2.327.1 to avoid runtime failures.

.github/workflows/snapshot-parity.yml (1)

12-12: Validate BuildJet runner compatibility with checkout@v5

actions/checkout@v5 requires Actions runner >= v2.327.1 and Node 24 support. Since this job runs on buildjet-4vcpu-ubuntu-2204, please confirm BuildJet’s runner images meet the minimum runner version.

You might add a short diagnostic step (temporary) to record image metadata for debugging in case of failures (e.g., print ImageOS/ImageVersion if available).

.github/workflows/docs-auto-update.yml (1)

13-13: LGTM; consider aligning Node versions used elsewhere

The checkout@v5 bump is fine. Minor: this workflow later sets up Node "18" for docs tooling. Given Node 18 is aging, consider moving to Node 20+ LTS when convenient to align with the ecosystem and reduce future maintenance.

.github/workflows/docs-deploy.yml (1)

31-31: Optional: Consider updating Node version used for docs build

Step below uses setup-node with node-version "18", which is past/near EOL in 2025. Consider moving to an active LTS (e.g., 20 or 22) when convenient to reduce future maintenance.

.github/workflows/release_dispatch.yml (1)

25-25: Optional: Pin GitHub Actions by commit SHA for supply-chain hardening

If your org’s policy allows, consider pinning actions/checkout@v5 to a specific commit SHA to prevent unexpected changes from new tags.

Also applies to: 62-62

.github/workflows/scripts-lint.yml (1)

21-21: Optional: Pin actions by SHA

For stronger supply-chain guarantees, consider pinning actions/checkout@v5 (and other third-party actions) to immutable SHAs.

Also applies to: 29-29, 42-42, 55-55, 77-77

.github/workflows/release.yml (1)

21-21: Optional: Pin actions/checkout to a commit SHA

If you want extra stability/security for release pipelines, consider pinning to a specific v5 commit SHA.

Also applies to: 59-59

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 59ca796 and abe300c.

📒 Files selected for processing (23)
  • .github/workflows/butterflynet.yml (1 hunks)
  • .github/workflows/cargo-advisories.yml (1 hunks)
  • .github/workflows/checkpoints.yml (1 hunks)
  • .github/workflows/curio-devnet-publish.yml (1 hunks)
  • .github/workflows/docker.yml (3 hunks)
  • .github/workflows/dockerfile-check.yml (1 hunks)
  • .github/workflows/docs-auto-update.yml (1 hunks)
  • .github/workflows/docs-check.yml (1 hunks)
  • .github/workflows/docs-deploy.yml (1 hunks)
  • .github/workflows/docs-required-override.yml (2 hunks)
  • .github/workflows/forest.yml (20 hunks)
  • .github/workflows/go-lint.yml (1 hunks)
  • .github/workflows/link-check.yml (1 hunks)
  • .github/workflows/lotus-api-bump.yml (1 hunks)
  • .github/workflows/lotus-devnet-publish.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/release_dispatch.yml (2 hunks)
  • .github/workflows/rpc-parity.yml (1 hunks)
  • .github/workflows/rpc_test_repeat.yml (1 hunks)
  • .github/workflows/rust-lint.yml (2 hunks)
  • .github/workflows/scripts-lint.yml (4 hunks)
  • .github/workflows/snapshot-parity.yml (1 hunks)
  • .github/workflows/unit-tests.yml (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-07T13:12:23.359Z 
Learnt from: hanabi1224
PR: ChainSafe/forest#5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and was released on August 2, 2025. It is currently the latest stable version and can be used in Makefiles and CI configurations. The version follows the v2.x.x numbering scheme, not v1.x.x as I previously incorrectly stated.

Applied to files:

  • .github/workflows/go-lint.yml
📚 Learning: 2025-08-07T13:12:23.359Z 
Learnt from: hanabi1224
PR: ChainSafe/forest#5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and is a valid release that can be used in Makefiles and CI configurations. It was released after v2.3.0.

Applied to files:

  • .github/workflows/go-lint.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: tests
  • GitHub Check: tests-release
  • GitHub Check: Check
  • GitHub Check: All lint checks
  • GitHub Check: Deploy to Cloudflare Pages
  • GitHub Check: Build MacOS
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build Ubuntu
🔇 Additional comments (22)
.github/workflows/cargo-advisories.yml (1)

10-10: LGTM; confirm runner meets v5 requirements

The bump to actions/checkout@v5 is appropriate. Please verify ubuntu-24.04-arm runners are on Actions runner >= v2.327.1 to satisfy the new Node 24 requirement.

.github/workflows/lotus-devnet-publish.yml (1)

19-19: LGTM: checkout@v5 on GitHub-hosted ubuntu-24.04

No issues spotted; this runner should already meet the required minimum version for checkout v5.

.github/workflows/curio-devnet-publish.yml (1)

19-19: LGTM: checkout@v5

Upgrade is straightforward and appropriate for this workflow on ubuntu-24.04.

.github/workflows/checkpoints.yml (1)

12-12: LGTM; double-check custom arm pool compatibility

Bump to checkout@v5 looks good. Please ensure ubuntu-24.04-arm runner pool satisfies minimum Actions runner v2.327.1 required by v5.

.github/workflows/rpc-parity.yml (1)

19-19: LGTM: checkout@v5 on ubuntu-24.04

Straightforward upgrade; no concerns here.

.github/workflows/go-lint.yml (2)

37-37: LGTM: checkout upgraded to v5

This aligns with the repo-wide migration and should be compatible with GitHub-hosted runners.

37-37: No self-hosted runners detected; GitHub-hosted satisfy actions/checkout@v5 requirements.

A search across all .github/workflows found no references to self-hosted, so only GitHub-hosted runners are used—and they already meet the v2.327.1+ requirement for actions/checkout@v5. No further action needed.

.github/workflows/docs-deploy.yml (1)

31-31: LGTM: checkout upgraded to v5

No behavior change expected for this job.

.github/workflows/lotus-api-bump.yml (1)

14-14: LGTM: checkout upgraded to v5

Compatible with the rest of the workflow; no additional changes required.

.github/workflows/release_dispatch.yml (1)

25-25: LGTM: checkout upgraded to v5 in Build and Publish jobs

Both steps now align with the repo-wide standard.

Also applies to: 62-62

.github/workflows/scripts-lint.yml (1)

21-21: LGTM: checkout upgraded to v5 across all jobs

Consistent upgrade in shellcheck, rubocop, python-lint, docker-lint, and yaml-lint jobs.

Also applies to: 29-29, 42-42, 55-55, 77-77

.github/workflows/link-check.yml (1)

33-33: LGTM: checkout upgraded to v5

No downstream impact expected on lychee step.

.github/workflows/rpc_test_repeat.yml (1)

32-32: LGTM: checkout upgraded to v5

Change is straightforward; rest of the job remains unaffected.

.github/workflows/release.yml (1)

21-21: LGTM: checkout upgraded to v5 in both Build and Publish jobs

Matches the migration pattern elsewhere.

Also applies to: 59-59

.github/workflows/unit-tests.yml (2)

66-66: LGTM: checkout bumped to v5.

No functional changes introduced here; aligns with the PR objective.

44-44: Verify BuildJet runner versions for actions/checkout@v5

actions/checkout@v5 upgrade is in place and no older v1–v4 references remain. However, there are non-GitHub-hosted runners that you’ll need to validate meet the minimum GitHub Actions Runner v2.327.1 requirement:

• .github/workflows/snapshot-parity.yml:9 runs-on: buildjet-4vcpu-ubuntu-2204
• .github/workflows/forest.yml:544 runs-on: buildjet-8vcpu-ubuntu-2204

Please confirm with BuildJet (or your self-hosted setup) that those images include Actions Runner v2.327.1 or later.

.github/workflows/forest.yml (1)

51-51: Bulk bump to actions/checkout@v5 is consistent and appropriate.

This aligns the entire workflow with the new major, reducing maintenance fragmentation. One operational note: the calibnet-rpc-checks job uses a BuildJet runner—ensure its Actions Runner version meets the v5 minimum (v2.327.1).

If helpful, run the verification script from my earlier comment in unit-tests.yml to reconfirm there are no leftover checkout<5 references and to list non-GitHub-hosted runner labels for runner version validation.

Also applies to: 78-78, 101-101, 124-124, 147-147, 176-176, 202-202, 227-227, 250-250, 277-277, 299-299, 321-321, 342-342, 363-363, 387-387, 420-420, 467-467, 504-504, 523-523, 549-549

.github/workflows/rust-lint.yml (1)

48-48: LGTM: checkout upgraded to v5 in both jobs.

No behavior change expected; matches the repository-wide upgrade path.

Also applies to: 74-74

.github/workflows/docker.yml (1)

57-57: LGTM: all checkout steps moved to v5.

This is a straight version bump without side effects. As a general sanity check, ensure any non-GitHub-hosted runners used by dependent jobs meet the minimum runner version requirement for checkout v5.

You can reuse the verification script provided in unit-tests.yml to confirm environment readiness.

Also applies to: 100-100, 137-137

.github/workflows/butterflynet.yml (1)

22-22: LGTM: checkout step updated to v5.

Change is in line with the rest of the repository.

.github/workflows/docs-check.yml (1)

33-33: LGTM: docs workflow now uses checkout v5.

No impact on the rest of the steps; expected to be a no-op behavior change.

.github/workflows/docs-required-override.yml (1)

35-35: LGTM: both path-filter jobs upgraded to checkout v5.

Keeps the “required checks override” workflows consistent with the global upgrade.

Also applies to: 49-49

@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Aug 12, 2025
Merged via the queue into main with commit 1a5897f Aug 12, 2025
52 of 70 checks passed
@LesnyRumcajs LesnyRumcajs deleted the dependabot/github_actions/actions/checkout-5 branch August 12, 2025 08:13
LesnyRumcajs added a commit that referenced this pull request Aug 13, 2025
@LesnyRumcajs
Revert "chore(deps): bump actions/checkout from 4 to 5 (#5927)"
11a02f3 
This reverts commit 1a5897f.
@coderabbitai coderabbitai bot mentioned this pull request Aug 13, 2025
Merged
4 tasks
github-merge-queue bot pushed a commit that referenced this pull request Aug 13, 2025
@LesnyRumcajs
Revert "chore(deps): bump actions/checkout from 4 to 5 (#5927)" (#5929)
88d31cc
@coderabbitai coderabbitai bot mentioned this pull request Oct 13, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Nov 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@hanabi1224 hanabi1224 hanabi1224 approved these changes

@LesnyRumcajs LesnyRumcajs LesnyRumcajs approved these changes

@sudo-shashank sudo-shashank Awaiting requested review from sudo-shashank sudo-shashank is a code owner automatically assigned from ChainSafe/forest

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hanabi1224 @LesnyRumcajs