
build(deps): bump actions/checkout from 4.3.1 to 6.0.2 #35

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/checkout-6.0.2

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps actions/checkout from 4.3.1 to 6.0.2.

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows across the project to use pinned versions for dependencies, enhancing stability and consistency of automated build and deployment processes.


Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4.3.1...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on May 20, 2026

coderabbitai Bot commented May 20, 2026

📝 Walkthrough

This PR updates the actions/checkout action to a pinned v6.0.2 commit across all seven GitHub Actions workflow files. The cargo-deny workflow upgrades from v5, the CI workflow (fmt, clippy, build jobs) moves from floating v6 tags to pinned v6.0.2, and security/analysis workflows (CodeQL, commitlint, dependency-review, gitleaks, link-check) are updated to consistent pinning. No workflow logic, triggers, or other job steps are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Sentriscloud/sentrix-explorer-v2#31: This PR also updates actions/checkout pinning in the same workflow files (cargo-deny.yml, commitlint.yml, dependency-review.yml), indicating a related configuration standardization effort.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The PR description lacks required sections (Summary and Test plan) from the template; it contains only auto-generated Dependabot content without manual context or testing verification. Resolution: add a Summary section explaining why this upgrade is necessary and what benefits it provides; add a Test plan section with specific testing steps to verify the upgraded actions work correctly in all affected workflows.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main change: bumping actions/checkout from 4.3.1 to 6.0.2 across all workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cargo-deny.yml:
- Line 22: The checkout action currently uses
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd; update that checkout
step to include persist-credentials: false so the workflow does not retain Git
credentials for this read-only cargo-deny job. Locate the actions/checkout@...
step in the workflow and add the persist-credentials: false input to the step
configuration.

In @.github/workflows/ci.yml:
- Line 19: Replace the mutable actions/checkout tag with the pinned commit SHA
and disable credential persistence: for each occurrence of "uses:
actions/checkout@v6.0.2" (the three checkout steps in the workflow), change the
version to "de0fac2e4500dabe0009e67214ff5f5447ce83dd" and add
"persist-credentials: false" to the step inputs so credentials are not stored in
the git config.

In @.github/workflows/codeql.yml:
- Line 25: Replace the loose actions/checkout@v6.0.2 usage with a commit-SHA
pinned reference and add the checkout input to disable credential persistence;
specifically change the checkout step that currently references
"actions/checkout@v6.0.2" to use the repository commit SHA (pin to the exact
commit) and add a with block including "persist-credentials: false" (and
optionally keep fetch-depth as needed) so the CodeQL job uses an immutable
action source and does not expose the runner token.

In @.github/workflows/commitlint.yml:
- Around line 16-18: The checkout step using "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" should explicitly
disable persisted credentials; update the checkout action (the step that
currently sets "with: fetch-depth: 0") to include "persist-credentials: false"
under its "with:" mapping so commitlint runs without storing Git credentials.

In @.github/workflows/dependency-review.yml:
- Line 22: The checkout step currently uses actions/checkout (the line with
"uses: actions/checkout@de0fac2e..."); update that checkout step to add the
input "persist-credentials: false" so the workflow token is not stored in the
local git config—locate the checkout step (the step containing uses:
actions/checkout@...) and add the persist-credentials: false input under it.

In @.github/workflows/gitleaks.yml:
- Around line 32-34: Update the actions/checkout step so it uses an immutable
commit SHA instead of the floating tag and explicitly disables persisted
credentials; locate the checkout usage (the line with "uses:
actions/checkout@v6.0.2") and replace the tag with the repo commit SHA for that
release, and add the input "persist-credentials: false" alongside the existing
"fetch-depth: 0" setting to ensure credentials are not left in the runner.

In @.github/workflows/link-check.yml:
- Around line 27-28: The Checkout step currently uses
actions/checkout@de0fac2e... but does not set persist-credentials; update the
Checkout job step (the step named "Checkout" that uses actions/checkout) to add
persist-credentials: false under that step so credentials are not persisted to
the repo Git config for subsequent steps, e.g. add the key persist-credentials:
false at the same indentation as uses.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: d63358dd-8cc1-42d0-b710-cf05eb69ebd7

📥 Commits

Reviewing files that changed from the base of the PR and between 1f74071 and cb22317.

📒 Files selected for processing (7)
  • .github/workflows/cargo-deny.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/commitlint.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/gitleaks.yml
  • .github/workflows/link-check.yml
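The inline comments above ask for the same two changes in every workflow: pin actions/checkout to a commit SHA and set persist-credentials: false. As an added example that is not part of this PR, of CodeRabbit or of zizmor, the Python below scans workflow YAML for both gaps (the checks zizmor reports as unpinned-uses and artipacked) and rewrites each affected step to fix them; the sample workflow is constructed, and the tag-to-SHA map carries only the v6.0.2 SHA quoted in this review.

```python
from __future__ import annotations

import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # 40 hex digits: an immutable commit reference
# "key: value  # comment"; value is None for a bare "key:" that opens a nested mapping.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][\w-]*):(?:\s+(?P<value>[^#]*?))?\s*(?:#.*)?$")


def parse_checkout_steps(text: str) -> list[dict]:
    """Find every actions/checkout step and its `with:` inputs without a YAML library:
    a sequence item opens at "- " and owns every deeper-indented line that follows."""
    rows = [(len(ln) - len(ln.lstrip()), ln.strip()) for ln in text.splitlines()]  # (col, text)
    steps, i = [], 0
    while i < len(rows):
        dash_col, item = rows[i]
        if not item.startswith("- "):
            i += 1
            continue
        body, j = [(i, dash_col + 2, item[2:].lstrip())], i + 1  # (line index, col, "key: value")
        while j < len(rows) and (not rows[j][1] or rows[j][1][0] == "#" or rows[j][0] > dash_col):
            if rows[j][1] and rows[j][1][0] != "#":  # blank and comment lines belong to nobody
                body.append((j, *rows[j]))
            j += 1
        if (step := _checkout_from_body(body, dash_col + 2)) is not None:
            steps.append(step)
        i = j
    return steps


def _checkout_from_body(body: list[tuple], key_col: int) -> dict | None:
    step = {"key_col": key_col, "with_line": None, "input_col": None, "inputs": {}}
    in_with = False
    for idx, col, content in body:
        if not (kv := KV_RE.match(content)):
            continue
        key, value = kv.group("key"), (kv.group("value") or "").strip()
        if col == key_col:               # one of the step's own keys (uses, name, with, ...)
            in_with = key == "with"
            if key == "uses" and value.startswith("actions/checkout@"):
                step["uses_line"], step["ref"] = idx, value.split("@", 1)[1]
            elif key == "with":
                step["with_line"] = idx
        elif in_with and col > key_col:  # an input nested under `with:`
            step["input_col"] = step["input_col"] or col
            step["inputs"][key] = value
    return step if "ref" in step else None


def audit(text: str, path: str = "workflow.yml") -> list[str]:
    """Report the two gaps zizmor calls `unpinned-uses` and `artipacked`."""
    findings = []
    for s in parse_checkout_steps(text):
        where = f"{path}:{s['uses_line'] + 1}"
        if not SHA_RE.match(s["ref"]):
            findings.append(f"{where}: unpinned action reference @{s['ref']}")
        if s["inputs"].get("persist-credentials") != "false":
            findings.append(f"{where}: does not set persist-credentials: false")
    return findings


def harden(text: str, sha_for_tag: dict[str, str]) -> str:
    """Pin known tags to their SHA, keeping the tag as a trailing comment (the
    convention Dependabot maintains), and add persist-credentials: false."""
    lines = text.splitlines()
    # Bottom-up, so inserted lines never shift the indices of steps still to be edited.
    for s in sorted(parse_checkout_steps(text), key=lambda s: s["uses_line"], reverse=True):
        if s["ref"] in sha_for_tag:
            lines[s["uses_line"]] = lines[s["uses_line"]].replace(
                f"@{s['ref']}", f"@{sha_for_tag[s['ref']]} # {s['ref']}", 1)
        if s["inputs"].get("persist-credentials") != "false":
            if s["with_line"] is not None:  # extend the existing with: block
                col = s["input_col"] or s["key_col"] + 2
                lines.insert(s["with_line"] + 1, " " * col + "persist-credentials: false")
            else:                           # no with: block yet, add one under uses:
                lines[s["uses_line"] + 1:s["uses_line"] + 1] = [
                    " " * s["key_col"] + "with:",
                    " " * (s["key_col"] + 2) + "persist-credentials: false"]
    return "\n".join(lines) + "\n"


# Constructed sample modelled on this PR's findings: a tag-pinned step and a SHA-pinned one.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - name: Checkout full history
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0  # full history for commit-range scans
      - run: cargo deny check
"""
KNOWN_SHAS = {"v6.0.2": "de0fac2e4500dabe0009e67214ff5f5447ce83dd"}  # SHA quoted in this review

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WORKFLOW)))
    print(harden(SAMPLE_WORKFLOW, KNOWN_SHAS))
```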

runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
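Review bot: the v6 minimum-runner requirement from the release notes above needs checking for this job, because it is the only workflow in the PR that jumps a major version (the v5 line to v6.0.2) rather than moving within v6: persisted credentials now live under $RUNNER_TEMP and Docker container action scenarios need Actions Runner v2.329.0 or newer. Confirm that the runners behind runs-on: ubuntu-22.04 meet that minimum, or record in the PR that this job runs no container action that would read the persisted credential.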

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's read the cargo-deny.yml file to see the current state
cat -n .github/workflows/cargo-deny.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 953


🌐 Web query:

GitHub Actions actions/checkout persist-credentials security best practice

💡 Result:

Best practice for actions/checkout persist-credentials (as of 2026-05-20):

1) Prefer not persisting credentials unless you truly need authenticated git push/write.
  • actions/checkout persists the auth token in the local git config “to enable your scripts to run authenticated git commands” and you can disable it with persist-credentials: false to opt out [1].
  • Security hardening guidance is to set persist-credentials: false for checkout steps that don’t need authenticated git operations (build/test/scan, etc.) [2].

2) If you need git push/write, scope persistence to the smallest set of steps/jobs that require it.
  • Persisting credentials is only needed when subsequent steps run authenticated git commands; the token is removed during post-job cleanup [1].

3) Always apply least-privilege for GITHUB_TOKEN permissions (often the most important control).
  • GitHub lets you set workflow/job-level permissions for GITHUB_TOKEN, and any permission absent from the list is set to none [3].
  • GitHub also states it generates a new token per job and expires it when the job completes [3].

Example hardening pattern (read-only workflow step):
    uses: actions/checkout@v4
    with:
      persist-credentials: false
    permissions:
      contents: read

4) Note on current implementation
  • As part of security improvements, persist-credentials now stores persisted credentials in a separate config file under $RUNNER_TEMP (instead of directly in .git/config), to isolate sensitive data [4].

Bottom line: set persist-credentials: false for checkout steps that don’t need authenticated git write operations; for workflows that still need writes, limit persistence to only those steps and combine it with restrictive GITHUB_TOKEN permissions.

Set persist-credentials: false to avoid unnecessary credential persistence.

Line 22 should add persist-credentials: false since this job performs read-only operations (cargo-deny checks) and doesn't require authenticated git access. This follows GitHub's security hardening best practices to disable credential persistence for workflows that don't need authenticated git writes.

Suggested patch
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
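Review bot: the with: block is indented correctly for the step, but persist-credentials: false only keeps the job token out of the local git config after checkout; the guidance quoted above calls least-privilege GITHUB_TOKEN permissions the more important control. Pair this with a job-level permissions: block granting contents: read (if cargo-deny.yml does not already set one) so that a compromised dependency in this read-only job finds neither a persisted credential nor a writable token.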
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


Comment thread .github/workflows/ci.yml
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2
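Review bot: pinning is inconsistent across the PR here: ci.yml moves from one mutable tag (v6) to another (v6.0.2), while cargo-deny.yml and dependency-review.yml receive a commit SHA with the version as a trailing comment. The three checkout steps in this file should be written the same way, uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2, so that a tag move upstream cannot change what the CI jobs run and Dependabot keeps maintaining the SHA through the comment as it does for the other files.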

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -60

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 2574


🌐 Web query:

actions/checkout v6.0.2 commit sha github releases

💡 Result:

For actions/checkout v6.0.2, the release commit SHA is de0fac2e4500dabe0009e67214ff5f5447ce83dd. This is shown as the first (and main) commit in the compare page v6.0.1...v6.0.2, where the commit list includes “de0fac2: Fix tag handling: preserve annotations and explicit fetch-tags” for the v6.0.2 release, and matches the digest-pinning shown publicly for v6.0.2.

Cited evidence:
  • The actions/checkout compare page v6.0.0...v6.0.2 lists “de0fac2” as the commit corresponding to the v6.0.2 release (“Fix tag handling: preserve annotations and explicit fetch-tags”). [1]
  • A public guidance post pinning actions/checkout v6.0.2 shows the full SHA as de0fac2e4500dabe0009e67214ff5f5447ce83dd. [2]
  • The official release tag page for v6.0.2 is published 2026-01-09 and points to the v6.0.2 tag. [3]

Answer: de0fac2e4500dabe0009e67214ff5f5447ce83dd [1][2][3]

🌐 Web query:

github actions checkout persist-credentials security best practice

💡 Result:

Best practice: set persist-credentials: false on every actions/checkout step unless you explicitly need authenticated git operations after checkout.

Why:
  • GitHub’s own security guidance (OWASP cheat sheet) says actions/checkout should be used with persist-credentials: false unless needed, because this prevents Git credentials from being persisted, reducing exposure risk [1].
  • The actions/checkout documentation states the auth token is persisted in the local git config and you can opt out by setting persist-credentials: false [2].
  • There’s also tooling/security guidance focused on not leaking the token into a persisted .git/config (e.g., security validation logic that flags missing persist-credentials: false as “git token is stored in .git/config and exposed”) [3].

Example [2]:
    uses: actions/checkout@v4
    with:
      persist-credentials: false

Notes / practical guidance:
  • If your workflow needs authenticated git commands (e.g., git push, fetching private submodules with auth), you should scope credentials carefully and supply an explicit token/SSH setup rather than relying on persisted credentials by default (the key is to only persist when required) [1][2].

Pin checkout actions to commit SHA and disable credential persistence.

Lines 19, 29, and 49 use a mutable tag (@v6.0.2) instead of a commit SHA. Pin each to de0fac2e4500dabe0009e67214ff5f5447ce83dd and add persist-credentials: false to prevent Git credentials from being persisted in the git config, reducing exposure risk.

Suggested patch
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
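Review bot: the suggestion patches only line 19 even though the same finding covers the checkout steps at lines 29 and 49, and zizmor's unpinned-uses error is a blanket policy, so the check keeps failing until all three are pinned; applying a one-step committable suggestion would leave the job half-fixed. Extend the suggested patch to all three steps, or state explicitly that the same three lines must also be applied at 29 and 49.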

Also applies to: 29-29, 49-49

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


language: ['javascript-typescript']
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

fd -t f codeql.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 58


🏁 Script executed:

# Check if the file exists and examine its content
if [ -f .github/workflows/codeql.yml ]; then
  cat -n .github/workflows/codeql.yml
else
  echo "File not found"
fi

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 1030


🏁 Script executed:

# Also check what other workflows exist for consistency context
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory"

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 629


🌐 Web query:

actions/checkout v6.0.2 release commit SHA github

💡 Result:

actions/checkout@v6.0.2 points to commit de0fac2e4500dabe0009e67214ff5f5447ce83dd. Evidence: the repository’s comparison page for v6.0.0...v6.0.2 lists “de0fac2: Fix tag handling: preserve annotations and explicit fetch-tags (#2356)” as the commit included in the v6.0.2 release line-up [1]. The changelog/release material for v6.0.2 mentions the same fix (#2356) [2] and the tag listing for v6.0.2 is consistent with that release [3].

🏁 Script executed:

# Check other workflow files to see if they use checkout and how
grep -r "actions/checkout" .github/workflows/

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 865


🌐 Web query:

GitHub Actions persist-credentials false security best practice checkout

💡 Result:

Best practice: set persist-credentials: false on actions/checkout unless the workflow step needs to run authenticated git operations that require a credential to be stored (e.g., pushing back to the repo). This reduces the risk that the checkout token/credentials remain available to later steps in the job.

Evidence from official/authoritative sources:
  • actions/checkout persists an auth token into the local git configuration to enable authenticated git commands, and you can opt out with persist-credentials: false. [1]
  • OWASP’s GitHub Actions Security Cheat Sheet explicitly recommends using actions/checkout with persist-credentials: false unless needed for git operations, to prevent Git credentials from being persisted and to reduce credential exposure risk. [2]
  • The actions/checkout project documents that when persist-credentials is enabled, the token is stored locally, enabling git push/fetch/etc., and removed during post-job cleanup; disabling it opts out of persistence. [1]

Practical guidance (what to do):
  • For “read-only” workflows (build, test, lint, scan) that don’t need to push commits/tags from within the workflow, use:
        uses: actions/checkout@v5
        with:
          persist-credentials: false
  • For workflows that must push (e.g., automated version bumps, release commits, git push), keep persist-credentials enabled (or otherwise ensure you authenticate for the push), because disabling it will prevent authenticated git commands that rely on the persisted credential. [1][2]

Why this matters:
  • Persisting credentials increases the chance that other steps or compromised dependencies/scripts can access them from the git config on disk, which expands the blast radius inside a workflow. This security concern is discussed by the actions/checkout maintainers/community and is one of the reasons persist-credentials exists and is recommended for hardening. [3][2]

🏁 Script executed:

# Check if any workflow currently uses persist-credentials
grep -r "persist-credentials" .github/workflows/

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 58


Harden checkout reference and token handling in CodeQL job.

Line 25 should be commit-SHA pinned and include persist-credentials: false to align with immutable action sourcing and reduced token exposure. This aligns with hardening already applied to other workflows in the repository (cargo-deny.yml, commitlint.yml, dependency-review.yml, link-check.yml).

Suggested patch
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 25-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 25-25: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Comment on lines +16 to 18
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, locate and read the commitlint.yml file
fd -e yml -e yaml | grep -i commitlint

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 58


🏁 Script executed:

# Read the commitlint workflow file
cat .github/workflows/commitlint.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 535


🌐 Web query:

GitHub Actions actions/checkout persist-credentials security best practices

💡 Result:

Best practice: in most workflows, set actions/checkout with persist-credentials: false unless you specifically need authenticated git operations that require the persisted credential. This reduces the chance that any later compromised step can read a token from git configuration.

How persist-credentials works (and what to watch)
1) Persisting credentials means the token (GITHUB_TOKEN or a provided token/SSH key) is stored so subsequent commands can use it. actions/checkout documents that the auth token is persisted in local git config and removed during post-job cleanup, and you can opt out via persist-credentials: false [1][2].
2) GitHub security guidance (via OWASP) explicitly recommends using actions/checkout with persist-credentials: false to reduce credential exposure if the workflow is compromised [3].

Recommended hardening pattern
  • Always pin to a modern major version (e.g., v4) of actions/checkout and disable credential persistence unless needed:
        uses: actions/checkout@v4
        with:
          persist-credentials: false
  This mitigation is described by the OWASP guidance and common security checklists for GitHub Actions [3][4].

When you might keep persist-credentials enabled
  • If your job genuinely needs authenticated git operations via the checked-out repo’s configured credential (e.g., pushing commits/tags or other git write operations performed later in the same job), persist-credentials can be required because it “enables your scripts to run authenticated git commands” [1][2]. In that case, compensate with least-privilege workflow permissions for the token [5][6] and other GitHub Actions hardening.

Bottom line
  • Default to persist-credentials: false for defense in depth [3].
  • Turn it on only when you have a concrete need for authenticated git commands from later steps, and in that case apply least-privilege permissions for GITHUB_TOKEN [5][6].

Add persist-credentials: false to checkout.

Lines 16–18 should explicitly disable persisted checkout credentials; commitlint performs only validation without requiring any authenticated git operations.

  • Minimizes credential exposure if the workflow is compromised
  • Recommended by OWASP GitHub Actions Security Cheat Sheet as a defense-in-depth measure
Suggested patch
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
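Review bot: placing persist-credentials: false beneath the existing fetch-depth: 0 is the right shape, and the two inputs do not interact: the checkout step itself still fetches the full history with the job token, and the new input only stops that token being written into the local git config afterwards, so commitlint's validation of the fetched commits is unaffected.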
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && ls -la dependency-review.yml && wc -l dependency-review.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 172


🏁 Script executed:

cat -n .github/workflows/dependency-review.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 1396


🌐 Web query:

actions/checkout v6 persist-credentials false GitHub Actions security

💡 Result:

actions/checkout@v6 with the input persist-credentials: false opts out of persisting the workflow auth token/SSH key into the checked-out repository’s local git configuration, which helps reduce the chance that later steps can access those credentials from disk.

Evidence (from actions/checkout and its action metadata):
  • The action documentation explains that “The auth token is persisted in the local git config… The token is removed during post-job cleanup. Set persist-credentials: false to opt-out.” [1]
  • The action metadata describes persist-credentials as “Whether to configure the token or SSH key with the local git config” with default true. [2]
  • Community/security discussion notes the practical risk: if persist-credentials isn’t disabled, workflows can make it easier for later code to read the stored token from the checkout’s git config (e.g., after checkout). [3][4]

Recommended use (security hardening):
  • If you don’t need authenticated git operations (push, fetching with auth, etc.), set:
        - uses: actions/checkout@v6
          with:
            persist-credentials: false
  • Also follow least-privilege for the workflow token (GITHUB_TOKEN permissions) because persist-credentials: false only addresses whether the credential is written into local git config; it doesn’t reduce the intrinsic risk of over-scoped tokens. [3][5]

Sources:
  • [1] https://github.com/actions/checkout/blob/main/README.md
  • [2] https://github.com/actions/checkout/blob/master/action.yml
  • [3] actions/checkout#485
  • [4] https://yossarian.net/til/post/actions-checkout-can-leak-github-credentials/

🌐 Web query:

github actions checkout action persist-credentials parameter documentation

💡 Result:

The GitHub Actions checkout action’s input documentation for persist-credentials is:

1) Input name and meaning
  • Parameter: persist-credentials
  • Description: “Whether to configure the token or SSH key with the local git config” [1].

2) Default value
  • The action.yml defines default: true for persist-credentials [1].

3) What “persist-credentials: true/false” does
  • With the default behavior (token/credentials configured locally), the auth token is persisted in the local git config so scripts can run authenticated git commands; the token is removed during post-job cleanup [2][3].
  • You can opt out by setting persist-credentials: false [2][3].

4) Security/implementation note (how it is persisted)
  • The checkout README notes an improvement to credential security: persist-credentials now stores credentials in a separate file under $RUNNER_TEMP instead of directly in .git/config [2][4].

Example usage:
    uses: actions/checkout@v4
    with:
      persist-credentials: false

Source: actions/checkout README and action.yml input definition [2][1].

Disable credential persistence in checkout action for improved security.

Line 22 should set persist-credentials: false to prevent the workflow token from being persisted in the local git configuration, reducing the risk of credential leakage through subsequent steps.

Suggested patch
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
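Review bot: the first two lines of this hunk remove and re-add the same `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` line; the only functional change is the new `with:` block, so showing the `uses:` line as unchanged context would make the diff clearer to review. Nothing in the hunk depends on authenticated git after checkout, so no follow-up change is visible; as the analysis above notes, a later step in the same job that pushes or fetches with the token would need the credential supplied explicitly once persistence is off.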
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 22, The checkout step
currently uses actions/checkout (the line with "uses:
actions/checkout@de0fac2e..."); update that checkout step to add the input
"persist-credentials: false" so the workflow token is not stored in the local
git config—locate the checkout step (the step containing uses:
actions/checkout@...) and add the persist-credentials: false input under it.

Comment on lines +32 to 34
- uses: actions/checkout@v6.0.2
with:
fetch-depth: 0 # full history so commit-range scan covers the whole tree

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "gitleaks.yml" | head -5

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 109


🏁 Script executed:

cat -n .github/workflows/gitleaks.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 2080


🌐 Web query:

actions/checkout v6.0.2 commit SHA GitHub

💡 Result:

I couldn’t find a source that explicitly states the commit SHA that the Git tag v6.0.2 points to. What I did find:

- The official repository page shows that v6.0.2 is the latest release (released 2026-01-09) [1].
- The official changelog and release comparison pages exist for v6.0.2 and reference the version, but the excerpts available to me don’t include the tag-to-commit SHA mapping [2][3].
- The compare page (v6.0.0...v6.0.2) lists the commits that were added between those tags, but again it does not directly label which commit corresponds to the v6.0.2 tag itself in the snippet I can access [3].

If you want, I can do one more targeted search specifically for the v6.0.2 tag object/commit (e.g., the URL pattern /releases/tag/v6.0.2 or /tree/v6.0.2?tab=readme) to extract the exact SHA from GitHub’s page HTML/metadata.

Citations:


🏁 Script executed:

# Try to find the exact commit SHA for v6.0.2 of actions/checkout
python3 << 'EOF'
import json
import subprocess

# Use git ls-remote to find the commit SHA for the v6.0.2 tag
# This works for any public GitHub repo
result = subprocess.run(
    ['git', 'ls-remote', '--tags', 'https://github.com/actions/checkout', 'v6.0.2'],
    capture_output=True,
    text=True
)

print("git ls-remote output:")
print(result.stdout)
print(result.stderr)
EOF

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 158


🌐 Web query:

GitHub Actions checkout action persist-credentials security recommendation

💡 Result:

Recommended security setting: set persist-credentials: false on actions/checkout unless you specifically need authenticated git operations afterward.

Rationale (what “persist-credentials” does and why it matters):

1) By default, actions/checkout persists the auth token it used for checkout into the local git configuration (historically .git/config). The action documentation states that “The auth token is persisted in the local git config… [and] removed during post-job cleanup,” and you can opt out with persist-credentials: false.[1]
2) Persisting credentials locally increases the chance that subsequent steps (or artifacts) may unintentionally expose them. Discussions in the actions/checkout community highlight that persisting credentials can “expose” credentials to other code that runs later in the workflow.[2][3]
3) Even if code in other steps can access GITHUB_TOKEN via other mechanisms, the safer practice is still to reduce what’s written to disk. The actions/checkout docs explicitly frame persist-credentials as an opt-in mechanism for persisting the token for scripts that need authenticated git commands.[1]

Practical guidance:

- Hardening default: use

  ```yaml
  - uses: actions/checkout@v4
    with:
      persist-credentials: false
  ```

  This is the commonly recommended mitigation to avoid persisting credentials into git config.[1]
- Set persist-credentials: true only if a later step in the same job must run git operations that require authentication (e.g., git push), and document that need.

Example:

```yaml
- uses: actions/checkout@v4
  with:
    persist-credentials: false
```

Notes/edge cases:

- Some tooling may require the credentials to remain after checkout; if you disable persistence, you may need to reconfigure the remote URL/token explicitly before such steps (as discussed by downstream action maintainers).[4]

Grounding: The core recommendation follows directly from the official actions/checkout documentation describing persistence behavior and the persist-credentials: false opt-out.[1] Community security discussions also call out the increased risk of persisting credentials to disk.[2][3]

Citations:


🌐 Web query:

actions/checkout v6.0.2 release commit SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd

💡 Result:

The release tag v6.0.2 of actions/checkout points to commit SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd, and this commit corresponds to the change “Fix tag handling: preserve annotations and explicit fetch-tags (#2356)”. [1][2][3]

Supporting details:

- The repository’s v6.0.2 changelog lists the #2356 fix under v6.0.2. [1]
- The compare page shows that commit de0fac2 is included in the v6.0.0...v6.0.2 range with the same description. [3]
- The commit summary in the main changelog/commit history indicates de0fac2 is authored on 2026-01-09 with that #2356 change. [4]

Citations:


Use immutable checkout pin and turn off persisted credentials.

Lines 32–34 should pin actions/checkout by commit SHA and set persist-credentials: false; this is especially important in a security workflow.

Suggested patch
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0  # full history so commit-range scan covers the whole tree
+          persist-credentials: false
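Review bot: the `# v6.0.2` comment beside the new SHA is the only link between the pin and the version, and nothing at run time checks it, so confirm the SHA against the tag before committing with the `git ls-remote --tags https://github.com/actions/checkout v6.0.2` command already used in this analysis, taking the commit SHA rather than a tag-object SHA if the tag is annotated. `persist-credentials: false` is compatible with the existing `fetch-depth: 0` line: the comment there says the full history is fetched for the commit-range scan, which reads the clone and needs no authenticated git afterwards.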
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 32-34: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/gitleaks.yml around lines 32 - 34, Update the
actions/checkout step so it uses an immutable commit SHA instead of the floating
tag and explicitly disables persisted credentials; locate the checkout usage
(the line with "uses: actions/checkout@v6.0.2") and replace the tag with the
repo commit SHA for that release, and add the input "persist-credentials: false"
alongside the existing "fetch-depth: 0" setting to ensure credentials are not
left in the runner.
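The two checks asked for in this comment and in the dependency-review comment above (a `uses:` pinned to a commit SHA, and `persist-credentials: false` on every checkout step), as an added example that is not code from this PR, from Sentriscloud/sentrix-explorer-v2, or from actions/checkout. It is a standard-library-only Python scan that reports the same two findings zizmor raised (`unpinned-uses` and `artipacked`) over a workflow file, plus a small parser for `git ls-remote --tags` output that returns the commit SHA to pin, preferring the peeled `refs/tags/<tag>^{}` entry that annotated tags carry, since the un-peeled line of an annotated tag is the tag object, not the commit. The names `lint_workflow`, `peeled_tag_sha`, `SAMPLE_WORKFLOW` and `SAMPLE_LS_REMOTE` are this example's own; the workflow text and the ls-remote listing are constructed, with only the `de0fac2e…` SHA taken from the review above and the other SHAs obvious placeholders.

```python
"""Added example (not code from this PR or from actions/checkout): an offline
scan for unpinned `uses:` references and checkout steps that leave
persist-credentials at its default, plus a helper that picks the commit SHA
for a tag out of `git ls-remote --tags` output. Sample inputs are constructed.
"""
import re
from typing import Dict, List, Optional

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # an immutable pin
_USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")        # "- uses: x" or "uses: x"
_STEP_START_RE = re.compile(r"^\s*-\s")                         # a YAML list item
_PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")
_LS_REMOTE_RE = re.compile(r"^([0-9a-f]{40})\s+refs/tags/(\S+)$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> List[Dict]:
    """Return findings as {'line', 'rule', 'uses'} dicts, in file order."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = _USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions (./path) and docker:// images have no tag-to-SHA pin;
        # zizmor skips them as well, so this scan does not report them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        if not _SHA_RE.match(ref):
            findings.append({"line": i + 1, "rule": "unpinned-uses", "uses": target})
        if action != "actions/checkout":
            continue
        # The step is the nearest preceding "- " item; its body is every
        # following line indented deeper than that dash. persist-credentials
        # must appear in that body (under with:) to count.
        start = next(j for j in range(i, -1, -1) if _STEP_START_RE.match(lines[j]))
        step_indent = _indent(lines[start])
        body = []
        for later in lines[start + 1:]:
            if later.strip() and _indent(later) <= step_indent:
                break
            body.append(later)
        if not any(_PERSIST_FALSE_RE.match(b) for b in body):
            findings.append({"line": i + 1, "rule": "artipacked", "uses": target})
    return findings


def peeled_tag_sha(ls_remote_output: str, tag: str) -> Optional[str]:
    """Commit SHA for `tag` from `git ls-remote --tags <url>` output, or None."""
    by_ref = {}
    for line in ls_remote_output.splitlines():
        m = _LS_REMOTE_RE.match(line)
        if m:
            by_ref[m.group(2)] = m.group(1)
    # Annotated tag: the ^{} line is the commit; lightweight tag: only one line.
    return by_ref.get(tag + "^{}") or by_ref.get(tag)


# Constructed sample workflow: step 1 mirrors the gitleaks.yml lines quoted in
# this review, step 2 is the suggested hardened form, step 3 is a local action.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          persist-credentials: false
      - uses: ./.github/actions/local-thing
"""

# Constructed ls-remote listing. The v6.0.2 commit SHA is the one quoted in
# this review; the tag-object SHA and the v6 entry are placeholders.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v6.0.2\n"
    "de0fac2e4500dabe0009e67214ff5f5447ce83dd\trefs/tags/v6.0.2^{}\n"
    "2222222222222222222222222222222222222222\trefs/tags/v6\n"
)

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['rule']} ({f['uses']})")
    print("v6.0.2 ->", peeled_tag_sha(SAMPLE_LS_REMOTE, "v6.0.2"))
```

Run against the sample, the scan flags only the first checkout step, once for the floating `v6.0.2` tag and once for the missing `persist-credentials: false`; the pinned step with the input set passes. The scan is line-based on purpose so it needs no YAML library, which means it trusts the file's indentation the same way the suggested patches above do.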

Comment on lines 27 to +28
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/link-check.yml

Repository: Sentriscloud/sentrix-explorer-v2

Length of output: 1419


🌐 Web query:

GitHub Actions checkout persist-credentials false security best practice

💡 Result:

Best practice for GitHub Actions: set actions/checkout with persist-credentials: false to avoid persisting the authentication token in the checked-out repository’s Git configuration, limiting how long and where credentials exist during the workflow run.[1][2]

Recommended hardening pattern (example):

```yaml
uses: actions/checkout@v4
with:
  persist-credentials: false
```

Why this matters

1) By default, actions/checkout persists the token in local Git config so follow-on git commands can run authenticated; it also notes you can opt out with persist-credentials: false.[1]
2) GitHub’s security footgun discussion and related reports describe that opting out prevents credentials from being left on disk/in Git config after checkout, which reduces exposure to later steps in the job.[3][4]

Important nuance

- persist-credentials: false addresses persistence of the token in the local Git configuration, but it does not remove the fact that GITHUB_TOKEN is available to steps within the job (authorization boundaries should still be handled via least-privilege workflow/job permissions).[5]

If you need additional safeguards

- Combine persist-credentials: false with least-privilege permissions for GITHUB_TOKEN (e.g., avoid write access unless needed), as suggested in the same hardening discussion context.[5]

Citations:


Consider adding persist-credentials: false to harden the checkout step.

Line 28 should include persist-credentials: false to follow GitHub's hardening best practices and prevent credential persistence in the Git config for subsequent steps.

Suggested patch
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
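Review bot: the hunk is right to nest `persist-credentials: false` under a `with:` line indented two spaces deeper than `uses:`, but the "Prompt for AI Agents" text in this same comment says to add the key "at the same indentation as uses", which would put it outside `with:` and is not a valid checkout input; follow the patch, not that sentence. The earlier `# v4` pin this line replaces is not in the hunk, so confirm the job has no later step that relied on the persisted token before applying.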
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/link-check.yml around lines 27 - 28, The Checkout step
currently uses actions/checkout@de0fac2e... but does not set
persist-credentials; update the Checkout job step (the step named "Checkout"
that uses actions/checkout) to add persist-credentials: false under that step so
credentials are not persisted to the repo Git config for subsequent steps, e.g.
add the key persist-credentials: false at the same indentation as uses.

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
