Merged
2 changes: 1 addition & 1 deletion .github/workflows/rust.yml
Expand Up @@ -34,7 +34,7 @@ jobs:

steps:
- name: 📥 Checkout sources
uses: actions/checkout@v4
uses: actions/checkout@v6
Comment on lines 36 to +37
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the official commit SHA for the latest stable actions/checkout v6 release, and does its README document persist-credentials default behavior and security implications?

💡 Result:

The latest stable release of actions/checkout as of June 1, 2026, is v6.0.2 [1]. The commit SHA for v6.0.2 is 11bd70f011116c478a87693246313203f56b7c5e. Regarding persist-credentials:

- The README explicitly documents the persist-credentials input [2][3].
- Its default behavior is true, meaning the action configures the authentication token (or SSH key) with the local git config to enable authenticated git commands [2][3].
- In v6, the action has been updated to improve security: instead of storing credentials directly in .git/config, they are now stored in a separate file under $RUNNER_TEMP [2][4][3].
- While the README highlights this as "improved credential security" [2][3], it acknowledges that the token remains available to subsequent steps in the job [2]. Users who wish to disable this behavior can explicitly set persist-credentials: false [2][3].

Citations:


Pin actions/checkout and disable persisted credentials

Line 37 uses mutable actions/checkout@v6, which weakens supply-chain guarantees; hard-pin to the v6.0.2 commit SHA. Also disable credential persistence since this workflow doesn’t need authenticated git credentials for later steps.

🔐 Proposed hardening patch
       - name: 📥 Checkout sources
-        uses: actions/checkout@v6
+        uses: actions/checkout@11bd70f011116c478a87693246313203f56b7c5e
+        with:
+          persist-credentials: false
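Review bot: the pinned `uses:` line in this hunk should carry the release it resolves to as a trailing comment, e.g. `uses: actions/checkout@11bd70f011116c478a87693246313203f56b7c5e # v6.0.2`, so a reader can tell which version the SHA is without resolving it and dependency-update bots can still recognise the action and propose bumps. The added `persist-credentials: false` rests on the statement above that no later step needs authenticated git credentials; the remaining steps are not visible in this hunk, so that should be confirmed against the full workflow before committing, since any later step that pushes, tags, or fetches private git dependencies would start failing.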
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 36-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rust.yml around lines 36 - 37, update the "📥 Checkout
sources" step that currently uses actions/checkout@v6 to hard-pin to the v6.0.2
commit SHA and disable credential persistence; specifically, replace the mutable
reference actions/checkout@v6 with the exact v6.0.2 commit SHA and add
persist-credentials: false to that checkout step so the workflow no longer
retains authenticated git credentials for later steps.


- name: 🦀 Install stable toolchain
uses: dtolnay/rust-toolchain@stable
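Review bot: the `uses: dtolnay/rust-toolchain@stable` step in the trailing context of this hunk is also a mutable tag reference, so the blanket pin-to-hash policy that zizmor cites for line 37 (unpinned-uses) applies to it as well; if this PR is going to pin actions/checkout to a commit SHA, pin the toolchain action in the same change so the workflow satisfies the policy instead of resolving one of two equivalent findings. The bump from @v4 to @v6 itself is fine given the analysis above (v6 moves the persisted token out of .git/config into a file under $RUNNER_TEMP), but that relocation does not remove the token from later steps, which is why `persist-credentials: false` is still warranted.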