build(deps): bump actions/checkout from 4.3.1 to 6.0.2 #35
@@ -16,7 +16,7 @@ jobs: | |
| name: fmt | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 | ||
Review comment

Analysis chain

Script executed: `cat -n .github/workflows/ci.yml | head -60`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 2574

Web query:
Result: For actions/checkout v6.0.2, the release commit SHA is de0fac2e4500dabe0009e67214ff5f5447ce83dd. This is shown as the first (and main) commit in the compare page v6.0.1...v6.0.2, where the commit list includes “de0fac2: Fix tag handling: preserve annotations and explicit fetch-tags” for the v6.0.2 release, and matches the digest-pinning shown publicly for v6.0.2.
Cited evidence:
- The actions/checkout compare page v6.0.0...v6.0.2 lists “de0fac2” as the commit corresponding to the v6.0.2 release (“Fix tag handling: preserve annotations and explicit fetch-tags”). [1]
- A public guidance post pinning actions/checkout v6.0.2 shows the full SHA as de0fac2e4500dabe0009e67214ff5f5447ce83dd. [2]
- The official release tag page for v6.0.2 is published 2026-01-09 and points to the v6.0.2 tag. [3]
Answer: de0fac2e4500dabe0009e67214ff5f5447ce83dd [1][2][3]
Citations:

Web query:
Result: Best practice: set
Citations:

Pin checkout actions to commit SHA and disable credential persistence.

Lines 19, 29, and 49 use a mutable tag (

Suggested patch:

```
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
```

Also applies to: 29-29, 49-49

Tools: zizmor (1.25.2)
- [warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
- [error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | ||
| with: | ||
| components: rustfmt | ||
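Review bot: `actions/checkout@v6.0.2` on the `+` line is still a tag reference, which the upstream repository can move, so this hunk does not actually close the `unpinned-uses` finding. The commitlint, dependency-review and link-check hunks in this same PR use the full commit with a version comment, `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, and the `dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable` step two lines below already follows that form, so the fmt job should match. Since fmt only runs rustfmt and never pushes, give the step a `with: persist-credentials: false` block at the same time.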
@@ -26,7 +26,7 @@ jobs: | |
| name: clippy | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | ||
| with: | ||
| components: clippy | ||
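Review bot: Same tag-only pin in the clippy job; as this PR edits all three ci.yml checkout lines, change them in one commit so the file does not end up with a mix of tag and SHA pins. The checkout step has no `with:` block of its own (the `with: components: clippy` that follows belongs to `dtolnay/rust-toolchain`), so `persist-credentials: false` needs a new `with:` block indented under the checkout line rather than an extra key in the existing one.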
@@ -46,7 +46,7 @@ jobs: | |
| name: leptos build | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | ||
| with: | ||
| targets: wasm32-unknown-unknown | ||
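Review bot: The leptos build job carries the same tag-only `actions/checkout@v6.0.2`; a job that only compiles to `wasm32-unknown-unknown` needs read access to the tree and nothing more, so pin it to the commit used elsewhere in this PR and add `persist-credentials: false`. Note that the `with: targets: wasm32-unknown-unknown` block below is an input of `dtolnay/rust-toolchain`, not of checkout, so the new `with:` block must sit under the checkout step.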
@@ -22,7 +22,7 @@ jobs: | |||||||||
| matrix: | ||||||||||
| language: ['javascript-typescript'] | ||||||||||
| steps: | ||||||||||
| - uses: actions/checkout@v6 | ||||||||||
| - uses: actions/checkout@v6.0.2 | ||||||||||
Review comment

Analysis chain

Script executed: `fd -t f codeql.yml`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 58

Script executed:

```shell
# Check if the file exists and examine its content
if [ -f .github/workflows/codeql.yml ]; then
  cat -n .github/workflows/codeql.yml
else
  echo "File not found"
fi
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 1030

Script executed:

```shell
# Also check what other workflows exist for consistency context
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory"
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 629

Web query:
Result: actions/checkout@v6.0.2 points to commit de0fac2e4500dabe0009e67214ff5f5447ce83dd. Evidence: the repository’s comparison page for v6.0.0...v6.0.2 lists “de0fac2: Fix tag handling: preserve annotations and explicit fetch-tags (
Citations:

Script executed:

```shell
# Check other workflow files to see if they use checkout and how
grep -r "actions/checkout" .github/workflows/
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 865

Web query:
Result: Best practice: set persist-credentials: false on actions/checkout unless the workflow step needs to run authenticated git operations that require a credential to be stored (e.g., pushing back to the repo). This reduces the risk that the checkout token/credentials remain available to later steps in the job.

Evidence from official/authoritative sources:
- actions/checkout persists an auth token into the local git configuration to enable authenticated git commands, and you can opt out with persist-credentials: false. [1]
- OWASP’s GitHub Actions Security Cheat Sheet explicitly recommends using actions/checkout with persist-credentials: false unless needed for git operations, to prevent Git credentials from being persisted and to reduce credential exposure risk. [2]
- The actions/checkout project documents that when persist-credentials is enabled, the token is stored locally, enabling git push/fetch/etc., and removed during post-job cleanup; disabling it opts out of persistence. [1]

Practical guidance (what to do):
- For “read-only” workflows (build, test, lint, scan) that don’t need to push commits/tags from within the workflow, use:

```yaml
uses: actions/checkout@v5
with:
  persist-credentials: false
```

- For workflows that must push (e.g., automated version bumps, release commits, git push), keep persist-credentials enabled (or otherwise ensure you authenticate for the push), because disabling it will prevent authenticated git commands that rely on the persisted credential. [1][2]

Why this matters:
- Persisting credentials increases the chance that other steps or compromised dependencies/scripts can access them from the git config on disk, which expands the blast radius inside a workflow. This security concern is discussed by the actions/checkout maintainers/community and is one of the reasons persist-credentials exists and is recommended for hardening. [3][2]
Citations:

Script executed:

```shell
# Check if any workflow currently uses persist-credentials
grep -r "persist-credentials" .github/workflows/
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 58

Harden checkout reference and token handling in CodeQL job.

Line 25 should be commit-SHA pinned and include

Suggested patch:

```
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
```

Tools: zizmor (1.25.2)
- [warning] 25-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
- [error] 25-25: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
| - uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4 | ||||||||||
| with: | ||||||||||
| languages: ${{ matrix.language }} | ||||||||||
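Review bot: In the CodeQL job the `github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4` step right after checkout is SHA-pinned, which leaves `actions/checkout@v6.0.2` as the one mutable reference in this hunk; pin it to the commit the other files in this PR use and add `persist-credentials: false`, since the analysis only needs to read the `javascript-typescript` sources listed in the matrix.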
@@ -13,7 +13,7 @@ jobs: | |||||||||||||||
| name: commitlint | ||||||||||||||||
| runs-on: ubuntu-22.04 | ||||||||||||||||
| steps: | ||||||||||||||||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||||||||||||||||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||||||||
| with: | ||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||
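Review bot: The pin itself is right here: full commit with a `# v6.0.2` comment, which keeps the version visible for future update tooling. Two follow-ups: `fetch-depth: 0` is needed for commitlint's commit-range check, but pair it with `persist-credentials: false` in the same `with:` block, since it is the persisted token, not the history depth, that the `artipacked` warning flags; and the PR title says "from 4.3.1 to 6.0.2" while this file was at `# v5` and the ci/codeql/gitleaks files at the `v6` tag, so the description should list the per-file jumps rather than a single range.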
Comment on lines +16 to 18

Review comment

Analysis chain

Script executed:

```shell
# First, locate and read the commitlint.yml file
fd -e yml -e yaml | grep -i commitlint
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 58

Script executed:

```shell
# Read the commitlint workflow file
cat .github/workflows/commitlint.yml
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 535

Web query:
Result: Best practice: in most workflows, set actions/checkout with persist-credentials: false unless you specifically need authenticated git operations that require the persisted credential. This reduces the chance that any later compromised step can read a token from git configuration.

How persist-credentials works (and what to watch)
1) Persisting credentials means the token (GITHUB_TOKEN or a provided token/SSH key) is stored so subsequent commands can use it. actions/checkout documents that the auth token is persisted in local git config and removed during post-job cleanup, and you can opt out via persist-credentials: false [1][2].
2) GitHub security guidance (via OWASP) explicitly recommends using actions/checkout with persist-credentials: false to reduce credential exposure if the workflow is compromised [3].

Recommended hardening pattern
- Always pin to a modern major version (e.g., v4) of actions/checkout and disable credential persistence unless needed:

```yaml
uses: actions/checkout@v4
with:
  persist-credentials: false
```

This mitigation is described by the OWASP guidance and common security checklists for GitHub Actions [3][4].

When you might keep persist-credentials enabled
- If your job genuinely needs authenticated git operations via the checked-out repo’s configured credential (e.g., pushing commits/tags or other git write operations performed later in the same job), persist-credentials can be required because it “enables your scripts to run authenticated git commands” [1][2]. In that case, compensate with least-privilege workflow permissions for the token [5][6] and other GitHub Actions hardening.

Bottom line
- Default to persist-credentials: false for defense in depth [3].
- Turn it on only when you have a concrete need for authenticated git commands from later steps, and in that case apply least-privilege permissions for GITHUB_TOKEN [5][6].
Citations:

Add

Lines 16–18 should explicitly disable persisted checkout credentials; commitlint performs only validation without requiring any authenticated git operations.

Suggested patch:

```
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
+ persist-credentials: false
```

Tools: zizmor (1.25.2)
- [warning] 16-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
@@ -19,7 +19,7 @@ jobs: | |||||||||
| name: Dependency review | ||||||||||
| runs-on: ubuntu-22.04 | ||||||||||
| steps: | ||||||||||
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||||||||||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||
Review comment

Analysis chain

Script executed: `cd .github/workflows && ls -la dependency-review.yml && wc -l dependency-review.yml`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 172

Script executed: `cat -n .github/workflows/dependency-review.yml`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 1396

Web query:
Result: actions/checkout@v6 with `with: persist-credentials: false` opts out of persisting the workflow auth token/SSH key into the checked-out repository’s local git configuration, which helps reduce the chance that later steps can access those credentials from disk.

Evidence (from actions/checkout and its action metadata):
- The action documentation explains that “The auth token is persisted in the local git config… The token is removed during post-job cleanup. Set persist-credentials: false to opt-out.” [1]
- The action metadata describes persist-credentials as “Whether to configure the token or SSH key with the local git config” with default true. [2]
- Community/security discussion notes the practical risk: if persist-credentials isn’t disabled, workflows can make it easier for later code to read the stored token from the checkout’s git config (e.g., after checkout). [3][4]

Recommended use (security hardening):
- If you don’t need authenticated git operations (push, fetching with auth, etc.), set:

```yaml
- uses: actions/checkout@v6
  with:
    persist-credentials: false
```

- Also follow least-privilege for the workflow token (GITHUB_TOKEN permissions) because persist-credentials: false only addresses whether the credential is written into local git config; it doesn’t reduce the intrinsic risk of over-scoped tokens. [3][5]

Sources:
- [1] https://github.com/actions/checkout/blob/main/README.md
- [2] https://github.com/actions/checkout/blob/master/action.yml
- [3] actions/checkout#485
- [4] https://yossarian.net/til/post/actions-checkout-can-leak-github-credentials/
Citations:

Web query:
Result: The GitHub Actions checkout action’s input documentation for persist-credentials is:
1) Input name and meaning
- Parameter: persist-credentials
- Description: “Whether to configure the token or SSH key with the local git config” [1].
2) Default value
- The action.yml defines default: true for persist-credentials [1].
3) What “persist-credentials: true/false” does
- With the default behavior (token/credentials configured locally), the auth token is persisted in the local git config so scripts can run authenticated git commands; the token is removed during post-job cleanup [2][3].
- You can opt out by setting persist-credentials: false [2][3].
4) Security/implementation note (how it is persisted)
- The checkout README notes an improvement to credential security: persist-credentials now stores credentials in a separate file under $RUNNER_TEMP instead of directly in .git/config [2][4].

Example usage

```yaml
uses: actions/checkout@v4
with:
  persist-credentials: false
```

Source: actions/checkout README and action.yml input definition [2][1].
Citations:

Disable credential persistence in checkout action for improved security.

Line 22 should set

Suggested patch:

```
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
```

Tools: zizmor (1.25.2)
- [warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
| - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 | ||||||||||
| with: | ||||||||||
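Review bot: Pin is correct and consistent with the `actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4` step below. The job only reads the dependency manifests to compare them, so add a `with: persist-credentials: false` block under the checkout line; there is no existing `with:` on this step (the `with:` that follows belongs to dependency-review-action), so it is a new block, not an extra key.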
@@ -29,7 +29,7 @@ jobs: | |||||||||||||||
| name: gitleaks (secret scan) | ||||||||||||||||
| runs-on: ubuntu-22.04 | ||||||||||||||||
| steps: | ||||||||||||||||
| - uses: actions/checkout@v6 | ||||||||||||||||
| - uses: actions/checkout@v6.0.2 | ||||||||||||||||
| with: | ||||||||||||||||
| fetch-depth: 0 # full history so commit-range scan covers the whole tree | ||||||||||||||||
Comment on lines +32 to 34

Review comment

Analysis chain

Script executed: `find . -type f -name "gitleaks.yml" | head -5`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 109

Script executed: `cat -n .github/workflows/gitleaks.yml`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 2080

Web query:
Result: I couldn’t find a source that explicitly states the commit SHA that the Git tag v6.0.2 points to. What I did find:
- The official repository page shows that v6.0.2 is the latest release (released 2026-01-09) [1].
- The official changelog and release comparison pages exist for v6.0.2 and reference the version, but the excerpts available to me don’t include the tag-to-commit SHA mapping [2][3].
- The compare page (v6.0.0...v6.0.2) lists the commits that were added between those tags, but again it does not directly label which commit corresponds to the v6.0.2 tag itself in the snippet I can access [3].
If you want, I can do one more targeted search specifically for the v6.0.2 tag object/commit (e.g., the URL pattern /releases/tag/v6.0.2 or /tree/v6.0.2?tab=readme) to extract the exact SHA from GitHub’s page HTML/metadata.
Citations:

Script executed:

```shell
# Try to find the exact commit SHA for v6.0.2 of actions/checkout
python3 << 'EOF'
import json
import subprocess
# Use git ls-remote to find the commit SHA for the v6.0.2 tag
# This works for any public GitHub repo
result = subprocess.run(
    ['git', 'ls-remote', '--tags', 'https://github.com/actions/checkout', 'v6.0.2'],
    capture_output=True,
    text=True
)
print("git ls-remote output:")
print(result.stdout)
print(result.stderr)
EOF
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 158

Web query:
Result: Recommended security setting: set
Citations:

Web query:
Result: The release tag v6.0.2 of actions/checkout points to commit SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd, and this commit corresponds to the change “Fix tag handling: preserve annotations and explicit fetch-tags (
Citations:

Use immutable checkout pin and turn off persisted credentials.

Lines 32–34 should pin

Suggested patch:

```
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0 # full history so commit-range scan covers the whole tree
+ persist-credentials: false
```

Tools: zizmor (1.25.2)
- [warning] 32-34: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
- [error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
| - name: Install gitleaks | ||||||||||||||||
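Review bot: `actions/checkout@v6.0.2` on the `+` line is tag-only, while this step's `with:` block already takes a full-history checkout (`fetch-depth: 0`) for the commit-range scan; a secret-scanning job should be the last place where the checked-out tree carries a live token, so pin to the commit used in the commitlint hunk and append `persist-credentials: false` to the existing `with:` block. Nothing in the visible context of the job (`Install gitleaks` follows) performs an authenticated git write that would need the persisted credential.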
@@ -25,7 +25,7 @@ jobs: | |||||||||||||||
| runs-on: ubuntu-22.04 | ||||||||||||||||
| steps: | ||||||||||||||||
| - name: Checkout | ||||||||||||||||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||||||||||||||||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||||||||||||||||
Comment on lines 27 to +28

Review comment

Analysis chain

Script executed: `cat -n .github/workflows/link-check.yml`
Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 1419

Web query:
Result: Best practice for GitHub Actions: set actions/checkout with
Citations:

Consider adding

Line 28 should include

Suggested patch:

```
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
```

Tools: zizmor (1.25.2)
- [warning] 27-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
| - name: Run lychee | ||||||||||||||||
| uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 | ||||||||||||||||
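Review bot: This is a two-major jump, `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` straight to `# v6.0.2`, so the release notes between v4 and v6 should be checked against the `ubuntu-22.04` runner this job uses, not just the v6.0.2 patch notes. The step uses the `- name: Checkout` / `uses:` form, so `persist-credentials: false` goes in a `with:` block indented under `uses:`; lychee only reads the files it link-checks and needs no token in the tree.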
Review comment

Analysis chain

Script executed:

```shell
# First, let's read the cargo-deny.yml file to see the current state
cat -n .github/workflows/cargo-deny.yml
```

Repository: Sentriscloud/sentrix-explorer-v2
Length of output: 953

Web query: GitHub Actions actions/checkout persist-credentials security best practice
Result: Best practice for actions/checkout persist-credentials (as of 2026-05-20):
1) Prefer not persisting credentials unless you truly need authenticated git push/write
- actions/checkout persists the auth token in the local git config “to enable your scripts to run authenticated git commands” and you can disable it with persist-credentials: false to opt out [1].
- Security hardening guidance is to set persist-credentials: false for checkout steps that don’t need authenticated git operations (build/test/scan, etc.) [2].
2) If you need git push/write, scope persistence to the smallest set of steps/jobs that require it
- Persisting credentials is only needed when subsequent steps run authenticated git commands; the token is removed during post-job cleanup [1].
3) Always apply least-privilege for GITHUB_TOKEN permissions (often the most important control)
- GitHub lets you set workflow/job-level permissions for GITHUB_TOKEN, and any permission absent from the list is set to none [3].
- GitHub also states it generates a new token per job and expires it when the job completes [3].

Example hardening pattern
- Read-only workflow step:

```yaml
uses: actions/checkout@v4
with:
  persist-credentials: false
permissions:
  contents: read
```

4) Note on current implementation
- As part of security improvements, persist-credentials now stores persisted credentials in a separate config file under $RUNNER_TEMP (instead of directly in .git/config), to isolate sensitive data [4].

Bottom line: set persist-credentials: false for checkout steps that don’t need authenticated git write operations; for workflows that still need writes, limit persistence to only those steps and combine it with restrictive GITHUB_TOKEN permissions.
Citations:

Set persist-credentials: false to avoid unnecessary credential persistence.

Line 22 should add persist-credentials: false since this job performs read-only operations (cargo-deny checks) and doesn't require authenticated git access. This follows GitHub's security hardening best practices to disable credential persistence for workflows that don't need authenticated git writes.

Suggested patch:

Tools: zizmor (1.25.2)
- [warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
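An added audit script (mine, not the project's and not the review bot's tooling) that implements the two checks the comments on this PR keep raising: `uses:` references that are not a 40-hex commit, and `actions/checkout` steps that leave `persist-credentials` at its default. The sample workflow is constructed from the step shapes in this PR's hunks, the rule names borrow the zizmor labels quoted in the comments, and the `- name:`/`uses:` handling assumes the usual two-space YAML list layout.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the checkout steps in this PR's hunks; not the repo's real files.
SAMPLE_WORKFLOW = """\
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
  commitlint:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
  link-check:
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run lychee
        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass
class Finding:
    line: int    # 1-based line of the `uses:` entry
    rule: str    # "unpinned-uses" or "artipacked", after the zizmor rule names quoted above
    target: str  # the owner/repo@ref reference as written


def _step_lines(lines: list[str], start: int, step_indent: int) -> list[str]:
    """One list item: lines below `start` indented deeper than its `-`, up to a sibling `-` or dedent."""
    block = [lines[start]]
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent < step_indent or (indent == step_indent and line.lstrip().startswith("-")):
            break
        block.append(line)
    return block


def audit_workflow(text: str) -> list[Finding]:
    """Flag `uses:` refs that are not a full commit, and checkout steps that keep the token."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        indent, dash, target = m.groups()
        # `- uses:` carries its own dash; `uses:` under `- name:` sits two columns deeper
        # (assumes the usual two-space YAML list layout).
        step_indent = len(indent) if dash else len(indent) - 2
        action, _, ref = target.partition("@")
        if not action.startswith("./") and not SHA40.match(ref):
            findings.append(Finding(i + 1, "unpinned-uses", target))
        if action == "actions/checkout":
            if not any(PERSIST_OFF.match(l) for l in _step_lines(lines, i, step_indent)):
                findings.append(Finding(i + 1, "artipacked", target))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the tag-only fmt checkout twice (unpinned and token kept) and the SHA-pinned link-check checkout once (token kept), matching what zizmor said about the corresponding files.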