ci(deps): bump actions/checkout from 6.0.2 to 6.0.3

[dependabot]

Bumps actions/checkout from 6.0.2 to 6.0.3.

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated the GitHub Actions checkout action to a newer version across all continuous integration, testing, and deployment workflows. These routine infrastructure updates enhance system reliability and maintain current security standards across all automated build, test, validation, and deployment processes. No functional changes to user-facing features.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the pinned actions/checkout GitHub Action from version v6.0.2 to v6.0.3 across 13 workflow files in the .github/workflows/ directory. The changes include both reusable workflows (codespell, cpo-container-sync, dependabot-commit-fix, docs-build, envtest-kube, envtest-ocp, gitlint, gocacheprog-test, lint, test, verify) and direct workflow files (address-review-comments, sync-community-fork, validate-cpo-overrides). Workflows with multiple jobs that use checkout were updated in both job contexts. No workflow logic, job structure, or subsequent action behavior was modified.

Suggested reviewers

• sjenning
• enxebre
• bryan-cox

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: bumping the actions/checkout dependency from version 6.0.2 to 6.0.3 across multiple workflow files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only modifies GitHub Actions workflows to bump actions/checkout version; no Ginkgo test files are changed, so check is not applicable.
Test Structure And Quality	✅ Passed	Custom check requires reviewing Ginkgo test code, but PR contains only GitHub Actions workflow updates with no test files modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates GitHub Actions workflow files (actions/checkout v6.0.2→v6.0.3), not deployment manifests, operator code, or controllers. Check for topology-aware scheduling is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only updates GitHub Actions workflow files to bump actions/checkout; no new Ginkgo e2e tests are added, so the IPv6/disconnected network check is not applicable.
No-Weak-Crypto	✅ Passed	PR only updates actions/checkout version in GitHub Actions workflows; no weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) usage introduced or present in changes.
Container-Privileges	✅ Passed	No container or Kubernetes manifests found in PR. Changes are GitHub Actions workflow dependency updates (actions/checkout v6.0.2→v6.0.3) with no privilege-related configurations.
No-Sensitive-Data-In-Logs	✅ Passed	PR adds GitHub workflow files and scripts without exposing sensitive data in logs. Secrets use proper GitHub Actions masking; tokens in curl commands are redirected to files, not printed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/checkout-6.0.3

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign csrwng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/gocacheprog-test-reusable.yaml:
- Line 15: The workflow currently pins actions/checkout to the wrong commit SHA
(uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) while labeling
it as v6.0.3; update the pin so the tag and SHA match by replacing the SHA with
the correct commit for v6.0.3 (9f698171ed81b15d1823a05fc7211befd50c8ae0) or
simply use the tag name (actions/checkout@v6.0.3) in the line referencing
actions/checkout to ensure consistency.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5aa87a4a-95d5-4b13-937c-8592a2d9eca6

📥 Commits

Reviewing files that changed from the base of the PR and between f13c62d and 177142e.

📒 Files selected for processing (14)

• .github/workflows/address-review-comments.yaml
• .github/workflows/codespell-reusable.yaml
• .github/workflows/cpo-container-sync-reusable.yaml
• .github/workflows/dependabot-commit-fix-reusable.yaml
• .github/workflows/docs-build-reusable.yaml
• .github/workflows/envtest-kube-reusable.yaml
• .github/workflows/envtest-ocp-reusable.yaml
• .github/workflows/gitlint-reusable.yaml
• .github/workflows/gocacheprog-test-reusable.yaml
• .github/workflows/lint-reusable.yaml
• .github/workflows/sync-community-fork.yaml
• .github/workflows/test-reusable.yaml
• .github/workflows/validate-cpo-overrides.yaml
• .github/workflows/verify-reusable.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that the commit SHA matches the v6.0.3 tag in actions/checkout

# Fetch the commit SHA for the v6.0.3 tag from the actions/checkout repository
gh api repos/actions/checkout/git/ref/tags/v6.0.3 --jq '.object.sha'

# Expected: df4cb1c069e1874edd31b4311f1884172cec0e10

Repository: openshift/hypershift

Length of output: 105

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

PINNED_SHA="df4cb1c069e1874edd31b4311f1884172cec0e10"

echo "v6.0.3 tag -> expected object.sha"
gh api repos/actions/checkout/git/ref/tags/v6.0.3 --jq '.object.sha'

echo
echo "Find which actions/checkout tag maps to pinned SHA (top 100 tags)"
gh api repos/actions/checkout/tags --paginate --jq '.[] | {name: .name, commit: .commit.sha}' \
  | python3 - <<PY
import sys, json
pinned = "$PINNED_SHA"
hits = []
for line in sys.stdin:
    line=line.strip()
    if not line: 
        continue
    try:
        obj=json.loads(line)
    except Exception:
        continue
    if obj.get("commit","").lower()==pinned.lower():
        hits.append(obj.get("name"))
if hits:
    print("Pinned SHA matches tag(s):", ", ".join(hits))
else:
    print("Pinned SHA not found in returned tag list.")
PY

Repository: openshift/hypershift

Length of output: 251

---

Fix actions/checkout SHA pin to match v6.0.3
The v6.0.3 tag in actions/checkout resolves to 9f698171ed81b15d1823a05fc7211befd50c8ae0, but the workflow pins df4cb1c069e1874edd31b4311f1884172cec0e10 (# v6.0.3), so the tag/SHA mapping is incorrect.

- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gocacheprog-test-reusable.yaml at line 15, The workflow
currently pins actions/checkout to the wrong commit SHA (uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10) while labeling it as
v6.0.3; update the pin so the tag and SHA match by replacing the SHA with the
correct commit for v6.0.3 (9f698171ed81b15d1823a05fc7211befd50c8ae0) or simply
use the tag name (actions/checkout@v6.0.3) in the line referencing
actions/checkout to ensure consistency.

[openshift-ci]

@dependabot[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.