chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the dependencies group#416
chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the dependencies group#416dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the dependencies group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v6.0.2...v6.0.3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
Kusari Analysis Results:Caution Flagged Issues Detected The dependency analysis found no concerns. However, the code analysis identified three high-severity supply chain risk issues across ci.yml (lines 15 and 36) and release.yml (line 32). In all three cases, actions/checkout is pinned to a mutable version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be silently redirected by an upstream maintainer or a compromised account to point to malicious code, meaning any workflow run could execute arbitrary code in your CI/CD pipeline without any visible change to your configuration. This is particularly notable because other actions in the same workflows (actions/setup-go, cue-lang/setup-cue) are correctly pinned to commit SHAs, indicating awareness of this security practice — making the unpinned checkouts a clear and addressable gap. We strongly recommend replacing the three occurrences of uses: actions/checkout@v6.0.3 with the corresponding immutable commit SHA before merging. Note View full detailed analysis result for more information on the output and the checks that were run. Required Code Mitigationsactions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
actions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
actions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
Found this helpful? Give it a 👍 or 👎 reaction! |
|
|
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
actions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
|
|
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
actions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6.0.2 | ||
| uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
actions/checkout is pinned to a version tag (v6.0.3) rather than an immutable commit SHA. Version tags can be moved by the upstream maintainer, exposing this workflow to supply chain attacks. Pin this action to a specific commit SHA instead.
|
|
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
| - uses: actions/checkout@v6.0.3 | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
|
|
||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
| - uses: actions/checkout@v6.0.3 | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6.0.2 | ||
| uses: actions/checkout@v6.0.3 |
There was a problem hiding this comment.
| uses: actions/checkout@v6.0.3 | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
|
Looks like actions/checkout is no longer updatable, so this is no longer needed. |
Bumps the dependencies group with 1 update: actions/checkout.
Updates
actions/checkoutfrom 6.0.2 to 6.0.3Release notes
Sourced from actions/checkout's releases.
Commits
df4cb1cUpdate changelog for v6.0.3 (#2446)1cce339Fix checkout init for SHA-256 repositories (#2439)900f221fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)0c366fdUpdate changelog (#2357)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions