Skip to content

Bump actions/checkout from 4 to 6#40

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6
Closed

Bump actions/checkout from 4 to 6#40
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Dec 17, 2025

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 17, 2025
@IEvangelist

Copy link
Copy Markdown
Owner

Subsumed by #51 which SHA-pins all third-party Actions to current latest stable and bumps every NuGet package (incl. those in this group). See #51 for the consolidated update + the new auto-merge workflow that handles future Dependabot PRs.

@IEvangelist IEvangelist closed this May 5, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 5, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-6 branch May 5, 2026 16:13
IEvangelist added a commit that referenced this pull request May 5, 2026
…s, add Dependabot auto-merge (#51)

Three independent improvements bundled into one PR because they all touch the same supply-chain surface area:

**1. SHA-pin every third-party GitHub Action.** All `uses:` references now resolve to a 40-char commit SHA with a trailing `# v<X.Y.Z>` comment so Dependabot still tracks updates. This prevents tag-replay supply-chain attacks (an action owner can repoint a major-version float tag to a malicious commit, which would silently land in CI on the next run). Dependabot's behaviour is documented at https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot.

  Pinned versions:

  - actions/checkout            v4 -> v6.0.2 (de0fac2e4500dabe0009e67214ff5f5447ce83dd)

  - actions/setup-dotnet        v4 -> v5.2.0 (c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7)

  - actions/upload-artifact     v4 -> v7.0.1 (043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

  - github/codeql-action/{init,autobuild,analyze}  v3 -> v4 (e46ed2cbd01164d986452f91f178727624ae40d7)

**2. Bump every NuGet package to its current latest stable.** SharpCompress 0.47.0 removed the `ReaderFactory.Open`/`ArchiveFactory.Open`/`WriterFactory.Open` overloads in favour of `OpenReader`/`OpenArchive`/`OpenWriter` (https://github.com/adamhathcock/sharpcompress/blob/master/CHANGELOG.md), which required mechanical migration of two call sites in `DefaultToolCacheService` and three call sites in `ExtractionTests`. No semantic behaviour change; full managed + AOT test matrix passes (602 tests, 0 failed).

  Bumps in Directory.Packages.props:

  - Microsoft.SourceLink.GitHub                            8.0.0     -> 10.0.203

  - MinVer                                                 6.0.0     -> 7.0.0

  - Microsoft.Extensions.{DI,DI.Abstractions,Http}         10.0.1    -> 10.0.7

  - Microsoft.Extensions.Http.Resilience                   10.1.0    -> 10.5.0

  - Microsoft.NET.Test.Sdk                                 17.12.0   -> 18.5.1

  - System.Linq.Async                                      6.0.1     -> 7.0.1

  - System.Text.Json                                       9.0.0     -> 10.0.7

  - SharpCompress                                          0.40.0    -> 0.47.4 (breaking API)

  - ZstdSharp.Port                                         0.8.6     -> 0.8.8

  - Pathological.Globbing                                  9.0.0     -> 9.1.0

  - xunit.runner.visualstudio                              3.0.1     -> 3.1.5

  - coverlet.collector                                     6.0.4     -> 10.0.0

**3. Add Dependabot auto-merge workflow** at `.github/workflows/dependabot-auto-merge.yml`. Triggers on every Dependabot PR and runs `gh pr merge --auto --squash`, which queues a squash merge to fire as soon as every required status check passes. If any check fails the merge never happens and the PR stays open for manual review. Uses `dependabot/fetch-metadata@25dd0e3` (v3.1.0, SHA-pinned).

Verified: `dotnet build -c Release -m:1` 0 warn / 0 err; `dotnet test` 602 passed / 5 skipped / 0 failed across managed + AOT test matrix. The 4 stale Dependabot PRs (#38, #39, #40, #48) will get refreshed by Dependabot's next weekly run against this updated main.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant