chore(deps): bump actions/checkout from 4 to 6 #27

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/checkout-6


Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to use the latest checkout action version across multiple continuous integration pipelines, improving compatibility with the latest tooling.

Commit message

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) May 20, 2026

coderabbitai Bot commented May 20, 2026

📝 Walkthrough

This PR updates the actions/checkout action version across five GitHub Actions CI workflows. The cargo-deny, commitlint, dependency-review, link-check, and rust workflows each have their checkout step updated to pinned version 6.0.2, upgrading from mixed prior versions (v4 and v5). No other workflow logic, permissions, or job configuration changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • Sentriscloud/sdk-rs#22: Both PRs update actions/checkout pins in the same set of CI workflow files (cargo-deny.yml, commitlint.yml, and dependency-review.yml).
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): The description does not follow the repository's required template structure. It lacks the Summary, Scope, Checks, Linked issue, and Deploy impact sections specified in the template.
    Resolution: Restructure the description to follow the template with Summary (1-3 sentences), Scope checkboxes, Checks, Linked issue, and Deploy impact sections.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title clearly and concisely describes the main change: bumping the actions/checkout dependency from version 4 to 6 across all workflow files.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cargo-deny.yml:
- Line 22: The checkout action step (the line containing "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") should explicitly
disable credential persistence to avoid leaking the GITHUB_TOKEN; update that
checkout step to include the key "persist-credentials: false" as an input under
the same step so downstream steps and third‑party actions do not receive the
token.

In @.github/workflows/commitlint.yml:
- Around line 16-18: The checkout step is currently leaving credentials in the
workspace; update the checkout action configuration (the block with "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and the existing
"with: fetch-depth: 0") to add "persist-credentials: false" under the "with"
mapping so the action does not persist git credentials during the commitlint
job.

In @.github/workflows/dependency-review.yml:
- Line 22: Update the checkout step that uses actions/checkout (the line with
"uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") to explicitly
set persist-credentials: false so the GITHUB_TOKEN is not persisted to
subsequent steps or artifacts; locate the checkout step in the workflow and add
the persist-credentials: false key under that step's configuration.

In @.github/workflows/link-check.yml:
- Around line 27-28: The Checkout step in the GitHub Actions workflow currently
uses actions/checkout without disabling persisted credentials; update the
Checkout job step (the step named "Checkout" that uses
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to add
persist-credentials: false so credentials are not left in the runner after
checkout.

In @.github/workflows/rust.yml:
- Line 17: Replace the mutable GitHub Action reference "uses:
actions/checkout@v6" with a pinned commit SHA for actions/checkout and add the
security option to disable token persistence by setting "persist-credentials:
false" in the checkout step; update the checkout step (the line containing uses:
actions/checkout@v6) to use the commit SHA for the action and include the
persist-credentials: false input so credentials aren't exposed to later steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c095c7f3-ffe4-46dd-a793-18f938a8a2a3

📥 Commits

Reviewing files that changed from the base of the PR and between 4a65eb5 and c84982f.

📒 Files selected for processing (5)
  • .github/workflows/cargo-deny.yml
  • .github/workflows/commitlint.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/link-check.yml
  • .github/workflows/rust.yml

runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
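Review bot: with this pin on v6.0.2 the v6 release notes quoted above now apply to this job: persisted credentials are stored under $RUNNER_TEMP instead of the local git config, and Docker container action scenarios need Actions Runner v2.329.0 or newer to read them. The job's runs-on: ubuntu-22.04 is a GitHub-hosted image, so the runner floor is met here; the same check deserves a line in the PR description for anyone running these workflows on self-hosted runners.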

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read its contents
cat -n .github/workflows/cargo-deny.yml

Repository: Sentriscloud/sdk-rs

Length of output: 940


Add persist-credentials: false to the checkout step.

Line 22 omits persist-credentials: false, leaving the GitHub token available to downstream steps unnecessarily. This is a security risk, especially when using third-party actions.

Suggested patch
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+       with:
+         persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


Comment on lines +16 to 18
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read the relevant lines
if [ -f ".github/workflows/commitlint.yml" ]; then
  echo "=== File content with line numbers ===" 
  cat -n .github/workflows/commitlint.yml | head -30
else
  echo "File not found"
fi

Repository: Sentriscloud/sdk-rs

Length of output: 715


🏁 Script executed:

# Also check for any other checkout actions in workflow files to understand patterns
rg "persist-credentials" .github/workflows/ || echo "No persist-credentials found in workflows"

Repository: Sentriscloud/sdk-rs

Length of output: 105


Add persist-credentials: false to checkout config.

Lines 16–18 currently persist credentials by default; commitlint only performs static analysis of commit messages and does not require authenticated git operations.

Suggested patch
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          persist-credentials: false
           fetch-depth: 0
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/dependency-review.yml

Repository: Sentriscloud/sdk-rs

Length of output: 1383


Turn off persisted credentials for checkout.

Line 22 should set persist-credentials: false to reduce token exposure in workflow steps/artifacts.

Suggested patch
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


Comment on lines 27 to +28
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/link-check.yml

Repository: Sentriscloud/sdk-rs

Length of output: 1406


Harden checkout by disabling persisted credentials.

Lines 27–28 should set persist-credentials: false; the lychee link-scanning job does not use Git credentials after checkout.

Suggested patch
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
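Review bot: this hunk leaves rust.yml as the only one of the five bumped workflows still on a mutable tag (actions/checkout@v6); the other four hunks in this PR pin to actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2. Bringing this step to the same SHA-plus-version-comment form keeps the pinning policy uniform across the repository and lets the trailing version comment serve as the human-readable breadcrumb on later bumps.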

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if file exists and read the relevant section
if [ -f ".github/workflows/rust.yml" ]; then
  echo "=== File exists ==="
  wc -l ".github/workflows/rust.yml"
  echo ""
  echo "=== Lines around line 17 ==="
  sed -n '10,25p' ".github/workflows/rust.yml"
else
  echo "File not found"
fi

Repository: Sentriscloud/sdk-rs

Length of output: 472


🌐 Web query:

GitHub Actions checkout action pinning commit SHA security best practice

💡 Result:

Best practice (secure pinning): Pin third-party GitHub Actions (including actions/checkout) to the full-length immutable commit SHA in the form uses: owner/repo@, instead of using a mutable tag like @v4 or @main. GitHub’s docs state that pinning to a full-length commit SHA is the only way to use an action as an immutable release, mitigating risk from a bad actor adding backdoors to the action repository; when selecting a SHA, verify it’s from the action’s repository (not a fork). Tag pinning is more convenient but still carries risk because tags can be moved or deleted if an attacker gains access to the action’s repository. [1]

Why this matters: GitHub also added an organization/repository policy mechanism to require SHA pinning; workflows that attempt to use actions that aren’t pinned to a full commit SHA will fail. This is meant to proactively limit the impact of compromised third-party dependencies. [2]

Implementation example for actions/checkout:
  • Prefer: uses: actions/checkout@
  • Avoid: uses: actions/checkout@v4 (or @v5, @main, etc.)

Operational guidance:
  • Ensure you pin every action reference you directly use; GitHub’s enforcement checks for a full commit SHA and will block unpinned uses. [1][2]
  • To update safely over time, update the SHA intentionally (e.g., via Dependabot/Renovate workflows that support GitHub Actions updates), rather than relying on mutable tags. GitHub’s secure use guidance notes tag use should only be used if you trust the creators, but commit SHA pinning is the stronger option. [1]

Bottom line: For security hardening, “pin actions to full-length commit SHAs” is the current best practice, and GitHub provides policy enforcement so you can ensure this across workflows. [1][2]


🌐 Web query:

GitHub Actions persist-credentials false security recommendation

💡 Result:

The persist-credentials: false setting in the GitHub Actions actions/checkout action is a security best practice recommended to prevent the automatic persistence of Git credentials (such as the GITHUB_TOKEN) into the local Git configuration of the runner [1][2]. When persist-credentials is set to its default value of true, the action configures the local Git environment with the authentication token, allowing subsequent steps in the same job to perform authenticated Git operations (like git push or git fetch) without needing to explicitly handle the token [3][4]. However, this also means that any code running in subsequent steps—including third-party actions—can potentially access these credentials [5][2].

Security Recommendations:
  1. Use persist-credentials: false by default: Unless your workflow specifically requires performing authenticated Git operations (e.g., pushing commits back to the repository), you should set persist-credentials: false [2]. This minimizes the attack surface by ensuring credentials are not unnecessarily exposed to the environment [2].
  2. Mitigate Credential Exposure: If you must use persist-credentials: true, ensure that you are using the principle of least privilege by restricting the permissions of the GITHUB_TOKEN [5].
  3. Recent Improvements: Note that recent versions of actions/checkout have improved security by storing credentials in a separate file under $RUNNER_TEMP rather than directly in .git/config [3][6]. While this reduces the risk of accidental leakage (e.g., through artifact uploads), explicitly setting persist-credentials: false remains the recommended practice for hardening workflows [7][2].

If you disable credential persistence but still need to perform authenticated Git operations later in your workflow, you will need to manually configure the credentials (e.g., using git remote set-url or by passing the token explicitly to the relevant Git commands) [8].


Pin checkout action to a commit SHA and disable credential persistence.

Line 17 uses mutable tag @v6 instead of a pinned commit SHA, and omits persist-credentials: false. Mutable tags create supply-chain risk; GitHub enforces SHA pinning through organization policies. Persisted credentials unnecessarily expose the token to subsequent steps.

Suggested patch
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

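As an added example (not code from this PR, from Dependabot, CodeRabbit or zizmor): a small line-based scanner that applies the two findings raised in the review above to any workflow text, flagging an actions/checkout step that leaves persist-credentials at its default and any uses: reference that is not a full-length commit SHA. It reuses only the v6.0.2 SHA from the PR; the sample workflow and example/lint-action are constructed.

```python
import re

# A step's "uses:" key, with or without the leading "- " of a list item.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>\S+)")
# Only a full-length (40 hex) commit SHA is an immutable action reference.
SHA_RE = re.compile(r"[0-9a-f]{40}")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")

# Constructed reference reusing the v6.0.2 SHA that the PR pins to.
PINNED = "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

# Constructed workflow fragment mirroring the step shapes in the PR's five
# workflows; "example/lint-action" is a made-up third-party action.
SAMPLE_WORKFLOW = f"""\
jobs:
  check:
    runs-on: ubuntu-22.04
    steps:
      - uses: {PINNED} # v6.0.2
      - uses: {PINNED} # v6.0.2
        with:
          fetch-depth: 0
      - name: Checkout
        uses: actions/checkout@v6
      - name: Hardened checkout
        uses: {PINNED} # v6.0.2
        with:
          persist-credentials: false
          fetch-depth: 0
      - uses: example/lint-action@main
"""


def scan_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule, reference) per finding, in file order.

    Rule names mirror the two zizmor audits quoted on the PR: unpinned-uses
    (ref after '@' is not a 40-hex SHA) and artipacked (an actions/checkout
    step leaving persist-credentials at its default, so the token stays).
    """
    lines = text.splitlines()
    findings: list[tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        action, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            findings.append((idx + 1, "unpinned-uses", ref))
        if action != "actions/checkout":
            continue
        # Lines indented at or beyond the 'uses:' key (the step's 'with:'
        # mapping) belong to this step; a shallower line starts the next one.
        key_col = line.index("uses:")
        disabled = False
        for nxt in lines[idx + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break
            if PERSIST_OFF_RE.match(nxt):
                disabled = True
                break
        if not disabled:
            findings.append((idx + 1, "artipacked", ref))
    return findings
```

It is deliberately indentation-based rather than a YAML parser so it needs no third-party package; for real repositories zizmor, which the review above already runs, covers both audits properly.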