Closed renovate[bot] closed 3 months ago
[puLL-Merge] - actions/checkout@v4.1.1..v4.1.3
Here is my code review for this PR:
This PR makes several changes and improvements to the actions/checkout codebase:
- `actions/checkout` in workflows to more stable versions
- `test-ubuntu-git` container image for testing actions/checkout in CI/CD

The motivation seems to be improving the robustness and configurability of the action, especially around newer Git features like sparse checkout.
- `url-helper.ts` is now taking an arbitrary user-provided string (`sshUser`) and injecting it into the Git URL. This could allow specifying a malicious username. However, the risk seems low since this is used only in the context of an SSH URL with a pre-configured key. The other side would still need to accept the auth.
- `test-ubuntu-git` Dockerfile should pin the versions of its base image and any packages installed to avoid supply chain risks from upstream images changing unexpectedly.

Overall this looks like a solid set of improvements. I'd recommend moving forward after considering the minor security points mentioned. Nice work!
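Added example, not code from actions/checkout or from the review above: one way to constrain a user-supplied `sshUser` with an allowlist before it is interpolated into an SSH remote. The function names, the patterns and the scp-style `user@host:owner/repo.git` shape are assumptions made for illustration.

```typescript
// Hypothetical helper names; this is not the project's url-helper.ts.
interface SshUrlParts {
  sshUser: string // user-supplied, treated as untrusted
  host: string
  owner: string
  repo: string
}

// Allowlists. The first character is never "-" or ".", so a value cannot be
// read as a command-line option or a relative path component. Characters that
// delimit parts of the remote ("@", ":", "/") and whitespace are excluded.
const SSH_USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$/
const HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/
const SLUG_RE = /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/

function validateSshUser(user: string): string {
  if (!SSH_USER_RE.test(user)) {
    // JSON.stringify makes control characters visible in the error message.
    throw new Error(`invalid ssh user: ${JSON.stringify(user)}`)
  }
  return user
}

function buildSshFetchUrl(p: SshUrlParts): string {
  const user = validateSshUser(p.sshUser)
  if (!HOST_RE.test(p.host)) throw new Error('invalid host')
  if (!SLUG_RE.test(p.owner)) throw new Error('invalid owner')
  if (!SLUG_RE.test(p.repo)) throw new Error('invalid repo')
  return `${user}@${p.host}:${p.owner}/${p.repo}.git`
}

// Convenience wrapper: true when the user value passes validation.
function isAcceptedSshUser(sshUser: string): boolean {
  try {
    buildSshFetchUrl({sshUser, host: 'github.com', owner: 'actions', repo: 'checkout'})
    return true
  } catch {
    return false
  }
}
```

Rejecting at the point where the URL is built keeps the check next to the interpolation, so a later caller cannot bypass it by passing the value through a different input path.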
This PR contains the following updates:
v4.1.1 -> v4.1.3
Release Notes
actions/checkout (actions/checkout)
### [`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3

### [`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@dscho](https://togithub.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

Configuration
Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.