ci: bump actions/checkout from 6.0.2 to 6.0.3

[dependabot]

Bumps actions/checkout from 6.0.2 to 6.0.3.

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow dependencies to use the latest checkout action version across CI and release pipelines.

[coderabbitai]

📝 Walkthrough

Walkthrough

Both the CI and release GitHub Actions workflows are updated to pin actions/checkout to version v6.0.3, replacing the previous v6.0.2 pin. No workflow logic, job structure, or trigger conditions are changed.

Changes

GitHub Actions Updates

Layer / File(s)	Summary
Checkout action version pins .github/workflows/ci.yml, .github/workflows/release.yml	actions/checkout is pinned to v6.0.3 in both the CI workflow (line 15) and release workflow (line 42), replacing the v6.0.2 pins.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 The checkout action hops to v6.0.3,
Consistent pinning across CI and release,
A tiny update, swift and clean—
The most stable workflows we've ever seen!
✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: bumping the actions/checkout dependency from version 6.0.2 to 6.0.3 across CI workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/actions/checkout-6.0.3

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 42: The checkout step using "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" in the release
workflow should set persist-credentials: false; update the checkout step in the
build job to include persist-credentials: false so the workflow does not persist
the GITHUB_TOKEN to local git config (keep the same uses reference and add the
persist-credentials key under that step).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eeebcef4-d2f0-47a3-90eb-a286a49d0738

📥 Commits

Reviewing files that changed from the base of the PR and between 0c036d9 and 6465de9.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout steps missing persist-credentials hardening.
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows \
  && rg -n -C2 'persist-credentials:\s*false' .github/workflows

Repository: gominimal/kittyview

Length of output: 772

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release.yml around checkout (lines 30-80) ==="
nl -ba .github/workflows/release.yml | sed -n '30,90p'

echo
echo "=== Any artifact handling in release.yml ==="
rg -n "upload-artifact|download-artifact|artifact" .github/workflows/release.yml || true

echo
echo "=== Any other checkout steps with persist-credentials in workflows ==="
rg -n "persist-credentials:" .github/workflows || true

Repository: gominimal/kittyview

Length of output: 174

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release.yml around checkout (lines 30-80) ==="
awk 'NR>=30 && NR<=80 {print NR ":" $0}' .github/workflows/release.yml

echo
echo "=== Any artifact handling in release.yml ==="
rg -n "upload-artifact|download-artifact|artifact" .github/workflows/release.yml || true

echo
echo "=== Any checkout steps with persist-credentials in workflows ==="
rg -n "persist-credentials:" .github/workflows || true

Repository: gominimal/kittyview

Length of output: 2226

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== release.yml lines 70-160 ==="
awk 'NR>=70 && NR<=160 {print NR ":" $0}' .github/workflows/release.yml

echo
echo "=== Any actions/checkout@ usage in release.yml ==="
rg -n "uses:\s*actions/checkout@" .github/workflows/release.yml

Repository: gominimal/kittyview

Length of output: 1138

---

Add persist-credentials: false to checkout in the release workflow.

actions/checkout in the build job (line 42) runs before artifact packaging/upload, and it currently doesn’t disable persisting the token to the local git config.

Suggested patch

-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
	- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
	with:
	persist-credentials: false

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 42-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 42, The checkout step using "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" in the release
workflow should set persist-credentials: false; update the checkout step in the
build job to include persist-credentials: false so the workflow does not persist
the GITHUB_TOKEN to local git config (keep the same uses reference and add the
persist-credentials key under that step).

Source: Linters/SAST tools