
chore(deps): update actions/checkout action to v4 #14

Merged
merged 1 commit into from
May 9, 2024


renovate[bot]

@renovate renovate bot commented May 8, 2024


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | major | v3.6.0 -> v4.1.5 |

Release Notes

actions/checkout (actions/checkout)

v4.1.5

Compare Source

What's Changed

Full Changelog: actions/checkout@v4.1.4...v4.1.5

v4.1.4

Compare Source

v4.1.3

Compare Source

What's Changed

Full Changelog: actions/checkout@v4.1.2...v4.1.3

v4.1.2

Compare Source

v4.1.1

Compare Source

What's Changed
New Contributors

Full Changelog: actions/checkout@v4.1.0...v4.1.1

v4.1.0

Compare Source

v4.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


github-actions bot commented May 8, 2024

[puLL-Merge] - actions/[email protected]

Here is my review of the PR:

Description

This PR updates the actions/checkout action from v3 to v4. The main changes are:

  • Update to node20 runtime
  • Add support for partial clone filters
  • Several bug fixes and improvements

The motivation seems to be modernizing the action, adding new features like partial clone filters, and fixing some bugs.

Changes


  • .github/dependabot.yml: Added dependabot configuration file
  • .github/workflows/: Updated workflows to use node20 instead of node16, added workflow to publish test-ubuntu-git container image
  • CHANGELOG.md: Added entries for v4.1.4, v4.1.3, v4.1.2, v4.1.1, v4.1.0, v4.0.0 releases
  • README.md: Updated usage examples to reference v4 instead of v3
  • test/: Added tests for new partial clone filter functionality, sparse-checkout disable, and showing fetch progress
  • action.yml: Updated to node20, added new input options for filter, show-progress, ssh-user
  • dist/index.js: Regenerated dist file with source changes
  • images/: Added Dockerfile and documentation for new test-ubuntu-git container image
  • package.json: Bumped version to 4.1.4, updated @types/node dev dependency
  • src/: Source code changes to add filter option, disable sparse-checkout, show progress on fetch, allow configuring ssh user

Security Hotspots

  1. action.yml and dist/index.js allow configuring the ssh user when fetching over ssh. Make sure this doesn't open up any unintended access. The default is still restricted to the git user which is good.

  2. The images/test-ubuntu-git container image should be carefully reviewed to ensure it only contains what is necessary for testing and no additional tools that could be used as an attack vector if compromised.

  3. The new filter option allows partial clones which can be used to drastically reduce the amount of data fetched. This is good for performance but we should verify it doesn't enable any unintended access to parts of the repository.

Overall this looks like a solid, incremental release for v4 of the checkout action. The partial clone filter and sparse-checkout disable are nice additions. Bumping the node runtime to node20 keeps things modern. And the new progress and ssh options add some additional flexibility. Just give a careful look at the few potential security hotspots noted but I don't see anything too concerning. Nice work!

@thypon thypon merged commit 4dd20bf into main May 9, 2024
6 checks passed