Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update actions/checkout action to v4 #52

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented May 8, 2024

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v3.6.0 -> v4.2.2

Release Notes

actions/checkout (actions/checkout)

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.7

Compare Source

v4.1.6

Compare Source

v4.1.5

Compare Source

What's Changed

Full Changelog: actions/checkout@v4.1.4...v4.1.5

v4.1.4

Compare Source

v4.1.3

Compare Source

What's Changed

Full Changelog: actions/checkout@v4.1.2...v4.1.3

v4.1.2

Compare Source

v4.1.1

Compare Source

What's Changed
New Contributors

Full Changelog: actions/checkout@v4.1.0...v4.1.1

v4.1.0

Compare Source

v4.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link

github-actions bot commented May 8, 2024

[puLL-Merge] - actions/[email protected]

Description

This PR makes several changes to the actions/checkout repository, including:

  • Updating the default Node version to 20.x
  • Adding a new filter option to partially clone the repository
  • Adding a new show-progress option to control fetch progress output
  • Disabling sparse-checkout when not explicitly enabled
  • Adding dependabot config for automated dependency updates
  • Updating test workflows and adding a new test-ubuntu-git container image

The motivation for these changes appears to be:

  • Keeping actions/checkout up-to-date with the latest Node.js runtime
  • Providing more flexibility and control over the checkout process with new filter and show-progress options
  • Ensuring proper behavior when sparse-checkout is not used
  • Automating dependency management with dependabot
  • Improving the robustness of the test suite
Changes

Changes

.github/dependabot.yml:

  • Added new dependabot configuration for automated npm and GitHub Actions dependency updates

.github/workflows/check-dist.yml:

  • Updated Node.js version from 16.x to 20.x

.github/workflows/test.yml:

  • Updated actions/checkout version to v4.1.1 in some steps
  • Added a new step to test the new filter option
  • Added a new step to test disabling sparse-checkout in an existing checkout
  • Updated the test-proxy job to use a new test-ubuntu-git container image

.github/workflows/update-main-version.yml:

  • Added v4 as a new major version option
  • Updated the actions/checkout version used in the workflow to v4.1.1

.github/workflows/update-test-ubuntu-git.yml:

  • Added new workflow to build and publish the test-ubuntu-git container image

images/test-ubuntu-git.Dockerfile & images/test-ubuntu-git.md:

  • Added a new Ubuntu-based container image with git pre-installed for testing

src/ & test/ folders:

  • Updated code and tests to support the new filter and show-progress options
  • Added logic to disable sparse-checkout when not explicitly enabled
  • Bumped minimum required git version for sparse-checkout to 2.28

Security Hotspots

  1. High risk: The new filter option allows partially cloning the repository, which could potentially allow leaking sensitive data if not properly validated. The implementation should ensure filter values are properly sanitized.

  2. Medium risk: The bump to Node.js 20.x runtime could introduce new vulnerabilities. The code changes should be thoroughly reviewed and tested, especially around any new or changed dependencies.

  3. Low risk: Allowing dependabot to automatically update dependencies could pull in vulnerable versions if not configured properly. The dependabot configuration should specify safe version ranges and be monitored closely.

Overall, this is a significant set of changes that touch many parts of the codebase. While the new features seem useful, care should be taken in reviewing and testing the security of the new filter option and Node.js 20.x upgrade prior to release. Setting up automated dependency scanning would also help mitigate risks from the dependabot updates.

@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 0c60e0b to 79d99d4 Compare May 8, 2024 21:22
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 79d99d4 to f9050b0 Compare May 20, 2024 21:18
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from f9050b0 to c3011a0 Compare June 16, 2024 22:32
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch 2 times, most recently from 32a959f to d83c744 Compare September 30, 2024 16:49
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from d83c744 to 647b58d Compare October 11, 2024 18:20
@renovate renovate bot force-pushed the renovate/actions-checkout-4.x branch from 647b58d to 7af3131 Compare October 27, 2024 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants