Bump actions/checkout from 4 to 5

[dependabot]

Bumps actions/checkout from 4 to 5.

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

New Contributors

• @​Jcambass made their first contribution in actions/checkout#1919

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Resolves #2238
Resolves #2226
Resolves actions/checkout#2226
Resolves actions/checkout#2238
Resolves actions/checkout#1971
Resolves actions/checkout#1977
Resolves actions/checkout#2043
Resolves actions/checkout#2044
Resolves actions/checkout#2194
Resolves actions/checkout#2224
Resolves actions/checkout#2236
Resolves actions/checkout#2237
Resolves actions/checkout#1941
Resolves actions/checkout#1946
Resolves actions/checkout#1924
Resolves actions/checkout#1919
Resolves actions/checkout#1180
Resolves actions/checkout#1777
Resolves actions/checkout#1872
Resolves actions/checkout#1739
Resolves actions/checkout#1697
Resolves actions/checkout#1774
Resolves actions/checkout#1776
Resolves actions/checkout#1732
Resolves actions/checkout#1703
Resolves actions/checkout#1694
Resolves actions/checkout#1696
Resolves actions/checkout#1695
Resolves actions/checkout#1707
Resolves actions/checkout#1692
Resolves actions/checkout#1688
Resolves actions/checkout#1693
Resolves actions/checkout#1643

[github-actions]

🤖 Claude PR Review

PR Review Results

This PR updates the GitHub Actions checkout action from v4 to v5. Here's the review against your checklist:

Code Quality

• ✅ Code follows our style guide - The YAML syntax is correct and follows GitHub Actions conventions
• ✅ No commented-out code - Clean, no commented code present
• ✅ Meaningful variable names - N/A for this change (no new variables introduced)
• ✅ DRY principle followed - N/A for this change (simple version bump)

Testing

• ❌ Unit tests for new functions - No tests included, but this is a dependency version update
• ❌ Integration tests for new endpoints - N/A (no new endpoints)
• ❌ Edge cases covered - N/A for dependency update
• ❌ Test coverage > 80% - N/A for workflow configuration change

Note: For a GitHub Actions dependency update like this, traditional unit/integration tests don't apply. The workflow itself should be tested by running it in a PR to verify compatibility.

Documentation

• ❌ README updated if needed - No README update provided. Should document why v5 was chosen
• ❌ API docs updated - N/A (no API changes)
• ❌ Inline comments for complex logic - N/A (no complex logic added)
• ❌ CHANGELOG.md updated - No CHANGELOG update found for this dependency bump

Recommendation: Add a brief note in CHANGELOG about the actions/checkout upgrade.

Security

• ✅ No hardcoded credentials - All secrets properly referenced via ${{ secrets.* }}
• ✅ Input validation implemented - N/A for this change
• ✅ Proper error handling - Existing error handling maintained
• ✅ No sensitive data in logs - No sensitive data exposed

Additional Observations

What changed: Simple version bump from actions/checkout@v4 to actions/checkout@v5

Why this matters: The actions/checkout v5 update likely includes:

• Bug fixes and security patches
• Potential performance improvements
• Node.js runtime updates

Risks: Low risk change, but should verify:

• That fetch-depth: 0 parameter remains compatible with v5
• That the workflow runs successfully with the new version

Overall Assessment: ✅ This is a low-risk maintenance update that follows best practices for keeping dependencies current. The main gaps are documentation-related rather than code quality issues.

---

Automated review via Claude Code CLI

[github-actions]

🤖 Claude PR Review

I'll review this PR against your team checklist.

PR Review: Update actions/checkout from v4 to v5

Code Quality

• ✅ Code follows our style guide - YAML syntax is correct and follows GitHub Actions conventions
• ✅ No commented-out code - Clean diff with no commented code
• ✅ Meaningful variable names - N/A (dependency version bump only)
• ✅ DRY principle followed - N/A (single line change)

Testing

• ⚠️ Unit tests for new functions - N/A (infrastructure change, but workflow should be tested)
• ⚠️ Integration tests for new endpoints - N/A (no endpoints involved)
• ⚠️ Edge cases covered - Should verify the workflow runs successfully with v5
• ⚠️ Test coverage > 80% - N/A (not applicable to workflow files)

Recommendation: The PR should include evidence that the workflow was tested (e.g., successful workflow run with the new version).

Documentation

• ❌ README updated if needed - Not applicable but migration notes would be helpful
• ❌ API docs updated - N/A (no API changes)
• ❌ Inline comments for complex logic - N/A (simple version bump)
• ❌ CHANGELOG.md updated - MISSING - This dependency update should be documented in CHANGELOG.md

Issue: The CHANGELOG.md should include an entry about updating to actions/checkout@v5.

Security

• ✅ No hardcoded credentials - None added
• ✅ Input validation implemented - N/A (GitHub Actions handles this)
• ✅ Proper error handling - Inherits from the action itself
• ✅ No sensitive data in logs - No changes affecting logging

---

Summary

Overall Assessment: ✅ Mostly acceptable with minor improvements needed

Critical Issues: None

Recommendations:

1. Add CHANGELOG.md entry documenting the dependency update
2. Verify compatibility - Ensure actions/checkout@v5 is compatible with fetch-depth: 0 parameter (it should be, but worth confirming)
3. Test evidence - Link to a successful workflow run using v5 in the PR description

Breaking Changes: None expected - actions/checkout@v5 is backward compatible with v4

This is a straightforward dependency update that improves security and performance. The main gap is documentation in the CHANGELOG.

---

Automated review via Claude Code CLI

[github-actions]

🤖 Claude Code Review

⚠️ No file changes detected - skipping code review.

This PR appears to contain only metadata changes (labels, description, etc.).