
chore(deps): update actions/checkout action to v4

Open · renovate[bot] opened this issue 1 year ago · 1 comment

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | major | v3.6.0 -> v4.1.7 |

Release Notes

actions/checkout (actions/checkout)

v4.1.7

Compare Source

v4.1.6

Compare Source

v4.1.5

Compare Source

Full Changelog: https://github.com/actions/checkout/compare/v4.1.4...v4.1.5

v4.1.4

Compare Source

v4.1.3

Compare Source

Full Changelog: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3

v4.1.2

Compare Source

v4.1.1

Compare Source

Full Changelog: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1

v4.1.0

Compare Source

v4.0.0

Compare Source


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar May 08 '24 11:05 renovate[bot]

[puLL-Merge] - actions/[email protected]

Here is my review of the PR:

Description

This PR makes several updates and improvements to the actions/checkout action:

  • Bumps the major version to v4
  • Updates to using node20 runtime
  • Adds support for git partial clone filters
  • Adds an option to specify the SSH user
  • Allows disabling progress status output when fetching
  • Fixes an issue with disabling sparse checkout
  • Adds a new test container image and associated workflows
  • Updates workflows, tests, docs and other minor changes

The motivation seems to be adding some new features, fixing bugs, and updating the runtime and dependencies.

Changes

  • .github/dependabot.yml - Adds dependabot config for npm and GitHub Actions dependencies
  • .github/workflows/check-dist.yml - Updates Node.js version to 20.x for the build job
  • .github/workflows/test.yml - Updates Node.js to 20.x, bumps actions/checkout to v4.1.1, adds new test cases for fetch filter and disabled sparse checkout, updates test container image
  • .github/workflows/update-main-version.yml - Adds v4 option for updating main version, pins to actions/[email protected]
  • .github/workflows/update-test-ubuntu-git.yml - New workflow to publish test container image
  • CHANGELOG.md - Adds changelog entries for v4.1.4, v4.1.3, v4.1.2, v4.1.1, v4.1.0, v4.0.0
  • CODEOWNERS - Updates codeowners
  • README.md - Updates to v4, adds docs for new options
  • __test__/* - Updates tests for new functionality
  • action.yml - Bumps to node20, adds new action inputs
  • dist/index.js - Updates compiled JavaScript
  • images/test-ubuntu-git.Dockerfile - New Dockerfile for test container
  • images/test-ubuntu-git.md - Documentation for test container
  • package.json - Bumps version to 4.1.4, updates @types/node
  • src/* - TypeScript source changes for new features and fixes

Security Hotspots

  1. Medium - The new ssh-user input allows specifying an arbitrary SSH username. Need to ensure this doesn't enable command injection or other misuse. Input should be validated.

  2. Low - Several dependencies were bumped, which could introduce new vulnerabilities. The diff doesn't show the exact versions bumped to, so I can't assess further. Dependabot should help keep things patched.

  3. Low - The new test container image and workflow have write permission to packages. Ensure the access token used has least privilege.

Overall the changes look good with useful additions and fixes. I would suggest a careful review of the new ssh-user handling and some more details on the dependency updates before merging. The test coverage also looks solid which is great to see for a new major version. Nice work!

Let me know if you have any other questions!

github-actions[bot] avatar May 08 '24 11:05 github-actions[bot]
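The first hotspot above asks for validation of the ssh-user input before it is spliced into an SSH clone URL. The following TypeScript is an added illustration of that kind of allow-list check; it is not code from actions/checkout or from this PR, and the helper names, the character allow-list and the URL shape are assumptions made for the example.

```typescript
// Added example, not actions/checkout's own code: a conservative allow-list
// check for a user-supplied SSH user name before it is placed into a
// "user@host:repo.git" clone URL. The pattern below is an assumption chosen
// for this illustration, not the action's real validation rule.

// ASCII letters, digits, '_', '.', '-' only; no whitespace, no shell
// metacharacters, no leading '-' (so the value can never look like a
// command-line option), and a bounded length.
const SSH_USER_PATTERN = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$/;

// Returns true only when the candidate user name is inside the allow-list.
function isValidSshUser(user: string): boolean {
  return typeof user === "string" && SSH_USER_PATTERN.test(user);
}

// Builds the clone URL only after the user name passes the check; a rejected
// value raises an error so it never reaches the git command line.
function buildSshUrl(user: string, host: string, repo: string): string {
  if (!isValidSshUser(user)) {
    throw new Error(
      `ssh-user contains characters outside the allow-list: ${JSON.stringify(user)}`
    );
  }
  return `${user}@${host}:${repo}.git`;
}

// Stand-alone usage with constructed sample values.
console.log(buildSshUrl("git", "github.com", "example-org/example-repo"));
console.log(isValidSshUser("git;id")); // false: ';' is not in the allow-list
```

Rejecting rather than escaping keeps the check simple to reason about: any input that is not plainly a user name is refused before the URL is assembled, which covers the command-injection concern the reviewer raises without depending on how the downstream git invocation quotes its arguments.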