build(deps): Bump actions/checkout from 4.2.2 to 6.0.2#3103

Merged
julienrbrt merged 2 commits into main from dependabot/github_actions/main/actions/checkout-6.0.2 on Feb 24, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Feb 23, 2026

Bumps actions/checkout from 4.2.2 to 6.0.2.

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4.2.2...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build      Format      Lint       Breaking   Updated (UTC)
✅ passed  ⏩ skipped  ✅ passed  ✅ passed  Feb 24, 2026, 9:48 AM

@julienrbrt julienrbrt merged commit 81d3558 into main Feb 24, 2026
25 of 28 checks passed
claude bot commented Feb 24, 2026

Claude finished @julienrbrt's task in 1m 35s

Code Review: actions/checkout v4.2.2 → v6.0.2

  • Gather context and analyze changed files
  • Review workflow changes
  • Assess security and compatibility implications
  • Final summary

Summary

This PR is a dependabot-generated bump of actions/checkout from v4.2.2 to v6.0.2 across 18 workflow files. The changes are mechanically straightforward — all version references are updated consistently. The PR has already been merged, passed CI (buf-check) and was approved by @julienrbrt.


Notable Observations

1. Inconsistent Action Pinning Strategy (Security)

benchmark.yml:19 uses a full SHA hash pin:

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

All other 17 files use a floating version tag:

- uses: actions/checkout@v6.0.2

This inconsistency likely reflects that benchmark.yml was previously pinned by a tool like pin-github-action or Renovate, while the rest were not. Tag-based references are mutable — a compromised or force-pushed tag could silently substitute malicious code in CI. For workflows with elevated permissions (e.g., dependabot-auto-fix.yml with contents: write and pull-requests: write), hash pinning is particularly important.

Recommendation: Standardize all workflow files to use SHA hash pinning. Tools like Renovate or pin-github-action can automate this.

2. v6 Security Improvement Worth Noting

The key change in v6.0.0 is that persist-credentials now stores git credentials under $RUNNER_TEMP instead of directly in .git/config. This reduces the risk of credentials leaking via git config inspection within a workflow step. This is a genuine security improvement and a good reason to upgrade.

3. Major Version Jump (v4 → v6)

The PR skips v5. This is fine — v5 and v6 both moved to Node.js 24. v6 adds the credential storage improvement over v5. The compatibility score badge in the PR description confirms Dependabot validated the transition.

Runtime requirement: v6 requires Actions Runner ≥ v2.329.0. GitHub-hosted runners are auto-updated, so this is not a concern unless self-hosted runners are in use.

4. High-Permission Workflow Without Hash Pinning

.github/workflows/dependabot-auto-fix.yml has contents: write + pull-requests: write permissions and uses the mutable @v6.0.2 tag reference. This is the highest-risk combination — an action supply-chain compromise here could push malicious commits to branches.

5. Minor: git add -A in dependabot-auto-fix.yml

Unrelated to this PR but worth flagging: dependabot-auto-fix.yml:36 uses git add -A which stages all untracked files, including any sensitive files that may have been created during the workflow run. A more targeted git add go.mod go.sum **/go.mod **/go.sum would be safer.


Verdict

The version bump itself is correct and the changes are consistent across all affected files. The v6 upgrade brings a meaningful security improvement for credential handling. No blocking issues with the changes themselves. The inconsistency in pinning strategy is a pre-existing concern worth addressing separately.
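
The pinning and permissions points raised in the review above can be turned into a repeatable check. The script below is an added illustration, not code from this PR, from the project, or from the review bot: it scans workflow text for `uses:` references that point at a tag rather than a 40-hex commit SHA, and marks as high risk any such reference that sits in a workflow declaring a `write` permission (the combination the review calls out for dependabot-auto-fix.yml). It is a line-oriented scan rather than a full YAML parser, treats any `write` entry anywhere in the file as making the whole file write-capable (a deliberate, conservative assumption), and the three sample workflows are constructed, modelled on the files the review names; the SHA in the benchmark sample is the one quoted in the review.

```python
"""Flag mutable GitHub Actions references, and rank them by workflow permissions.

Added example (not the project's code): line-oriented scan, not a YAML parser.
"""
import re
from dataclasses import dataclass

# A pinned reference is a full 40-hex commit SHA; anything else (v6.0.2, main) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref   # optional trailing comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# `  contents: write` style entries inside a permissions block
PERM_WRITE_RE = re.compile(r"^\s+[\w-]+:\s*write\s*$")


@dataclass
class Finding:
    file: str
    line: int
    action: str
    ref: str
    pinned: bool
    has_write_permission: bool


def workflow_has_write_permissions(text: str) -> bool:
    """True if any permissions block (top level or per job) grants write access."""
    in_perms, perm_indent = False, 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("permissions:"):
            if stripped[len("permissions:"):].strip() == "write-all":  # inline shorthand
                return True
            in_perms, perm_indent = True, indent
            continue
        if in_perms:
            if indent <= perm_indent:          # dedented: left the block
                in_perms = False
            elif PERM_WRITE_RE.match(line):
                return True
    return False


def scan_workflow(name: str, text: str) -> list:
    """One Finding per external `uses:` reference in the workflow text."""
    write = workflow_has_write_permissions(text)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local (./path) and docker:// actions carry no tag to pin; skip them.
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        findings.append(Finding(name, lineno, action, ref, bool(SHA_RE.match(ref)), write))
    return findings


def scan_all(workflows: dict) -> list:
    return [f for name, text in workflows.items() for f in scan_workflow(name, text)]


def unpinned(findings: list) -> list:
    return [f for f in findings if not f.pinned]


def high_risk(findings: list) -> list:
    """Mutable reference inside a workflow that can write to the repo or its PRs."""
    return [f for f in findings if not f.pinned and f.has_write_permission]


# Constructed sample workflows, modelled on the files named in the review.
SAMPLE_WORKFLOWS = {
    "benchmark.yml": """\
jobs:
  bench:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
""",
    "dependabot-auto-fix.yml": """\
permissions:
  contents: write
  pull-requests: write
jobs:
  fix:
    steps:
      - uses: actions/checkout@v6.0.2
      - run: go mod tidy
""",
    "lint.yml": """\
permissions:
  contents: read
jobs:
  lint:
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: ./.github/actions/setup-go
""",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_WORKFLOWS):
        status = "ok" if f.pinned else ("HIGH RISK" if f.has_write_permission else "unpinned")
        print(f"{f.file}:{f.line} {f.action}@{f.ref} -> {status}")
```

Run against a real checkout, the same functions can be fed `{path.name: path.read_text() for path in Path(".github/workflows").glob("*.yml")}`; the high-risk list is the one to fix first, and the trailing `# v6.0.2` comment convention shown in the benchmark sample is what lets tools such as Renovate or pin-github-action keep SHA pins readable and up to date.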

@julienrbrt julienrbrt deleted the dependabot/github_actions/main/actions/checkout-6.0.2 branch February 24, 2026 09:49
codecov bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.90%. Comparing base (a5ef771) to head (30fb305).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3103      +/-   ##
==========================================
- Coverage   60.97%   60.90%   -0.08%     
==========================================
  Files         113      113              
  Lines       11617    11617              
==========================================
- Hits         7084     7075       -9     
- Misses       3734     3743       +9     
  Partials      799      799              
Flag      Coverage Δ
combined  60.90% <ø> (-0.08%) ⬇️

Flags with carried forward coverage won't be shown.

