Revert "chore(deps): bump actions/checkout from 4 to 5 (#5927)" #5929

Merged
LesnyRumcajs merged 1 commit into main from revert-checkout-4-to-5
Aug 13, 2025
@LesnyRumcajs LesnyRumcajs commented Aug 13, 2025

This reverts commit 1a5897f.

Summary of changes

Changes introduced in this pull request:

Reference issue to close (if applicable)

Closes

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflows to use a consistent checkout action version across builds, tests, linting, docs, and release pipelines.
    • Removed image metadata generation from the devnet publish workflow.
    • No changes to application features or documentation behavior.

@LesnyRumcajs LesnyRumcajs requested a review from a team as a code owner August 13, 2025 08:00
@LesnyRumcajs LesnyRumcajs requested review from elmattic and hanabi1224 and removed request for a team August 13, 2025 08:00
coderabbitai Bot commented Aug 13, 2025

Walkthrough

All touched GitHub Actions workflows downgrade actions/checkout from v5 to v4. One workflow (.github/workflows/curio-devnet-publish.yml) also removes the Docker metadata step while still referencing its outputs in the build step, introducing missing-output references. No other steps or logic are modified.

Changes

Cohort / File(s) and Summary

  • Checkout action downgrade
    Files: .github/workflows/butterflynet.yml, .github/workflows/cargo-advisories.yml, .github/workflows/checkpoints.yml, .github/workflows/docker.yml, .github/workflows/dockerfile-check.yml, .github/workflows/docs-auto-update.yml, .github/workflows/docs-check.yml, .github/workflows/docs-deploy.yml, .github/workflows/docs-required-override.yml, .github/workflows/forest.yml, .github/workflows/go-lint.yml, .github/workflows/link-check.yml, .github/workflows/lotus-api-bump.yml, .github/workflows/lotus-devnet-publish.yml, .github/workflows/release.yml, .github/workflows/release_dispatch.yml, .github/workflows/rpc-parity.yml, .github/workflows/rpc_test_repeat.yml, .github/workflows/rust-lint.yml, .github/workflows/scripts-lint.yml, .github/workflows/snapshot-parity.yml, .github/workflows/unit-tests.yml
    Summary: Replace actions/checkout@v5 with actions/checkout@v4 in the specified steps; no other logic changes.
  • Removed Docker Meta with dangling references
    Files: .github/workflows/curio-devnet-publish.yml
    Summary: Downgrade checkout to v4; remove docker/metadata-action@v5 step; build step still references steps.meta.outputs.* which no longer exist.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

github_actions, dependencies

Suggested reviewers

  • sudo-shashank
  • hanabi1224
  • elmattic
@LesnyRumcajs LesnyRumcajs enabled auto-merge August 13, 2025 08:01
@LesnyRumcajs LesnyRumcajs added the RPC requires calibnet RPC checks to run on CI label Aug 13, 2025
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (7)
.github/workflows/docs-deploy.yml (1)

31-31: Checkout downgrade is fine; pin to SHA for security and consider shallow clone options explicitly

  • Pin actions/checkout to a commit SHA to reduce supply-chain risk.
  • If the docs build doesn’t need git history/tags, keep default fetch-depth (1). If it does (e.g., for versioning), set fetch-depth: 0.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<pinned-sha> # v4
+        # Uncomment if your build requires full history/tags:
+        # with:
+        #   fetch-depth: 0
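Review bot: `<pinned-sha>` on the added `uses:` line is a placeholder and will not resolve if committed as written. Substitute the full commit SHA that the v4 tag points to, and keep the trailing `# v4` comment so the pinned version stays readable in review.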
.github/workflows/lotus-devnet-publish.yml (1)

19-19: Checkout downgrade is fine; consider pinning for supply-chain hardening.
actions/checkout@v4 is correct here. Optionally pin to a specific commit SHA for defense-in-depth.

.github/workflows/docs-required-override.yml (1)

49-49: Consider pinning actions to a commit SHA for supply-chain security.
Optional: pin actions/checkout@v4 to its immutable SHA to avoid surprises from upstream tag retags.

Example:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        # Optionally pin to a specific commit SHA
+        # uses: actions/checkout@<commit-SHA>
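Review bot: the removed and added `uses:` lines are identical, so this hunk leaves the step on the mutable `v4` tag and only adds comments. To actually pin, change the ref on the `uses:` line itself, for example `uses: actions/checkout@<commit-SHA> # v4`, instead of leaving a second, commented-out `uses:` beneath it.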
.github/workflows/curio-devnet-publish.yml (1)

18-20: Pin action to a commit SHA and set least-privilege permissions

  • Supply-chain best practice: pin actions to a commit SHA.
  • Explicitly grant only the permissions needed for GHCR pushes (packages: write, contents: read).

Add this at the job level:

permissions:
  contents: read
  packages: write

And pin checkout to a commit SHA (replace with the official v4 commit):

uses: actions/checkout@<sha> # v4

If you want, I can fetch the current recommended v4 SHA for you.

.github/workflows/release.yml (2)

21-21: Add explicit permissions and pin actions

  • For the Build job, uploading releases requires contents: write.
  • Pin actions to commit SHAs.

Add to the job:

permissions:
  contents: write

And pin:

uses: actions/checkout@<sha> # v4

59-59: Tighten permissions for publish job and pin action

  • cargo publish uses your crates.io token; GITHUB_TOKEN only needs contents: read.
  • Pin checkout to a commit SHA.

Add to the job:

permissions:
  contents: read

And pin:

uses: actions/checkout@<sha> # v4
.github/workflows/unit-tests.yml (1)

44-44: Optional hardening: explicit permissions and pinning

  • Unit test jobs typically only need read access.
  • Pin actions to commit SHAs.

At the workflow or job level:

permissions:
  contents: read

And pin:

uses: actions/checkout@<sha> # v4

If any tests rely on git history or tags, set fetch-depth: 0:

with:
  fetch-depth: 0
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b53690 and 11a02f3.

📒 Files selected for processing (23)
  • .github/workflows/butterflynet.yml (1 hunks)
  • .github/workflows/cargo-advisories.yml (1 hunks)
  • .github/workflows/checkpoints.yml (1 hunks)
  • .github/workflows/curio-devnet-publish.yml (1 hunks)
  • .github/workflows/docker.yml (3 hunks)
  • .github/workflows/dockerfile-check.yml (1 hunks)
  • .github/workflows/docs-auto-update.yml (1 hunks)
  • .github/workflows/docs-check.yml (1 hunks)
  • .github/workflows/docs-deploy.yml (1 hunks)
  • .github/workflows/docs-required-override.yml (2 hunks)
  • .github/workflows/forest.yml (20 hunks)
  • .github/workflows/go-lint.yml (1 hunks)
  • .github/workflows/link-check.yml (1 hunks)
  • .github/workflows/lotus-api-bump.yml (1 hunks)
  • .github/workflows/lotus-devnet-publish.yml (1 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/release_dispatch.yml (2 hunks)
  • .github/workflows/rpc-parity.yml (1 hunks)
  • .github/workflows/rpc_test_repeat.yml (1 hunks)
  • .github/workflows/rust-lint.yml (2 hunks)
  • .github/workflows/scripts-lint.yml (4 hunks)
  • .github/workflows/snapshot-parity.yml (1 hunks)
  • .github/workflows/unit-tests.yml (2 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: LesnyRumcajs
PR: ChainSafe/forest#5907
File: src/rpc/methods/state.rs:523-570
Timestamp: 2025-08-06T15:44:33.467Z
Learning: LesnyRumcajs prefers to rely on BufWriter's Drop implementation for automatic flushing rather than explicit flush() calls in Forest codebase.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: Build Ubuntu
  • GitHub Check: Build MacOS
  • GitHub Check: cargo-publish-dry-run
  • GitHub Check: tests
  • GitHub Check: tests-release
  • GitHub Check: All lint checks
  • GitHub Check: Check
  • GitHub Check: Build forest binaries on Linux AMD64
  • GitHub Check: Deploy to Cloudflare Pages
  • GitHub Check: Analyze (rust)
  • GitHub Check: Analyze (go)
🔇 Additional comments (43)
.github/workflows/lotus-api-bump.yml (2)

14-14: Revert to actions/checkout@v4 looks good.
No functional differences in this workflow beyond the checkout version change. Safe downgrade.


14-14: All clear: no remaining actions/checkout@v5 or unpaired steps.meta.outputs references
Ran a repository-wide search and confirmed:

  • No uses: actions/checkout@v5 occurrences
  • No workflows reference steps.meta.outputs.{tags,labels} without a docker/metadata-action step

No further action required.

.github/workflows/scripts-lint.yml (1)

21-21: All checkout downgrades to v4 are consistent and safe.
No impact on subsequent steps. Good consistency across jobs.

Also applies to: 29-29, 42-42, 55-55, 77-77

.github/workflows/dockerfile-check.yml (1)

14-14: LGTM on reverting to actions/checkout@v4.
Workflow behavior remains unchanged; Docker build/run steps unaffected.

.github/workflows/docs-check.yml (1)

33-33: LGTM on checkout v4.
Docs checks remain the same; no behavioral changes expected.

.github/workflows/cargo-advisories.yml (1)

10-10: actions/checkout@v4 downgrade verified — no remaining v5 references or metadata issues

  • No occurrences of actions/checkout@v5 found across workflows.
  • In .github/workflows/curio-devnet-publish.yml, the meta step (id: meta) correctly defines tags and labels outputs, so downstream references are valid.

Consider pinning actions/checkout@v4 to a specific commit SHA for stronger supply-chain guarantees.

.github/workflows/link-check.yml (1)

33-33: LGTM: Checkout reverted to v4

Change is consistent with the PR’s objective; no functional impact expected for this workflow.

.github/workflows/butterflynet.yml (1)

22-22: LGTM: Checkout reverted to v4

Matches the revert scope; the rest of the pipeline remains unaffected.

.github/workflows/release_dispatch.yml (1)

25-25: LGTM: Both checkout steps reverted to v4

Revert is applied consistently in Build and Publish jobs. No other behavioral changes introduced.

Also applies to: 62-62

.github/workflows/rpc-parity.yml (1)

19-19: LGTM: Checkout reverted to v4

Aligned with the PR’s intent. No downstream steps rely on checkout v5 specifics here.

.github/workflows/docs-required-override.yml (1)

35-35: Downgrade to actions/checkout@v4 is correct and consistent with the PR’s intent.
No functional impact expected for this workflow; paths-filter behavior is unchanged.

.github/workflows/rust-lint.yml (2)

48-48: Checkout downgrade to v4 looks good.
No changes required; submodules are not used here, so default v4 behavior is fine.


74-74: Checkout downgrade to v4 looks good in dependencies-check.
The Ruby setup and dependency script are unaffected.

.github/workflows/go-lint.yml (1)

37-37: Checked: v4 is compatible for the Go lint pipeline.
No other step depends on checkout v5 features; safe revert.

.github/workflows/forest.yml (20)

51-51: All checkout steps moved to v4 — consistent with revert.
MacOS job unaffected; no behavior changes expected.


78-78: Build Ubuntu: checkout@v4 change LGTM.
No impact on caching or build steps.


101-101: cargo-publish-dry-run: checkout@v4 change LGTM.
No functional differences expected.


124-124: forest-cli-check: checkout@v4 change LGTM.
Artifacts/download steps remain valid.


146-146: calibnet-check: checkout@v4 change LGTM.
All subsequent steps unaffected.


176-176: calibnet-stateless-mode-check: checkout@v4 change LGTM.
No issues spotted.


202-202: calibnet-stateless-rpc-check: checkout@v4 change LGTM.
No issues spotted.


227-227: state-migrations-check: checkout@v4 change LGTM.
No issues spotted.


249-249: calibnet-wallet-check: checkout@v4 change LGTM.
No issues spotted.


277-277: calibnet-export-check: checkout@v4 change LGTM.
No issues spotted.


299-299: calibnet-export-check-v2: checkout@v4 change LGTM.
No issues spotted.


321-321: calibnet-no-discovery-checks: checkout@v4 change LGTM.
No issues spotted.


342-342: calibnet-kademlia-checks: checkout@v4 change LGTM.
No issues spotted.


363-363: calibnet-eth-mapping-check: checkout@v4 change LGTM.
No issues spotted.


387-387: db-migration-checks: checkout@v4 change LGTM.
No issues spotted.


420-420: local-devnet-check: checkout@v4 change LGTM.
No issues spotted.


467-467: local-devnet-curio-check (disabled): checkout@v4 change LGTM.
No runtime impact since job is if: false.


504-504: bootstrap-checks-forest: checkout@v4 change LGTM.
No issues spotted.


523-523: bootstrap-checks-lotus: checkout@v4 change LGTM.
No issues spotted.


549-549: calibnet-rpc-checks: checkout@v4 change LGTM.
No issues spotted.

.github/workflows/docker.yml (3)

57-57: Build AMD64: checkout@v4 change LGTM.
No side effects on sccache/setup-go/cargo steps.


100-100: Build ARM64: checkout@v4 change LGTM.
Conditional execution preserved; no functional change.


137-137: LGTM: Docker workflows verified – no checkout@v5 and metadata-action outputs intact

All checks passed:

  • No remaining actions/checkout@v5 usages in .github/workflows.
  • Every steps.meta.outputs reference in
    .github/workflows/docker.yml
    .github/workflows/lotus-devnet-publish.yml
    .github/workflows/curio-devnet-publish.yml
    has a corresponding uses: docker/metadata-action@… step with id: meta.
  • The single steps.metafat.outputs in .github/workflows/docker.yml is backed by a uses: docker/metadata-action@… step with id: metafat.

No further changes required.

.github/workflows/curio-devnet-publish.yml (2)

18-20: Reverting checkout to v4 looks fine

No functional concerns with actions/checkout@v4 for this workflow.


18-20: Verified: All workflows include docker/metadata-action
No workflows in .github/workflows reference steps.meta.outputs without a corresponding uses: docker/metadata-action@… step.

.github/workflows/release.yml (2)

21-21: Checkout downgrade to v4 is OK

No known regressions expected for this step with v4.


59-59: Checkout downgrade to v4 is OK

The publish job should continue to work with v4.

.github/workflows/unit-tests.yml (2)

44-44: Checkout downgrade to v4 is fine

No issues expected for test checkout with v4.


66-66: Checkout downgrade to v4 is fine

No issues expected for release-mode tests with v4.

Comment thread .github/workflows/checkpoints.yml
Comment thread .github/workflows/docs-auto-update.yml
Comment thread .github/workflows/rpc_test_repeat.yml
Comment thread .github/workflows/snapshot-parity.yml
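
The two conditions raised in the review above (actions referenced by a mutable tag instead of a commit SHA, and `steps.<id>.outputs.*` references with no step of that id) can be checked mechanically. The script below is an added example, not code from this PR or from the Forest repository. The sample workflow, the `example-org/*` action names and the 40-character SHA are constructed, and step ids are treated as file-wide, although GitHub scopes them per job.

```python
import re

# Constructed sample: the metadata step (id: meta) is absent, but the build
# step still reads its outputs. example-org/* actions are hypothetical.
SAMPLE_WORKFLOW = """\
name: devnet-publish (constructed sample)
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: login
        uses: example-org/registry-login@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: Build
        uses: example-org/build-image@v1
        with:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
ID_RE = re.compile(r"^\s*(?:-\s*)?id:\s*([\w-]+)")
OUTPUT_RE = re.compile(r"steps\.([\w-]+)\.outputs\.([\w-]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(text):
    """Return (line, action, ref) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)  # commented-out `# uses:` lines do not match
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):  # local actions and images have no git ref
            continue
        name, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, name, version))
    return findings

def dangling_step_outputs(text):
    """Return (line, step_id, output) for outputs read from a step id that is never declared."""
    lines = text.splitlines()
    defined = {m.group(1) for m in map(ID_RE.match, lines) if m}
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        for step_id, output in OUTPUT_RE.findall(line):
            if step_id not in defined:
                findings.append((lineno, step_id, output))
    return findings

if __name__ == "__main__":
    for finding in unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned:", finding)
    for finding in dangling_step_outputs(SAMPLE_WORKFLOW):
        print("dangling:", finding)
```
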
@LesnyRumcajs LesnyRumcajs added this pull request to the merge queue Aug 13, 2025
Merged via the queue into main with commit 88d31cc Aug 13, 2025
56 of 77 checks passed
@LesnyRumcajs LesnyRumcajs deleted the revert-checkout-4-to-5 branch August 13, 2025 08:37