Skip to content

chore(deps): bump actions/checkout from 5 to 6 #6261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hanabi1224 merged 1 commit into from
Nov 27, 2025
Merged

chore(deps): bump actions/checkout from 5 to 6 #6261

hanabi1224 merged 1 commit into from
Nov 27, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 24, 2025
edited by coderabbitai bot
Loading

Bumps actions/checkout from 5 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

V6.0.0

V5.0.1

V5.0.0

V4.3.1

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions checkout action from version 5 to version 6 across all continuous integration and deployment workflows
    • Modernized CI/CD infrastructure and platform tooling to maintain operational stability
    • Improved consistency and reliability of automated testing, building, and deployment processes

✏️ Tip: You can customize this high-level summary in your review settings.

@dependabot
chore(deps): bump actions/checkout from 5 to 6
91dc7cc 
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Nov 24, 2025
@dependabot dependabot bot requested a review from a team as a code owner November 24, 2025 19:23
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 24, 2025
@dependabot dependabot bot requested review from hanabi1224 and removed request for a team November 24, 2025 19:23
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 24, 2025
edited
Loading

Walkthrough

GitHub Actions workflows upgraded from actions/checkout@v5 to actions/checkout@v6 across all .github/workflows/ files. Additionally, continue-on-error: true was added to the sccache setup step in butterflynet.yml, and the GitHub App token generation step was removed from lotus-api-bump.yml.

Changes

Cohort / File(s) Summary
Checkout action upgrade (v5 → v6)
.github/workflows/cargo-advisories.yml, .github/workflows/checkpoints.yml, .github/workflows/curio-devnet-publish.yml, .github/workflows/docker-dev.yml, .github/workflows/dockerfile-check.yml, .github/workflows/docs-auto-update.yml, .github/workflows/docs-check.yml, .github/workflows/docs-deploy.yml, .github/workflows/docs-required-override.yml, .github/workflows/go-lint.yml, .github/workflows/link-check.yml, .github/workflows/lotus-devnet-publish.yml, .github/workflows/rpc-parity.yml, .github/workflows/snapshot-parity.yml		 Updated uses: actions/checkout@v5 to uses: actions/checkout@v6 in checkout steps.
Checkout action upgrade with multiple locations
.github/workflows/docker.yml, .github/workflows/forest.yml, .github/workflows/release.yml, .github/workflows/release_dispatch.yml, .github/workflows/rust-lint.yml, .github/workflows/scripts-lint.yml, .github/workflows/unit-tests.yml		 Updated uses: actions/checkout@v5 to uses: actions/checkout@v6 across multiple workflow jobs and steps within each file.
Butterflynet sccache & checkout
.github/workflows/butterflynet.yml		 Updated checkout action from v5 to v6 and added continue-on-error: true to the Setup sccache step.
Lotus API bump (checkout + token removal)
.github/workflows/lotus-api-bump.yml		 Updated checkout action from v5 to v6 and removed the entire actions/create-github-app-token@v2 step and its associated step ID reference.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Attention required:
    • .github/workflows/lotus-api-bump.yml — Removal of the GitHub App token generation step may break the subsequent Pull Request creation step if it depends on that token. Verify that the Create Pull Request step either uses an alternative token source or the workflow is intentionally being disabled for this functionality.
    • .github/workflows/butterflynet.yml — Verify that continue-on-error: true on sccache setup is intentional and won't mask real failures in subsequent build steps.

Possibly related PRs

Suggested reviewers

  • hanabi1224
  • sudo-shashank
  • akaladarshi

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore(deps): bump actions/checkout from 5 to 6' directly and clearly summarizes the main change across all modified workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-6
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d1ec2c8 and 91dc7cc.

📒 Files selected for processing (23)
  • .github/workflows/butterflynet.yml (1 hunks)
  • .github/workflows/cargo-advisories.yml (1 hunks)
  • .github/workflows/checkpoints.yml (1 hunks)
  • .github/workflows/curio-devnet-publish.yml (1 hunks)
  • .github/workflows/docker-dev.yml (1 hunks)
  • .github/workflows/docker.yml (3 hunks)
  • .github/workflows/dockerfile-check.yml (1 hunks)
  • .github/workflows/docs-auto-update.yml (1 hunks)
  • .github/workflows/docs-check.yml (1 hunks)
  • .github/workflows/docs-deploy.yml (1 hunks)
  • .github/workflows/docs-required-override.yml (2 hunks)
  • .github/workflows/forest.yml (22 hunks)
  • .github/workflows/go-lint.yml (1 hunks)
  • .github/workflows/link-check.yml (1 hunks)
  • .github/workflows/lotus-api-bump.yml (1 hunks)
  • .github/workflows/lotus-devnet-publish.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/release_dispatch.yml (2 hunks)
  • .github/workflows/rpc-parity.yml (1 hunks)
  • .github/workflows/rust-lint.yml (2 hunks)
  • .github/workflows/scripts-lint.yml (5 hunks)
  • .github/workflows/snapshot-parity.yml (1 hunks)
  • .github/workflows/unit-tests.yml (2 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-08-07T13:12:23.359Z 
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and is a valid release that can be used in Makefiles and CI configurations. It was released after v2.3.0.

Applied to files:

  • .github/workflows/go-lint.yml
📚 Learning: 2025-08-07T13:12:23.359Z 
Learnt from: hanabi1224
Repo: ChainSafe/forest PR: 5886
File: Makefile:1-1
Timestamp: 2025-08-07T13:12:23.359Z
Learning: golangci-lint version v2.3.1 exists and was released on August 2, 2025. It is currently the latest stable version and can be used in Makefiles and CI configurations. The version follows the v2.x.x numbering scheme, not v1.x.x as I previously incorrectly stated.

Applied to files:

  • .github/workflows/go-lint.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: tests
  • GitHub Check: All lint checks
  • GitHub Check: tests-release
  • GitHub Check: Deploy to Cloudflare Pages
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
🔇 Additional comments (25)
.github/workflows/butterflynet.yml (1)

22-22: v6 upgrade is compatible; verify self-hosted runner version.

The v6 upgrade changes how credentials are persisted, storing them under $RUNNER_TEMP instead of directly in the local git config, which requires a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. Since this workflow uses ubuntu-24.04-arm (self-hosted), ensure your arm runners are on v2.329.0 or later. GitHub-hosted runners auto-update, so no action needed there.

The upgrade is otherwise safe and improves security; no workflow changes are required.

.github/workflows/checkpoints.yml (1)

12-12: v6 upgrade is compatible; verify self-hosted runner version.

The v6 upgrade changes how credentials are persisted, storing them under $RUNNER_TEMP instead of directly in the local git config, which requires a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. Since this workflow uses ubuntu-24.04-arm (self-hosted), ensure your arm runners are on v2.329.0 or later.

The upgrade is otherwise safe; no workflow changes needed.

.github/workflows/curio-devnet-publish.yml (1)

19-19: v6 upgrade is approved; GitHub-hosted runners auto-update.

This workflow uses ubuntu-24.04 (GitHub-hosted runners), which auto-update and are already on Runner v2.329.0+, so the v6 upgrade is fully compatible. The credential storage change in v6 is a security improvement and transparent to this workflow.

.github/workflows/rust-lint.yml (2)

48-48: v6 upgrade in lint-all job is compatible; verify self-hosted runner version.

The v6 upgrade changes how credentials are persisted, storing them under $RUNNER_TEMP instead of directly in the local git config, which requires a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. The workflow uses ubuntu-24.04-arm (self-hosted), so ensure arm runners are on v2.329.0 or later.

The upgrade is otherwise safe; no workflow changes needed.

74-74: v6 upgrade in dependencies-check job is compatible; verify self-hosted runner version.

Same runner version considerations as the lint-all job above—ensure ubuntu-24.04-arm self-hosted runners are on v2.329.0 or later for Docker container scenarios.

.github/workflows/docs-check.yml (1)

33-33: v6 upgrade is compatible; verify self-hosted runner version.

The v6 upgrade changes credential storage, storing credentials under $RUNNER_TEMP instead of the local git config, which requires a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. The workflow uses ubuntu-24.04-arm (self-hosted), so ensure your arm runners are on v2.329.0 or later.

The upgrade is otherwise safe; no workflow changes needed.

.github/workflows/unit-tests.yml (2)

44-44: v6 upgrade in tests job is compatible; verify self-hosted runner version.

The v6 upgrade changes credential storage to use $RUNNER_TEMP instead of the local git config, requiring a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. The workflow uses ubuntu-24.04-arm (self-hosted), so ensure arm runners are on v2.329.0 or later.

The upgrade is otherwise safe; no workflow changes needed.

66-66: v6 upgrade in tests-release job is compatible; verify self-hosted runner version.

Same runner version considerations as the tests job above—ensure ubuntu-24.04-arm self-hosted runners are on v2.329.0 or later.

.github/workflows/docs-auto-update.yml (1)

13-13: v6 upgrade is compatible; verify self-hosted runner and signed commits flow.

The v6 upgrade changes how credentials are persisted, storing them under $RUNNER_TEMP instead of directly in the local git config, requiring a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. Since this workflow uses ubuntu-24.04-arm (self-hosted), ensure your arm runners are on v2.329.0 or later.

This workflow includes signed commits via the GitHub App token (lines 26–38). The credential storage change persists credentials under $RUNNER_TEMP instead of in the local git config. Verify that signed commits continue to work correctly with the new credential storage location; git CLI should transparently access credentials from $RUNNER_TEMP.

.github/workflows/cargo-advisories.yml (1)

10-10: v6 upgrade is compatible; verify self-hosted runner version.

The v6 upgrade changes credential storage to use $RUNNER_TEMP instead of the local git config, requiring a minimum Actions Runner version of v2.329.0 for Docker container action scenarios. Since this workflow uses ubuntu-24.04-arm (self-hosted), ensure your arm runners are on v2.329.0 or later.

The upgrade is otherwise safe; no workflow changes needed.

.github/workflows/rpc-parity.yml (1)

19-19: Straightforward version upgrade.

The checkout action version bump is applied correctly with no configuration changes.

.github/workflows/docker-dev.yml (1)

21-21: Straightforward version upgrade with ref parameter.

The checkout upgrade is correct; the ref input parameter works identically in v6.

.github/workflows/go-lint.yml (1)

37-37: Straightforward version upgrade.

The checkout action upgrade is clean; lint operations do not depend on git credentials.

.github/workflows/snapshot-parity.yml (1)

12-12: Straightforward version upgrade.

The checkout action version bump is applied correctly.

.github/workflows/docs-required-override.yml (1)

35-35: Straightforward version upgrades.

The checkout action version bumps are applied correctly in both path-filtering jobs. No git operations beyond source checkout are performed.

Also applies to: 49-49

.github/workflows/docs-deploy.yml (1)

31-31: No git-based dependencies detected in yarn.lock—upgrade is compatible.

Verification confirms there are no git-based dependencies in yarn.lock (0 occurrences of "git+"), confirming that the workflow's yarn --immutable approach with the lock file is unaffected by credential persistence changes in actions/checkout@v6.

.github/workflows/release.yml (1)

21-21: Cargo.lock contains no git dependencies—code changes are compatible.

Verification confirms that Cargo.lock exclusively uses registry sources (crates.io). No git credentials are required for cargo publish or cargo build operations, so the checkout@v6 upgrade is safe.

.github/workflows/release_dispatch.yml (1)

25-25: The concern raised in this review comment does not apply to this codebase.

The v6 credential persistence mechanism only affects git-based cargo dependencies or registries that relied on auth tokens in .git/config. Verification confirms:

  • Zero git-based dependencies in Cargo.lock and all Cargo.toml files
  • No git operations invoked during build or publish
  • Workflow uses explicit CARGO_REGISTRY_TOKEN for publish

The upgrade to actions/checkout@v6 is safe and requires no additional changes.

Likely an incorrect or invalid review comment.

.github/workflows/lotus-devnet-publish.yml (1)

19-19: Checkout upgrade is clean. The v5→v6 upgrade is straightforward; this workflow doesn't perform git operations post-checkout or rely on git config credentials.

.github/workflows/dockerfile-check.yml (1)

14-14: Checkout upgrade looks good. No git operations or credential dependencies after checkout.

.github/workflows/scripts-lint.yml (1)

21-21: All checkout upgrades across linting jobs are clean. These are straightforward v5→v6 bumps with no git operations or credential dependencies post-checkout.

Also applies to: 29-29, 42-42, 55-55, 77-77, 88-88

.github/workflows/link-check.yml (1)

33-33: Checkout upgrade is straightforward. No post-checkout git operations; lychee action works independently of git config.

.github/workflows/forest.yml (1)

53-53: All checkout upgrades across integration test jobs are clean. These are straightforward v5→v6 bumps with no custom token handling, and post-checkout operations (artifact downloads, test scripts) don't depend on git config credentials.

Also applies to: 80-80, 106-106, 129-129, 151-151, 184-184, 210-210, 235-235, 257-257, 285-285, 307-307, 329-329, 351-351, 372-372, 394-394, 420-420, 449-449, 483-483, 530-530, 567-567, 586-586, 613-613

.github/workflows/docker.yml (1)

57-57: All checkout upgrades are clean and straightforward. No git operations or credential dependencies after checkout; Docker builds proceed normally.

Also applies to: 100-100, 137-137

.github/workflows/lotus-api-bump.yml (1)

14-14: Checkout upgrade is fine, but the AI summary is inconsistent.

The summary claims: "Removed the step that generates a GitHub App token (actions/create-github-app-token@v2)". However, lines 32–36 show this step is present and unmarked (not changed in this PR), so it remains in the workflow. The Create Pull Request step at line 42 correctly references ${{ steps.generate-token.outputs.token }} from this step.

Clarify with the team whether the token generation step should have been removed (if so, line 42's token reference needs adjustment) or whether the AI summary is simply incorrect.

Comment @coderabbitai help to get the list of available commands and usage tips.

@hanabi1224 hanabi1224 enabled auto-merge November 27, 2025 02:59
@hanabi1224 hanabi1224 added this pull request to the merge queue Nov 27, 2025
Merged via the queue into main with commit 58bd71b Nov 27, 2025
55 of 76 checks passed
@hanabi1224 hanabi1224 deleted the dependabot/github_actions/actions/checkout-6 branch November 27, 2025 03:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanabi1224 hanabi1224 hanabi1224 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hanabi1224