chore(deps): bump actions/checkout from 5.0.1 to 6.0.2 #39
dependabot[bot] wants to merge 1 commit into
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 20: Replace the mutable tag "uses: actions/checkout@v6.0.2" with the full
commit SHA for the corresponding v6.0.2 release in both CI jobs (the two
occurrences of that exact "uses: actions/checkout@v6.0.2" line); locate the
occurrences in the workflow where actions/checkout is referenced and swap the
tag for the commit SHA (matching the actions/checkout repo commit that
corresponds to v6.0.2) so the workflow is pinned immutably like the other
actions.
In @.github/workflows/gitleaks.yml:
- Line 32: Replace the mutable tag "uses: actions/checkout@v6.0.2" with an
immutable commit SHA for the actions/checkout action; locate the occurrence of
the string uses: actions/checkout@v6.0.2 in the workflow and update it to uses:
actions/checkout@<commit-sha> (the specific full git commit SHA for the
actions/checkout v6 release) so the workflow pins to an immutable reference and
avoids supply-chain drift.
In @.github/workflows/release.yml:
- Line 26: The workflow currently uses the mutable tag actions/checkout@v6.0.2;
replace that tag with the exact immutable commit SHA for the actions/checkout
repository (i.e., actions/checkout@<full-commit-sha>) so the release workflow is
pinned like the other actions; locate the actions/checkout@v6.0.2 occurrence in
the release workflow and update it to the corresponding commit SHA fetched from
the actions/checkout GitHub repo, then commit the change.
In @.github/workflows/smoke.yml:
- Line 27: Replace the mutable tag for the GitHub Action usage so the workflow
is deterministic: change the actions/checkout reference currently using
"`@v6.0.2`" to the immutable commit SHA
"de0fac2e4500dabe0009e67214ff5f5447ce83dd"; locate the actions/checkout@...
entry in the workflow (the line containing "uses: actions/checkout") and update
it to use the full commit SHA instead of the version tag.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 8e1c50f2-8cd2-4891-8339-2ca0606dec23
📒 Files selected for processing (7)
- .github/workflows/cargo-audit.yml
- .github/workflows/ci.yml
- .github/workflows/commitlint.yml
- .github/workflows/dependency-review.yml
- .github/workflows/gitleaks.yml
- .github/workflows/release.yml
- .github/workflows/smoke.yml
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 |
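Review bot: both sides of this hunk are mutable refs (`actions/checkout@v6` before, `actions/checkout@v6.0.2` after), so the bump narrows the tag but still leaves checkout resolving whatever the tag points at on each run; pin the step to the full 40-hex commit SHA and keep the tag as a trailing comment (`# v6.0.2`) so the version stays readable and Dependabot can keep bumping it.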
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/ci.yml | head -60
Repository: Sentriscloud/indexer-rs
Length of output: 1973
🌐 Web query:
GitHub Actions security best practices mutable tag commit SHA pinning
💡 Result:
Best practice: pin every third-party GitHub Action to its full (40-hex) immutable commit SHA, not a mutable tag (and not branches like @main). GitHub states this is “the only way to use an action as an immutable release” and explains that tag-based pinning can be bypassed if a bad actor moves/deletes tags in the action’s repo.[1]

Why mutable tags are risky
- Version tags (e.g., @v4, @v2.0.0) are not guaranteed immutable; if the tag is moved, your workflow will start running attacker-controlled code on the next run.[1][2]
- GitHub explicitly warns that even if you trust an action’s author, tags can still be moved or deleted if an attacker gains access to the action repository.[1]

What to do in practice
1) Replace tags with full commit SHAs in every uses: line
- Example pattern: uses: owner/repo@ (not @vX).[1]
- GitHub’s secure-use guidance says pinning to a full-length commit SHA mitigates risk from compromised action repositories because the referenced content is immutable.[1]
2) Verify the SHA you pin is from the action’s own repository
- GitHub recommends verifying the SHA comes from the intended action repo (not a fork) before using it.[1]
3) Enforce SHA pinning via GitHub policies (so unpinned actions fail CI)
- GitHub’s changelog notes that administrators can enforce SHA pinning through the allowed actions policy; workflows that attempt to use an action that isn’t pinned will fail.[3]
4) Use Dependabot/automation to update pinned SHAs safely
- GitHub notes that if you pin via tags, Dependabot can update to the latest commit for that tagged ref, which is different from pinning to a specific commit SHA.[1]
- Use Dependabot/Renovate or action pinning tooling to periodically re-lock to newer commit SHAs (you still review the diffs/updates as part of your normal review process).[4]
5) Treat other workflow inputs as untrusted and limit token permissions (defense in depth)
- While your question is about action pinning, broader security hardening also includes preventing injection via untrusted values and tightening permissions to reduce blast radius (e.g., avoid overly-permissive GITHUB_TOKEN usage and do not interpolate untrusted event values directly into shell commands).[5]

Answer to the “mutable tag commit SHA pinning” query
- Prefer: uses: @ (immutable).
- Avoid: uses: @ where tags can move/delete, and avoid branches if your goal is immutability.
- Then optionally enforce with GitHub policy so unpinned actions are rejected automatically.[1][3]
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://actsense.dev/vulnerabilities/no_hash_pinning/
- 3: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 4: RFC: gh actions pin, cli/cli#13314
- 5: https://www.aikido.dev/blog/checklist-github-actions
Pin actions/checkout by commit SHA in both CI jobs (Lines 20 and 51).
Both steps currently use a mutable tag (@v6.0.2). Per GitHub's security guidance, pin to the full commit SHA to ensure reproducible and tamper-resistant CI behavior. Note that other actions in this workflow (rust-toolchain, rust-cache, install-action, cargo-deny-action) already use commit SHAs; align checkout with this pattern.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 20, Replace the mutable tag "uses:
actions/checkout@v6.0.2" with the full commit SHA for the corresponding v6.0.2
release in both CI jobs (the two occurrences of that exact "uses:
actions/checkout@v6.0.2" line); locate the occurrences in the workflow where
actions/checkout is referenced and swap the tag for the commit SHA (matching the
actions/checkout repo commit that corresponds to v6.0.2) so the workflow is
pinned immutably like the other actions.
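Added example, not CodeRabbit's output or the indexer-rs project's own tooling: a small checker that applies the rule from the review above to workflow text, classifying each `uses:` reference as a full 40-hex SHA, a version tag, or a branch, and additionally flagging SHA pins that lack the readable `# vX.Y.Z` comment the proposed fix carries. The sample workflow, the `example-org` actions and their all-`a`/all-`b` SHAs are constructed; only the actions/checkout SHA is the one from this PR's comments.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.
Added example, not CodeRabbit's output or the indexer-rs project's tooling: a 40-hex SHA
is immutable, a version tag or branch is mutable; ./ and docker:// refs are skipped."""
import re

# "- uses: owner/repo@ref", optional quotes, optional trailing "# v6.0.2" comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')


def classify(ref: str) -> str:
    """Classify one reference as sha, tag, branch, local, docker or unversioned."""
    if ref.startswith('./'):
        return 'local'
    if ref.startswith('docker://'):
        return 'docker'
    action, sep, version = ref.rpartition('@')
    if not sep or not action:
        return 'unversioned'
    if FULL_SHA_RE.match(version):
        return 'sha'
    if VERSION_TAG_RE.match(version):
        return 'tag'      # @v6 or @v6.0.2: the tag can be moved or deleted upstream
    return 'branch'       # @main and friends: always mutable


def audit(text: str, path: str = '<inline>') -> list:
    """Return (path, line_no, ref, kind) for each uses: line that is not a clean SHA pin."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(3) or '').strip()
        kind = classify(ref)
        if kind in ('local', 'docker'):
            continue
        # A SHA pin is fine; note it only when the readable "# vX.Y.Z" comment is missing.
        if kind == 'sha':
            if not VERSION_TAG_RE.match(comment):
                findings.append((path, no, ref, 'sha-no-version-comment'))
            continue
        findings.append((path, no, ref, kind))
    return findings


# Constructed sample in the shape this PR leaves ci.yml: checkout on a tag beside SHA-pinned
# steps. The example-org actions and their all-'a'/all-'b' SHAs are made-up placeholders.
FAKE_SHA_A, FAKE_SHA_B = 'a' * 40, 'b' * 40
SAMPLE_CI = f"""\
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: example-org/pinned-action@{FAKE_SHA_A} # v1.2.3
      - uses: example-org/other-action@{FAKE_SHA_B}
      - uses: ./.github/actions/setup
      - uses: some-org/some-action@main
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
"""

if __name__ == '__main__':
    for path, no, ref, kind in audit(SAMPLE_CI, '.github/workflows/ci.yml'):
        print(f'{path}:{no}: {ref} ({kind})')
```

Run against real files by passing `Path(p).read_text()` for each workflow; a non-empty result is the CI-failing condition the policy enforcement in the web result above would also produce.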
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all checkout usages are immutable SHA pins (40-hex commit), not tags.
rg -nP 'uses:\s*actions/checkout@' .github/workflows \
| rg -nPv '@[0-9a-f]{40}\b'
Repository: Sentriscloud/indexer-rs
Length of output: 421
Use an immutable SHA pin for actions/checkout on Line 32.
@v6.0.2 is a mutable tag. Please pin to the commit SHA to avoid supply-chain drift.
🔒 Proposed fix
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
📝 Committable suggestion
| - uses: actions/checkout@v6.0.2 | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/gitleaks.yml at line 32, Replace the mutable tag "uses:
actions/checkout@v6.0.2" with an immutable commit SHA for the actions/checkout
action; locate the occurrence of the string uses: actions/checkout@v6.0.2 in the
workflow and update it to uses: actions/checkout@<commit-sha> (the specific full
git commit SHA for the actions/checkout v6 release) so the workflow pins to an
immutable reference and avoids supply-chain drift.
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 |
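Review bot: the release workflow's checkout step still resolves a mutable tag after this change (`actions/checkout@v6.0.2` on the new side of the hunk); since this job produces what gets published, it should be the first one pinned to the full commit SHA, with `# v6.0.2` kept as a trailing comment so the release it corresponds to remains visible in review.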
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/release.yml | head -40
Repository: Sentriscloud/indexer-rs
Length of output: 1531
Pin actions/checkout to an immutable commit SHA on Line 26.
Release pipelines should avoid mutable action tags like @v6.0.2. Other actions in this workflow are already pinned to commit SHAs (e.g., docker/setup-buildx-action@8d2750c...), but actions/checkout is not. Use the exact commit SHA for consistency and to prevent supply chain risk in this production deployment pipeline.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml at line 26, The workflow currently uses the
mutable tag actions/checkout@v6.0.2; replace that tag with the exact immutable
commit SHA for the actions/checkout repository (i.e.,
actions/checkout@<full-commit-sha>) so the release workflow is pinned like the
other actions; locate the actions/checkout@v6.0.2 occurrence in the release
workflow and update it to the corresponding commit SHA fetched from the
actions/checkout GitHub repo, then commit the change.
| timeout-minutes: 20 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 |
🧩 Analysis chain
🏁 Script executed:
# First, check if the file exists and read the relevant section
if [ -f .github/workflows/smoke.yml ]; then
echo "=== smoke.yml file found ==="
cat -n .github/workflows/smoke.yml | head -50
else
echo "smoke.yml not found"
fi
Repository: Sentriscloud/indexer-rs
Length of output: 1419
🏁 Script executed:
# Search for all actions/checkout usage across workflows
echo "=== All actions/checkout usage in workflows ==="
rg "actions/checkout" .github/workflows/ -A 1 -B 1
Repository: Sentriscloud/indexer-rs
Length of output: 1606
🏁 Script executed:
# Check the overall structure and count lines in smoke.yml
if [ -f .github/workflows/smoke.yml ]; then
echo "=== smoke.yml line count ==="
wc -l .github/workflows/smoke.yml
fi
Repository: Sentriscloud/indexer-rs
Length of output: 127
Pin actions/checkout to commit SHA on line 27.
Line 27 uses @v6.0.2, a mutable version tag. Use the immutable commit SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd (which corresponds to v6.0.2) for deterministic and hardened smoke runs. This aligns with the pattern already used in dependency-review.yml, commitlint.yml, and cargo-audit.yml.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/smoke.yml at line 27, Replace the mutable tag for the
GitHub Action usage so the workflow is deterministic: change the
actions/checkout reference currently using "`@v6.0.2`" to the immutable commit SHA
"de0fac2e4500dabe0009e67214ff5f5447ce83dd"; locate the actions/checkout@...
entry in the workflow (the line containing "uses: actions/checkout") and update
it to use the full commit SHA instead of the version tag.
Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
698abb6 to b837a71
♻️ Duplicate comments (4)
.github/workflows/gitleaks.yml (1)
32-32: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Use immutable SHA pin instead of mutable tag.
Line 32 uses the mutable tag @v6.0.2, which creates supply-chain risk. This is inconsistent with other workflows in this PR (commitlint.yml, dependency-review.yml, cargo-audit.yml) that correctly pin to the immutable commit SHA @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2.
🔒 Proposed fix
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/gitleaks.yml at line 32, Replace the mutable action tag in the gitleaks workflow: locate the uses line referencing actions/checkout@v6.0.2 and change it to the immutable commit SHA used elsewhere (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) optionally preserving the human-readable tag as a trailing comment (e.g., # v6.0.2) so the workflow consistently pins the action to the specific commit SHA.
.github/workflows/release.yml (1)
26-26: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Use immutable SHA pin for consistency and security.
Line 26 uses the mutable tag @v6.0.2. This is inconsistent with:
- Other actions in this workflow (docker/setup-buildx-action, docker/login-action, etc.) that are already pinned to commit SHAs
- Other workflows in this PR (commitlint.yml, dependency-review.yml, cargo-audit.yml) that correctly use @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Release pipelines should use immutable references to prevent supply-chain attacks.
🔒 Proposed fix
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release.yml at line 26, The actions/checkout usage currently pins to the mutable tag `actions/checkout@v6.0.2`; update it to the immutable commit SHA used elsewhere (e.g., `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd`) to match the other actions and prevent supply-chain risk, and optionally append a comment `# v6.0.2` for human readability; look for the `uses: actions/checkout@v6.0.2` entry in the release workflow and replace the tag with the corresponding SHA.
.github/workflows/smoke.yml (1)
27-27: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Use immutable SHA pin for consistency and security.
Line 27 uses the mutable tag @v6.0.2. This is inconsistent with:
- Other actions in this workflow (dtolnay/rust-toolchain, Swatinem/rust-cache) that are already pinned to commit SHAs
- Other workflows in this PR (commitlint.yml, dependency-review.yml, cargo-audit.yml) that correctly use @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🔒 Proposed fix
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/smoke.yml at line 27, The workflow uses a mutable tag for the checkout action ("uses: actions/checkout@v6.0.2"); replace that mutable tag with the immutable commit SHA used elsewhere in the repo (the same SHA used in other workflows, e.g. de0fac2e4500dabe0009e67214ff5f5447ce83dd) so the line becomes a direct SHA pin; locate the string "uses: actions/checkout@v6.0.2" and update it to the corresponding "@<commit-sha>" value to ensure consistency and security.
.github/workflows/ci.yml (1)
20-20: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Use immutable SHA pins in both jobs for consistency and security.
Lines 20 and 51 both use the mutable tag @v6.0.2. This is inconsistent with:
- Other actions in this workflow (dtolnay/rust-toolchain, Swatinem/rust-cache, etc.) that are already pinned to commit SHAs
- Other workflows in this PR (commitlint.yml, dependency-review.yml, cargo-audit.yml) that correctly use @de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🔒 Proposed fix for the build job
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🔒 Proposed fix for the deny job
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Also applies to: 51-51
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 20, Replace both mutable tags "uses: actions/checkout@v6.0.2" with the immutable commit SHA "uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" so both jobs (the build job and the deny job where actions/checkout is referenced) are pinned consistently; search for the exact string "actions/checkout@v6.0.2" and update each occurrence to the provided SHA.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/ci.yml:
- Line 20: Replace both mutable tags "uses: actions/checkout@v6.0.2" with the
immutable commit SHA "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" so both jobs (the
build job and the deny job where actions/checkout is referenced) are pinned
consistently; search for the exact string "actions/checkout@v6.0.2" and update
each occurrence to the provided SHA.
In @.github/workflows/gitleaks.yml:
- Line 32: Replace the mutable action tag in the gitleaks workflow: locate the
uses line referencing actions/checkout@v6.0.2 and change it to the immutable
commit SHA used elsewhere
(actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) optionally
preserving the human-readable tag as a trailing comment (e.g., # v6.0.2) so the
workflow consistently pins the action to the specific commit SHA.
In @.github/workflows/release.yml:
- Line 26: The actions/checkout usage currently pins to the mutable tag
`actions/checkout@v6.0.2`; update it to the immutable commit SHA used elsewhere
(e.g., `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd`) to match the
other actions and prevent supply-chain risk, and optionally append a comment `#
v6.0.2` for human readability; look for the `uses: actions/checkout@v6.0.2`
entry in the release workflow and replace the tag with the corresponding SHA.
In @.github/workflows/smoke.yml:
- Line 27: The workflow uses a mutable tag for the checkout action ("uses:
actions/checkout@v6.0.2"); replace that mutable tag with the immutable commit
SHA used elsewhere in the repo (the same SHA used in other workflows, e.g.
de0fac2e4500dabe0009e67214ff5f5447ce83dd) so the line becomes a direct SHA pin;
locate the string "uses: actions/checkout@v6.0.2" and update it to the
corresponding "@<commit-sha>" value to ensure consistency and security.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: de908a31-7e28-4c3e-820e-0245e41992c9
📒 Files selected for processing (7)
- .github/workflows/cargo-audit.yml
- .github/workflows/ci.yml
- .github/workflows/commitlint.yml
- .github/workflows/dependency-review.yml
- .github/workflows/gitleaks.yml
- .github/workflows/release.yml
- .github/workflows/smoke.yml
Bumps actions/checkout from 5.0.1 to 6.0.2.
Release notes
Sourced from actions/checkout's releases.
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)