
chore(deps): update actions/checkout action to v6 #3

Merged: kamcio2603 merged 1 commit into main from renovate/actions-checkout-6.x, May 25, 2026

@renovate renovate Bot commented May 20, 2026

This PR contains the following updates:

Package | Type | Update | Change
actions/checkout | action | major | v4 → v6

Release Notes

actions/checkout (actions/checkout)

v6.0.2

v6.0.1

v6.0.0

v6

v5.0.1

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed
⚠️ Minimum Compatible Runner Version: v2.327.1

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v5

v4.3.1

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

  • Fix: Disable sparse checkout whenever sparse-checkout option is not present @dscho in #1598

v4.1.1

v4.1.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


coderabbitai Bot commented May 20, 2026

📝 Walkthrough


The pull request updates the GitHub Actions workflow to use actions/checkout@v6 instead of actions/checkout@v4 in the build job's checkout step, keeping all other workflow logic unchanged.

Changes

Workflow Action Upgrade

Layer / File(s) | Summary
Checkout action version bump (.github/workflows/build.yml) | The build job's "Checkout" step is updated from actions/checkout@v4 to actions/checkout@v6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version bump, so small and neat,
From v4 to v6, complete,
The checkout action takes its stride,
With newer features deep inside! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: updating the actions/checkout action dependency from v4 to v6.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 25-26: The checkout step using actions/checkout@v6 currently lacks
the persist-credentials setting; update the Checkout step (the
actions/checkout@v6 usage) to include persist-credentials: false so the
GITHUB_TOKEN is not persisted to the local git config for subsequent steps.
- Line 26: Replace the tag reference "uses: actions/checkout@v6" with the
corresponding full commit SHA for the actions/checkout action to prevent tag
retargeting; obtain the specific commit SHA from the actions/checkout repository
(e.g., its GitHub releases or commit history) and update the workflow entry to
use that SHA (and optionally leave a trailing comment like "# `@v6`" to indicate
the original tag version).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b901147d-9991-43ba-8537-6a484c547862

📥 Commits

Reviewing files that changed from the base of the PR and between a0ca8ef and d1f1e90.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Comment on lines 25 to +26
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
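Review bot: the `uses: actions/checkout@v6` line moves the Checkout step across two major versions in one change, and the v5.0.0 release notes quoted in this PR set a minimum compatible runner version of v2.327.1. The hunk does not show which runner the build job uses, so if it is self-hosted, confirm it is at v2.327.1 or newer before merging; a one-line note in the PR recording that check would help.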

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In actions/checkout v6, what is the default value of persist-credentials, and what are the recommended secure settings for workflows that do not need git push/auth after checkout?

💡 Result:

Default value (actions/checkout v6): persist-credentials defaults to true.[1]

Recommended secure settings when your workflow does not need git push/auth after checkout:

1) Set with: persist-credentials: false on the actions/checkout step so the action does not configure the token/SSH key in the local git config (and thus avoids leaving credentials available for later steps after checkout).[2][1]
2) Ensure your workflow’s token permissions are least-privilege (read-only by default). GitHub notes the default GITHUB_TOKEN has extensive read/write access and recommends setting default permissions to read-only, granting write permissions only where needed.[3]

Example:

       uses: actions/checkout@v6
       with:
         persist-credentials: false

       permissions:
         contents: read

Citations:


Disable persisted checkout credentials unless explicitly needed.

At Line 26, add persist-credentials: false to the actions/checkout@v6 step to prevent the GITHUB_TOKEN from persisting in the local git config for subsequent steps.

Proposed hardening diff
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
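Review bot: the added `with:` block turns off credential persistence, but the `uses: actions/checkout@v6` context line above it still references a mutable tag, so applying this diff alone leaves the unpinned-uses finding open. Combine it with the SHA pin from the second comment, and consider the `permissions: contents: read` setting that the quoted query result lists next to `persist-credentials: false`, which this diff does not add.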
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 25 - 26, The checkout step using
actions/checkout@v6 currently lacks the persist-credentials setting; update the
Checkout step (the actions/checkout@v6 usage) to include persist-credentials:
false so the GITHUB_TOKEN is not persisted to the local git config for
subsequent steps.

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the official GitHub Actions security guidance on pinning actions to full-length commit SHAs, and what is the current commit SHA for actions/checkout v6?

💡 Result:

GitHub officially recommends pinning actions to a full-length commit SHA as the primary method to ensure security and immutability [1]. This practice mitigates risks associated with tag manipulation—where a bad actor could alter a tag to point to malicious code—or repository compromise [1][2]. Because pinning to a tag (e.g., @v6) relies on a reference that can be moved or deleted, it is considered less secure than pinning to an immutable commit SHA [1][3]. Many organizations now enforce this via repository or organization-level policies, which fail workflows that use mutable tag references [1][4].

As of May 20, 2026, the current version of the actions/checkout action is v6.0.2 [5][6]. The full-length commit SHA for the v6.0.2 tag is: 44c2b7a8a4ea602854374358509873f848982cf0 [7]

Note: You can always verify the SHA for any tag by running git ls-remote https://github.com/actions/checkout v6.0.2 in your local environment, or by navigating to the "Tags" section of the repository on GitHub and clicking on the specific tag to view its corresponding commit [8][9][5].

Citations:


Pin actions/checkout to a full commit SHA.

Line 26 uses a tag reference (@v6), which introduces a supply-chain risk through upstream tag retargeting. Pin to the specific commit SHA and optionally annotate the tag version in a comment.

Proposed fix
-      - name: Checkout
-        uses: actions/checkout@v6
+      - name: Checkout
+        uses: actions/checkout@44c2b7a8a4ea602854374358509873f848982cf0 # v6.0.2
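Review bot: the 40-character SHA on the `+` line comes from the web query result quoted above, not from anything in this repository, so it should be checked before it is committed. Run the `git ls-remote https://github.com/actions/checkout v6.0.2` command that the same result mentions and compare its output with the value in `uses: actions/checkout@44c2b7a8a4ea602854374358509873f848982cf0 # v6.0.2`; this diff also leaves the step without `persist-credentials: false`.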
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@v6
uses: actions/checkout@44c2b7a8a4ea602854374358509873f848982cf0 # v6.0.2
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 25-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 26, Replace the tag reference "uses:
actions/checkout@v6" with the corresponding full commit SHA for the
actions/checkout action to prevent tag retargeting; obtain the specific commit
SHA from the actions/checkout repository (e.g., its GitHub releases or commit
history) and update the workflow entry to use that SHA (and optionally leave a
trailing comment like "# `@v6`" to indicate the original tag version).
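
The two findings in the review above (a tag reference instead of a full-length commit SHA, and a checkout step without persist-credentials: false) can be checked mechanically before merge. This is an added example, not part of the PR, CodeRabbit's output or zizmor's implementation; it is a line-based check that assumes block-style workflow YAML, and the sample workflow and its 40-hex value are constructed placeholders.

```python
import re

# Constructed sample: the step from this PR plus a hardened variant.
# The 40-hex value is a placeholder, not a real actions/checkout commit.
SAMPLE = """\
steps:
  - name: Checkout
    uses: actions/checkout@v6
  - name: Hardened checkout
    uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
    with:
      persist-credentials: false
"""

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false\b")

def _indent(line):
    return len(line) - len(line.lstrip())

def _step(lines, i, dash):
    """Lines of the block-style step around line i, whose '- ' is at column dash."""
    start = i
    while start > 0 and not (lines[start].lstrip().startswith("- ")
                             and _indent(lines[start]) == dash):
        start -= 1
    end = i + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return lines[start:end]

def audit(text):
    """Return (line, rule, ref) tuples; rule names follow the zizmor output above."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(3).startswith(("./", "docker://")):
            continue  # not a uses: line, or a local action / container image
        ref = m.group(3).strip("'\"")
        dash = len(m.group(1)) - (0 if m.group(2) else 2)
        action, _, rev = ref.partition("@")
        if not FULL_SHA.fullmatch(rev):
            findings.append((i + 1, "unpinned-uses", ref))
        if action.lower() == "actions/checkout" and not any(
                PERSIST_OFF.search(s.split("#")[0]) for s in _step(lines, i, dash)):
            findings.append((i + 1, "artipacked", ref))
    return findings
```

Calling `audit(SAMPLE)` reports both rules for the `@v6` step on line 3 and nothing for the hardened step; a failing CI job on a non-empty result keeps a later Renovate bump from reintroducing a tag reference.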

kamcio2603 merged commit 236ec97 into main May 25, 2026
1 check passed
kamcio2603 deleted the renovate/actions-checkout-6.x branch May 25, 2026 15:17