chore: update GitHub actions in CI workflows #908
* remove sdk/tests (selfxyz#622)
* remove sdk/tests
* chore: update yarn.lock
---------
Co-authored-by: Ayman <[email protected]>
* fix: add range check on paddedInLength of shaBytesDynamic (selfxyz#623)
* fix ci (selfxyz#626)
* implement self uups upgradeable (selfxyz#592)
* implement self uups upgradeable
* small changes in identityVerificationHubImplV2
* delete aderyn.toml
* chore: add custom verifier
* change return output
* feat: use self structs and a Generic output struct
* feat: add userIdentifier, nullifier, forbiddencountries to returned output
* add root view functions from registry
* fix: build and compilation errors
* add userDefined data into selfVerificationRoot
* "resolve conflicts"
* fix compilation problem
* fix how to register verification config
* test: CustomVerifier
* fix verification root and hub integration
* add scope check in hub impl
* replace poseidon hash to ripemd+sha256
* add todo list
* feat: refactor and add test cases for generic formatter
* add performUserIdentifierCheck in basicVerification
* change how to handle additionalData and fix stack too deep
* start adding test codes
* fix dependency problems in monorepo
* fix: forbidden countries (selfxyz#612) LGTM!
* able to run test code
* pass happy path
* delete unused codes
* change error code name, add caller address validation and add scripts to run test and build in monorepo
* add all test cases in vcAndDisclose flow
* remove comment out
* chore: use actual user identifier outputs
* success in registration tests
* cover all cases
* pass contractVersion instead of circuitVersion
* fix disclose test
* chore: add natspecs for ImplHubV2, CustomVerifier and GenericFormatter
* change val name and remove unused lines
* add val name change
* remove userIdentifier from return data
* feat: use GenericDiscloseOutput struct in verification hook fix test cases for user identifier
* chore: change the function order for Hub Impl V2 (selfxyz#625)
* fix nat specs
* add nat spec in SelfStructs
---------
Co-authored-by: Ayman <[email protected]>
Co-authored-by: Nesopie <[email protected]>
* prettier (selfxyz#629)
* CAN auth - android (selfxyz#613)
* add missed files
* add NFCMethodSelectionScreen
* bump android build
---------
Co-authored-by: Justin Hernandez <[email protected]>
* feat: add MRZ correction method to NFCMethodSelectionScreen (selfxyz#627)
* add npm auth token env (selfxyz#632)
* bump sdk version (selfxyz#633)
* publish npm package when merging on dev
* bump common sdk version
* replace yarn publish by npm publish
* update common package version
* Simplify dev mode gesture (selfxyz#635)
* Simplify developer mode gesture
* Enable dev mode on MockData screen with five taps
* add build smt function to common sdk
* update vc_and_disclose_id test (dev branch) (selfxyz#641)
* fix: vc_and_disclose_id test
* chore: yarn prettier
* Show modal on NFC scan error (selfxyz#642)
* Add help button and error modal actions
* fix the screen management
* yarn nice
* Bump build v2.5.4: ios 132; android 71 (selfxyz#631)
* bump version and build numbers
* remove tamagui/toast
* fix marketing version
* fix: update TD1 and TD3 checks (selfxyz#643)
* bump yarn.lock
* Bump build: ios 133; android 72 and build fixes (selfxyz#654)
* update gesture version and bump android build
* bump and fix ios build
* update lock files
* fixes
* fix fotoapparat library source
* Update example contracts to include EUID usage (selfxyz#656)
* refactor: update HappyBirthday contract to V2 with support for E-Passport and EUID cards, introduce bonus multipliers, and enhance verification logic
* refactor: update Airdrop contract to V2 with support for E-Passport and EU ID Card attestations
* refactor: remove BASIS_POINTS constant from Airdrop contract
* feat: introduce SelfIdentityERC721 contract for issuing NFTs based on verified identity credentials, replacing SelfPassportERC721
* fix: update verification functions in Airdrop, HappyBirthday, and SelfIdentityERC721 contracts to use customVerificationHook
* cherry pick commit from add-test-self-verification...
* block non-dev pr to main branch
* audit fixes (selfxyz#645)
* merge dev branch into main (selfxyz#624)
* remove sdk/tests (selfxyz#622)
* remove sdk/tests
* chore: update yarn.lock
---------
Co-authored-by: Ayman <[email protected]>
* fix: add range check on paddedInLength of shaBytesDynamic (selfxyz#623)
* fix ci (selfxyz#626)
---------
Co-authored-by: Ayman <[email protected]>
Co-authored-by: Vishalkulkarni45 <[email protected]>
* update contracts (selfxyz#628)
* remove sdk/tests (selfxyz#622)
* remove sdk/tests
* chore: update yarn.lock
---------
Co-authored-by: Ayman <[email protected]>
* fix: add range check on paddedInLength of shaBytesDynamic (selfxyz#623)
* fix ci (selfxyz#626)
* implement self uups upgradeable (selfxyz#592)
* implement self uups upgradeable
* small changes in identityVerificationHubImplV2
* delete aderyn.toml
* chore: add custom verifier
* change return output
* feat: use self structs and a Generic output struct
* feat: add userIdentifier, nullifier, forbiddencountries to returned output
* add root view functions from registry
* fix: build and compilation errors
* add userDefined data into selfVerificationRoot
* "resolve conflicts"
* fix compilation problem
* fix how to register verification config
* test: CustomVerifier
* fix verification root and hub integration
* add scope check in hub impl
* replace poseidon hash to ripemd+sha256
* add todo list
* feat: refactor and add test cases for generic formatter
* add performUserIdentifierCheck in basicVerification
* change how to handle additionalData and fix stack too deep
* start adding test codes
* fix dependency problems in monorepo
* fix: forbidden countries (selfxyz#612) LGTM!
* able to run test code
* pass happy path
* delete unused codes
* change error code name, add caller address validation and add scripts to run test and build in monorepo
* add all test cases in vcAndDisclose flow
* remove comment out
* chore: use actual user identifier outputs
* success in registration tests
* cover all cases
* pass contractVersion instead of circuitVersion
* fix disclose test
* chore: add natspecs for ImplHubV2, CustomVerifier and GenericFormatter
* change val name and remove unused lines
* add val name change
* remove userIdentifier from return data
* feat: use GenericDiscloseOutput struct in verification hook fix test cases for user identifier
* chore: change the function order for Hub Impl V2 (selfxyz#625)
* fix nat specs
* add nat spec in SelfStructs
---------
Co-authored-by: Ayman <[email protected]>
Co-authored-by: Nesopie <[email protected]>
* prettier (selfxyz#629)
---------
Co-authored-by: Ayman <[email protected]>
Co-authored-by: Vishalkulkarni45 <[email protected]>
Co-authored-by: nicoshark <[email protected]>
Co-authored-by: Nesopie <[email protected]>
* fix: vc_and_disclose_id test (selfxyz#640)
* fix: vc_and_disclose_id test
* chore: yarn prettier
* fix: check if a config id exists
* chore: change the function where the config not set verification is happening
* fix: add await
* feat: add getConfigId function in SelfVerificationRoot (selfxyz#650)
* feat: add getConfigId function in SelfVerificationRoot
* update comment
---------
Co-authored-by: motemotech <[email protected]>
* chore: fix ofac end index in eu id cards
* chore: fix tests
* fix: example contracts and tests
---------
Co-authored-by: turnoffthiscomputer <[email protected]>
Co-authored-by: Vishalkulkarni45 <[email protected]>
Co-authored-by: nicoshark <[email protected]>
* Update deployment module for Identity Verification Hub V2 with detailed documentation and library linkage for CustomVerifier. Update initialization process to reflect changes in V2 implementation, ensuring proper setup for proxy deployment. (selfxyz#658)
* publish npm-package (selfxyz#651)
* App/eu id updates (selfxyz#638)
* fix build issues
* generate disclosure proof with euids
* generate disclosure proof with euids
* Eu id updates 2 (selfxyz#648)
* update vc_and_disclose_id test (dev branch) (selfxyz#641)
* fix: vc_and_disclose_id test
* chore: yarn prettier
* Show modal on NFC scan error (selfxyz#642)
* Add help button and error modal actions
* fix the screen management
* yarn nice
* Bump build v2.5.4: ios 132; android 71 (selfxyz#631)
* bump version and build numbers
* remove tamagui/toast
* fix marketing version
* fix: update TD1 and TD3 checks (selfxyz#643)
* bump yarn.lock
* add version and user defined data
---------
Co-authored-by: Vishalkulkarni45 <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
* remove the mock user define data
* get the useridentifier as a hash from the user defined data
* chore: add version and userDefinedData
* feat: use the version in register / dsc proofs as well
* update calculateUserIdentifierHash
* yarn nice
* refactor: consolidate user context data handling and update payload structure
* fix typing issues on sha1
* remove console.log(sha1)
* fix sha1 import
* refactor: streamline userDefinedData handling and adjust payload type for circuit
* refactor: update sha1 usage and enhance logging in calculateUserIdentifierHash
* yarn nice
* yarn lint common
* use ts-ignore for sha1 import
* fix app ci tests
* fix typing issue
* remove unused ts-ignore
* cast uuid before calling generateinputs
* bump qrcode version
* add tsup on the qrcode sdk
* fix: exports on selfxyz/qrcode
* update how we define config.version
* fix yarn imports
* yarn format
---------
Co-authored-by: Vishalkulkarni45 <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: Ayman <[email protected]>
* Hotfix contract compile error (selfxyz#660)
* Fix previous rebase error
* Refactor deployment module for Identity Verification Hub V2.
* Fix/sdk (selfxyz#652)
* fix: sdk build configs
* chore: SelfBackendVerifier (WIP)
* feat: add custom verification
* feat: consider destination chain in user defined data
* chore: export attestation id
* chore: export attestation id
* chore: export config storage
* chore: don't throw an error if the proof is not valid
* chore: trim abi and rm typechain types
* refactor
* chore: rm unnecessary exports
* 📝 Add docstrings to `fix/sdk` (selfxyz#653) Docstrings generation was requested by @remicolin.
* selfxyz#652 (comment) The following files were modified:
* `sdk/core/src/utils/hash.ts`
* `sdk/core/src/utils/proof.ts`
* `sdk/core/src/utils/utils.ts`
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* review fixes
* chore: fix package.json cjs types
* chore: add minor changes to checks
* feat: add InMemoryConfigStore, allIds constant and verificationResult type
* chore: export Verification config
* feat: change the verification config types
* fix: throw issues early if verification config is null
* fix: update yarn.lock file
* chore: lint
* fix: rm ts expect error directive
* fix: contract tests
* use excluded countries instead of forbidden countries list
* chore: change types in constants
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Update npm-publish workflow and bump core package version to 1.0.0 (selfxyz#661)
* update import
* Update get verification config visibility (selfxyz#664)
* Update deployment module for Identity Verification Hub V2 to correct file paths and module name for deployment commands.
* Add troubleshooting documentation for verification issues in deployHubV2.ts. Include manual verification steps and common failure reasons to assist users during deployment.
* Change visibility of getVerificationConfigV2 function from internal to public in IdentityVerificationHubImplV2 contract to allow external access.
* Apply BUSL v1.1 license headers to app (selfxyz#665)
* Add BSL license headers to app sources
* prettier
* fix license reference - https://spdx.org/licenses/BUSL-1.1.html
* bump build: android 73 (selfxyz#659)
* Contracts/deploy staging (selfxyz#668)
* update scripts
* deploy vc and disclose id
* fix the deployment scripts on staging
* update yarn.lock
* bump ios build and version (selfxyz#669)
* configure coderabbitai (selfxyz#670)
* tweak coderabbit
* bump
* more thorough test spec
* Apply BSL to app codebase (selfxyz#639)
* Clean up root license wording
* Simplify SPDX header
* simplify license and rename BSL to BUSL
* fix merge issues
* fix missing method
---------
Co-authored-by: Justin Hernandez <[email protected]>
* SEL-423 apply xcode build suggestions (selfxyz#671)
* apply recommended app settings from xcode
* stick to portrait orientation and update target settings
* remove app clip references
* Circuit audit fixes (selfxyz#644)
* feat: add range checks before use of LessEqThan and SelectSubArray
* fix: Num2Bits_strict to constrain virtualKey
* bump core version
* bump core version and fix ci
* chore: use npm_auth_token in yarnrc
* chore: rm yarnrc changes
* chore: update npm publish
* chore: run npm publish manually
* chore: change hub contract address (selfxyz#675)
* Update npm-publish.yml
* chore: use proper secret when publishing
* feat: enable publishing if workflow was triggered manually
* Contracts/update verifier (selfxyz#673)
* update hardhat config
* update vc and disclose verifier
* update vc and disclose verifier script and run it
* update test self verification root
* update verifier
* bump sdk version and use new hub address
* chore: update zk-kit binary merkle root dep (selfxyz#674)
* refactor deployment scripts (selfxyz#678)
* feat: add register eu id instances (selfxyz#682)
* feat: add register eu id instances
* feat: add new instances
* chore: update scripts
* chore: fix sig alg
* chore: rm circuits
---------
Co-authored-by: Ayman <[email protected]>
Co-authored-by: Vishalkulkarni45 <[email protected]>
Co-authored-by: nicoshark <[email protected]>
Co-authored-by: Nesopie <[email protected]>
Co-authored-by: Seshanth.S🐺 <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Justin Hernandez <[email protected]>
Co-authored-by: Kevin Lin <[email protected]>
Co-authored-by: kevinsslin <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Eric Nakagawa <[email protected]>
Walkthrough
All affected GitHub Actions workflows update actions/checkout from v4 to v5. No other steps, triggers, environments, or control flow were modified.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~6 minutes
Actionable comments posted: 3
🧹 Nitpick comments (4)
.github/workflows/artifacts.yml (1)
23-23: Optional: Pin to commit SHA to mitigate action-supply-chain risks.
Consider pinning actions/checkout to a specific commit SHA and letting Dependabot manage updates. This is particularly worthwhile on self-hosted runners.
.github/workflows/npm-publish.yml (2)
116-116: Remove redundant second checkout in publish-common.
There are two consecutive checkout steps in the same job; the second is unnecessary and adds network time.
Apply this diff to drop the duplicate:
  - uses: actions/checkout@v5
- - uses: actions/checkout@v5
  - name: Install Dependencies
    uses: ./.github/actions/yarn-install
21-21: Optional: Pin checkout@v5 to a commit SHA across all publish jobs.
Pinning improves reproducibility and protects against tag retargeting. I can generate a patch once you confirm the desired v5.x.y.
Also applies to: 50-50, 80-80, 110-110, 116-116
.github/workflows/contracts.yml (1)
29-29: Second checkout is likely redundant — remove unless you need a fresh working tree.
The job performs another checkout right after setup-node with no intervening changes that modify the workspace. Dropping it saves time and avoids rate limits.
Apply this diff:
  - name: Set Node.js 20.x
    uses: actions/setup-node@v4
    with:
      node-version: 20
- - uses: actions/checkout@v5
  - name: Install Dependencies
    uses: ./.github/actions/yarn-install
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
📒 Files selected for processing (7)
- .github/workflows/app.yml (3 hunks)
- .github/workflows/artifacts.yml (1 hunk)
- .github/workflows/circuits.yml (1 hunk)
- .github/workflows/contracts.yml (1 hunk)
- .github/workflows/general-checks.yml (3 hunks)
- .github/workflows/mobile-deploy.yml (2 hunks)
- .github/workflows/npm-publish.yml (4 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-07-14T09:03:08.292Z
Learnt from: aaronmgdr
PR: selfxyz/self#763
File: app/.github/workflows/test-coverage.yml:0-0
Timestamp: 2025-07-14T09:03:08.292Z
Learning: Node.js 22 is supported by actions/setup-node@v4 and has been in Active LTS since October 2024. It works on Linux, macOS, and Windows runners (Windows issues were resolved after version 22.8.0).
Applied to files:
- .github/workflows/npm-publish.yml
- .github/workflows/contracts.yml
🔇 Additional comments (11)
.github/workflows/mobile-deploy.yml (2)
57-57: Upgrade to actions/checkout@v5 looks good. No workflow logic change, just the action bump. Safe and aligns with the PR scope.
370-370: Upgrade to actions/checkout@v5 (Android job) is correct. Consistent with the repo-wide update; no behavioral changes expected here.
.github/workflows/artifacts.yml (1)
23-23: Checkout bumped to v5 — LGTM. Matches the PR intent; rest of the build remains unchanged.
.github/workflows/npm-publish.yml (4)
21-21: Detect-changes: checkout@v5 with fetch-depth=2 — good call. Depth 2 is appropriate for HEAD^ comparisons used below.
50-50: publish-core: checkout@v5 — looks good.
80-80: publish-qrcode: checkout@v5 — looks good.
110-110: publish-common: first checkout@v5 — OK.
.github/workflows/contracts.yml (1)
23-23: First checkout@v5 — LGTM.
.github/workflows/general-checks.yml (3)
9-9: lint: checkout@v5 — good.
18-18: type-check: checkout@v5 — good.
27-27: test-common: checkout@v5 — good.
| runs-on: macos-14 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
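Review bot: the checkout being bumped here is the second of two back-to-back `actions/checkout` steps in this macos-14 job, with nothing between them that could dirty the tree, so the second clone only costs time; drop it, or if it is there to reset the workspace, give it a `name:` saying so and `clean: true`. Moving from the v4 tag to the v5 tag leaves the defaults that matter untouched (`fetch-depth: 1`, `persist-credentials: true`, per the verification reply below), so whichever checkout remains should also get `persist-credentials: false` and a commit-SHA ref instead of the moving `v5` tag.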
💡 Verification agent
🧩 Analysis chain
All checkouts bumped to v5 — consider removing redundant checkout and pinning to SHA
The version bumps look good. A few optional cleanups:
- Build job has two checkout steps; if the second is not strictly needed post-Xcode, remove it to save time. If it is needed to reset the tree, add clean: true.
- Pin actions/checkout to the v5.0.0 commit SHA for supply-chain hardening.
- Add explicit job/workflow permissions (contents: read).
- If any step needs tags/long history (e.g., embedding git metadata), set fetch-depth: 0; otherwise keep shallow.
To remove the redundant checkout (if unnecessary):
- - uses: actions/checkout@v5
  - name: Install Mobile Dependencies
    uses: ./.github/actions/mobile-setup
If you do need the second checkout, ensure a clean working tree:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v5
+   with:
+     clean: true
+     # fetch-depth: 0 # only if you need tags/history
+     persist-credentials: false
Outside the changed lines (job-level permissions example):
jobs:
  build:
    permissions:
      contents: read
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v5
      # ...
Pin to immutable commit SHA:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<v5.0.0_commit_sha>
Run this web query to pull the official v5.0.0 commit SHA and confirm any breaking changes:
Also applies to: 35-35, 48-48, 56-56
🌐 Web query:
Provide the commit SHA for actions/checkout v5.0.0 and list any noteworthy changes/deprecations from v4 to v5 relevant to typical CI (fetch-depth defaults, token handling, submodules behavior).
💡 Result:
- Commit SHA for actions/checkout v5.0.0 (full): 08c6903cd8c0fde910a37f88322edcfb5dd907a8. (github.com)
Noteworthy changes / deprecations (v4 → v5) relevant to typical CI
- What changed in v5
  - The action's runtime was bumped (now built to run on Node.js 24). (github.com)
  - Minimum compatible runner version: v2.327.1 — make sure your self-hosted runners or runner image meet or exceed this. (github.com)
- Defaults that matter to CI (no behavioral change vs v4)
  - fetch-depth: default is still 1 (i.e., a shallow checkout of the single commit). If you need full history/tags set fetch-depth: 0. (github.com)
  - token / credentials (persist-credentials): token default remains ${{ github.token }} and persist-credentials default remains true (the action configures the token/SSH key into local git config by default). For security, many CI workflows explicitly set persist-credentials: false and restrict GitHub token permissions. (github.com)
  - submodules: behavior remains the same — submodules: false by default; you can set submodules: true or recursive; when no ssh-key is provided, [email protected]: URLs are converted to HTTPS. Private submodules still require appropriate credentials (PAT/SSH key) to be supplied. (github.com)
Summary / recommendation
- v5's release is primarily a runtime bump and raises the minimum runner; it did not change the common defaults you rely on (fetch-depth, token persistence, submodules). If you rely on full history, private submodules, or want to avoid persisting credentials into .git/config for security, continue to explicitly set fetch-depth, submodules/ssh-key or token, and persist-credentials as you do today. (github.com)
If you want, I can:
- paste the exact README snippets that show the defaults from the v5 tag, or
- check whether any later patch (v5.x) changed defaults after v5.0.0.
Citations:
- 1: actions/checkout@08c6903
- 2: https://github.com/actions/checkout/releases/tag/v5.0.0
- 3: https://github.com/actions/checkout/releases/tag/v5.0.0
- 4: https://github.com/actions/checkout/tree/08c6903cd8c0fde910a37f88322edcfb5dd907a8
- 5: https://github.com/actions/checkout/tree/08c6903cd8c0fde910a37f88322edcfb5dd907a8
- 6: https://github.com/actions/checkout/tree/08c6903cd8c0fde910a37f88322edcfb5dd907a8
- 7: https://github.com/actions/checkout/releases/tag/v5.0.0
Action: Pin checkout to v5 SHA, remove or clean redundant checkout, and add job permissions
Verified v5.0.0 commit SHA: 08c6903cd8c0fde910a37f88322edcfb5dd907a8. v5 is a runtime bump (Node.js 24) and requires runner >= v2.327.1; defaults (fetch-depth=1, persist-credentials=true, submodules=false) are unchanged.
Files/locations:
- .github/workflows/app.yml — lines: 22, 35, 48, 56
Suggested changes (apply to each checkout use-site):
If the second checkout is redundant — remove it:
- - uses: actions/checkout@v5
  - name: Install Mobile Dependencies
    uses: ./.github/actions/mobile-setup
If you need the second checkout to reset the tree — pin and ensure a clean working tree:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+   with:
+     clean: true
+     persist-credentials: false
+     # fetch-depth: 0 # enable only if you need full history/tags
Pin all checkouts to the immutable commit SHA:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
Add job-level permissions (example):
jobs:
  build:
    permissions:
      contents: read
    runs-on: macos-14
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      # ...
Notes:
- Keep fetch-depth: 0 only if you truly need history/tags (CI speed/security tradeoff).
- persist-credentials: false is recommended to avoid exposing the token in .git/config.
- If you use private submodules or need tags/history, ensure credentials and fetch-depth are set appropriately.
- Verify runner images/self-hosted runners meet minimum v2.327.1.
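The three fixes asked for throughout this thread (pin the action ref to a commit, add `persist-credentials: false`, give each job `permissions: contents: read`) and the redundant-checkout nit are mechanical enough to check and apply by script. The following is an added example written for this page; it is not code from the selfxyz/self repository, from this PR, or from CodeRabbit. It assumes workflow files in the two-space YAML layout shown in the hunks, and the `SHA_MAP` value for `actions/checkout@v5` is the commit quoted in the reply above, which the script takes as input and does not verify; resolve it yourself with `git ls-remote` before running the rewrite. `SAMPLE_WORKFLOW` is a constructed file shaped like the jobs this PR touches, not a file from the repository.

```python
"""Offline audit and SHA-pinning of GitHub Actions workflows (stdlib only).
Added example for this review thread, not code from selfxyz/self or CodeRabbit;
it edits text line by line so comments and indentation survive."""
import re

# `uses: owner/repo[/path]@ref`, with or without a leading `- `. Local actions such as
# `./.github/actions/yarn-install` carry no `@ref` and therefore never match.
USES_RE = re.compile(r"^(?P<head>\s*(?:-\s+)?uses:\s*)(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
                     r"@(?P<ref>[^\s#]+).*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_RE = re.compile(r"^(?P<indent>\s*)-\s+\w")

# Constructed tag -> commit map; fill it from
#   git ls-remote https://github.com/actions/checkout refs/tags/v5.0.0
# before use. The value is the commit quoted in the thread: an input, not something verified here.
SHA_MAP = {"actions/checkout@v5": "08c6903cd8c0fde910a37f88322edcfb5dd907a8"}

def pin_actions(text, sha_map):
    """Rewrite `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`. Lines already
    pinned to a 40-hex commit, local actions and tags absent from sha_map are kept."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            sha = sha_map.get(f"{m.group('action')}@{m.group('ref')}")
            if sha:  # keep the tag as a trailing comment so humans (and Dependabot) see it
                line = f"{m.group('head')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"

def _jobs(lines):
    """(name, first_line, last_line) for each job under the top-level `jobs:` key."""
    start = next((i for i, l in enumerate(lines) if re.match(r"^jobs:\s*$", l)), None)
    if start is None:
        return []
    stop = next((i for i in range(start + 1, len(lines)) if re.match(r"^\S", lines[i])), len(lines))
    heads = [i for i in range(start + 1, stop) if re.match(r"^  [\w-]+:\s*$", lines[i])]
    return [(lines[h].strip()[:-1], h, nxt - 1) for h, nxt in zip(heads, heads[1:] + [stop])]

def _steps(lines):
    """(first_line, last_line, indent, uses_match) for each `- ...` list item."""
    steps, i = [], 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, end = len(m.group("indent")), i
        for j in range(i + 1, len(lines)):  # the item spans every deeper-indented line
            if lines[j].strip() and len(lines[j]) - len(lines[j].lstrip()) <= indent:
                break
            end = j
        uses = next((u for u in map(USES_RE.match, lines[i:end + 1]) if u), None)
        steps.append((i, end, indent, uses))
        i = end + 1
    return steps

def audit_workflow(text):
    """Return (line_number, message) for the hardening points raised in the review."""
    lines, findings = text.splitlines(), []
    top_perms = any(re.match(r"^permissions:", l) for l in lines)
    for name, start, end in _jobs(lines):
        if not top_perms and not any(l.startswith("    permissions:") for l in lines[start:end + 1]):
            findings.append((start + 1, f"job '{name}' has no permissions block; add `permissions: contents: read`"))
    steps = _steps(lines)
    for k, (start, end, indent, uses) in enumerate(steps):
        if uses is None:
            continue
        action, ref = uses.group("action"), uses.group("ref")
        if not SHA_RE.match(ref):
            findings.append((start + 1, f"{action}@{ref} is not pinned to a commit SHA"))
        if action != "actions/checkout":
            continue
        if not re.search(r"persist-credentials:\s*false", "\n".join(lines[start:end + 1])):
            findings.append((start + 1, "checkout keeps GITHUB_TOKEN in .git/config; set persist-credentials: false"))
        prev = steps[k - 1] if k else None  # same indent and directly adjacent => duplicate clone
        if prev and prev[3] and prev[3].group("action") == action and prev[2] == indent and prev[1] + 1 == start:
            findings.append((start + 1, "redundant consecutive checkout step"))
    return findings

# Constructed sample shaped like the jobs this PR touches; not a file from the repository.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@v5
      - name: Install Mobile Dependencies
        uses: ./.github/actions/mobile-setup
  lint:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
"""
```

Run `audit_workflow` over `.github/workflows/*.yml` before and after `pin_actions`; the only findings that should survive pinning are the ones that need a human decision (a second checkout kept on purpose, a job that genuinely needs a write scope). Because the rewriter keeps the tag in a trailing comment, Dependabot can still recognise the pinned ref and bump both the SHA and the comment.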
| environment: development | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
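Review bot: this job runs under `environment: development`, so a checkout that keeps the default `persist-credentials: true` leaves GITHUB_TOKEN in `.git/config` for every later step of an environment-scoped job; add `persist-credentials: false` alongside the version bump. Before pinning to a commit, note that the two verification replies in this thread give different commits for the v5.0.0 tag (`08c6903cd8c0fde910a37f88322edcfb5dd907a8` above, `08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f` below) and they agree only on the first seven characters, which is also all the short-form citation `actions/checkout@08c6903` above can confirm; resolve the tag yourself with `git ls-remote https://github.com/actions/checkout refs/tags/v5.0.0` and pin to that output rather than copying either value.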
💡 Verification agent
🧩 Analysis chain
Checkout upgraded to v5 — looks good; consider pin-to-SHA and least-privilege perms
Nice, straightforward bump to actions/checkout@v5.
- Security: Consider pinning to the v5.0.0 commit SHA instead of the moving major tag.
- Least privilege: Add explicit permissions to the job/workflow (contents: read).
- If you rely on tags/longer history (e.g., versioning), set fetch-depth: 0; otherwise keep shallow for speed.
Apply if desired:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v5
+   with:
+     # Set to 0 only if tags/history are needed for your steps
+     # fetch-depth: 0
+     persist-credentials: false
Outside this line (job-level permissions):
jobs:
  run_circuit_tests:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    # ...
To safely pin to the immutable commit for v5.0.0, fetch the official SHA and replace the tag:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<v5.0.0_commit_sha>
Run this web query to retrieve the official v5.0.0 commit SHA from GitHub:
🌐 Web query:
What is the official commit SHA for actions/checkout v5.0.0, and are there any breaking changes or deprecations compared to v4?
💡 Result:
The official commit SHA for actions/checkout v5.0.0 is 08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f[5].
You can reference v5.0.0 in your workflow as:
uses: actions/checkout@08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f
or simply with the semver tag:
uses: actions/checkout@v5
which currently resolves to v5.0.0.
Breaking changes and deprecations from v4 to v5:
As of August 2025, the official documentation and changelog for v5 are not widely indexed. However, based on available documentation and usage notes[10][5][6]:
- No critical breaking changes are explicitly documented in the indexed sources as of this date. Usage examples, core options, and default behaviors (such as fetch-depth, submodule handling, and authentication) remain consistent between v4 and v5[10][6].
- All existing parameters from v4 (e.g., ref, token, fetch-depth, lfs, submodules, set-safe-directory, and persist-credentials) continue to be supported in v5, with the same default values and behaviors[6][10].
- Use of the full commit SHA for action references is required: GitHub Actions no longer supports short SHAs for referencing actions, a security measure in place since 2021[3]. Always use tags (like v5) or the full SHA[3].
- Authentication and permissions recommendations: There are no changes from v4; using a GITHUB_TOKEN or a personal access token (PAT) is still the required method for push operations[4][10].
- No new major features, removals, or input deprecations have been announced via the official repo or Spacelift documentation as of mid-2025[6][10].
Suggested Actions If Migrating from v4:
- Review your workflow file to ensure you are not referencing the action using a short SHA[3].
- No other action should be required unless you rely on unindexed, unofficial, or breaking changes not covered in the official migration notes.
If you require authoritative confirmation of breaking changes for enterprise/compliance use, consult the actions/checkout repository release notes directly for any updates after v5.0.0, as there may be future revisions or clarifications not reflected in currently indexed resources.
Citations:
- 1: Unexpected Results from Checkout for the Commit Hash actions/checkout#198
- 2: https://github.com/actions/github-script
- 3: https://github.blog/changelog/2021-01-21-github-actions-short-sha-deprecation/
- 4: https://github.com/stefanzweifel/git-auto-commit-action
- 5: https://github.com/actions/checkout/actions/runs/16880287745
- 6: https://spacelift.io/blog/github-actions-checkout
- 7: https://github.com/marketplace/actions/commit-hash
- 8: https://github.com/marketplace/actions/github-script
- 9: https://schnerring.net/blog/checking-out-code-committed-within-the-same-github-actions-workflow-run/
- 10: https://github.com/actions/checkout
Fix: pin actions/checkout@v5, restrict permissions, and avoid persisting credentials
I checked: actions/checkout v5.0.0 SHA is 08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f, and there are no documented breaking changes vs v4. Apply the small hardening changes below.
Files to update
- .github/workflows/circuits.yml — checkout step (around line 25)
- .github/workflows/circuits.yml — job-level permissions for the workflow job that runs the circuit tests
Replace checkout step (pin to immutable SHA, disable credential persistence; keep fetch-depth shallow unless you need tags/history):
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f
+   with:
+     # Set to 0 only if tags/history are needed for your steps
+     # fetch-depth: 0
+     persist-credentials: false
Add least-privilege permissions at job (or workflow) level — example for the job named run_circuit_tests:
jobs:
  run_circuit_tests:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    # ...
Reasoning (short): pinning to the full SHA prevents unexpected changes if the tag is moved; setting persist-credentials: false avoids leaking GITHUB_TOKEN to third-party actions; restricting contents: read applies least privilege for checkout-only workflows.
🤖 Prompt for AI Agents
In .github/workflows/circuits.yml around line 25, the checkout step should be
hardened and the job should be given least-privilege permissions: pin
actions/checkout to the immutable commit SHA noted (v5.0.0 SHA
08c6903b48a2e7e2c3c2be1663d5936ae65f3b8f), set persist-credentials: false to
avoid leaking GITHUB_TOKEN, and keep fetch-depth shallow unless deeper
history/tags are required; also add job-level permissions for the
run_circuit_tests job (permissions: contents: read) so the workflow only has
read access to the repository contents.
| xcode-version: "16.2" | ||
|
|
||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v5 |
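Review bot: v5 is a runtime bump to Node.js 24 with a minimum runner version of v2.327.1 (per the verification reply above); a hosted macOS image satisfies that, but if this deploy workflow ever runs on a self-hosted macOS runner the step fails until the runner is updated, so confirm that before merging. While the line is being touched, pin the ref to the v5.0.0 commit and set `persist-credentials: false`, since a deploy job is where a GITHUB_TOKEN persisted in `.git/config` is most exposed to the build and publish steps that follow.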
💡 Verification agent
🧩 Analysis chain
Optional: Pin checkout to a commit SHA for supply-chain hardening.
To prevent tag-hijacking and ensure reproducible CI, consider pinning actions/checkout to its commit SHA (and optionally keep a comment with the human-friendly version). I can provide an automated script to fetch the right SHA across all workflows.
Run to see current v5 SHA and all occurrences:
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "actions/checkout@v5 current tag SHA:"
git ls-remote https://github.com/actions/checkout refs/tags/v5 | awk '{print $1" refs/tags/v5"}'
echo
echo "Occurrences of checkout@v5 in workflows:"
rg -nP -C2 --type=yaml 'uses:\s*actions/checkout@v5' .github/workflows
Length of output: 6249
Pin actions/checkout@v5 to a commit SHA (supply-chain hardening)
Resolved v5 tag SHA: 08c6903cd8c0fde910a37f88322edcfb5dd907a8 — replace all uses of actions/checkout@v5 with the pinned SHA.
Files/locations to update:
- .github/workflows/mobile-deploy.yml — line 57 (also line 370)
- .github/workflows/npm-publish.yml — lines 21, 50, 80, 110, 116
- .github/workflows/contracts.yml — lines 23, 29
- .github/workflows/circuits.yml — line 25
- .github/workflows/general-checks.yml — lines 9, 18, 27
- .github/workflows/artifacts.yml — line 23
- .github/workflows/app.yml — lines 22, 35, 48, 56
Suggested replacement (apply in each location):
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pinned to actions/checkout v5
If you want, I can open a PR or provide a short script to update all workflow files automatically.
🤖 Prompt for AI Agents
.github/workflows/mobile-deploy.yml around lines 57 and 370: replace the
unpinned usage "actions/checkout@v5" with the resolved v5 commit SHA by changing
the step to use "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8"
(apply the same pinned SHA replacement to all other workflow files/lines listed
in the review to harden the supply chain).
@0xwitty thanks for opening this pull request. can you please re-create and open against the
Updates actions/checkout@v4 to actions/checkout@v5 across CI workflows.
Upgrade to actions/checkout@v5 for improved performance and stability.
Reference:
Latest version: https://github.com/actions/checkout/releases/tag/v5.0.0