
Bump actions/checkout from 6 to 6.0.2 #368

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/checkout-6.0.2

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 4, 2026

Bumps actions/checkout from 6 to 6.0.2.

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Workflow-only dependency pin with no application or build script changes; minor risk is CI checkout/tag behavior differing from the previous floating v6 ref.

Overview
Pins actions/checkout from the floating @v6 tag to @v6.0.2 across all GitHub Actions workflows that check out code (build, packages, riscv64, rust, CodeQL, dependency review, commit signing, and dependency Cursor review).

Secondary checkouts (e.g. Chia-Network/mpir_gc_x64 and upstream repos in the dependency review job) use the same pinned version. No workflow logic, triggers, or step inputs change—only the action reference for reproducible CI checkouts and upstream v6.0.2 fixes (tag handling, optional orchestration user-agent).

Reviewed by Cursor Bugbot for commit bd61cbf. Bugbot is set up for automated code reviews on this repo.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added labels on Jun 4, 2026: Changed (required label for a PR that categorizes the merge commit message as "Changed" for the changelog), dependencies (pull requests that update a dependency file), github_actions (pull requests that update GitHub Actions code)

github-actions[bot] commented on Jun 4, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing the PR diff and upstream changes for supply-chain risk.
Verdict: benign

Summary: This is a normal Dependabot pin from floating actions/checkout@v6 to actions/checkout@v6.0.2 across your workflows. No signs of compromise; the malware scanner’s warn status is from expected false positives, not malicious upstream code.

Checklist (concise)

| Category | Assessment |
| --- | --- |
| Obfuscation / eval / exfil | No eval/Function/encoded payloads in changed src/. dist/index.js charCodeAt hits are bundled HTTP/parser code, not payload decoders. |
| Network / FS / spawn | Only standard GitHub URLs (github.com, api.github.com) and @actions/exec for git — expected for this action. No persistence paths or token exfil patterns. |
| Unicode / GlassWorm | Scanner: 0 unicode, confusable, and IOC findings. Source changes are readable, documented tag-fetch/orchestration logic. |
| Dependency integrity | No lockfile or node_modules changes. package.json has no install lifecycle scripts. Tags v6 and v6.0.2 exist on official actions/checkout. |
| Dependabot context | .github/workflows/ edits are expected for github_actions bumps (version pin only). No new workflow logic beyond v6 → v6.0.2. |

Upstream changes (v6.0.1 → v6.0.2): Tag-handling fix (ref-helper, git-source-provider), explicit --no-tags + refspec control, optional ACTIONS_ORCHESTRATION_ID in GIT_HTTP_USER_AGENT (sanitized). Matches release notes.

Scanner vs interpretation: The resolved range df4cb1c..de0fac2 is backwards for this PR (df4cb1c = current v6 tag, de0fac2 = v6.0.2), which is why the report shows large deletions instead of the real v6.0.1→v6.0.2 additions. Heuristic hits (codepoint_decoder, shell_process_spawn, CHANGELOG “exec”) are false positives for a Git checkout action; I disagree that they indicate malware.

Repo usage: Workflows use plain checkout (e.g. fetch-depth: 0); no fetch-tags: true, so the tag fix is low risk and slightly beneficial if you add tag-based flows later.

Recommendation: Safe to merge from a supply-chain perspective. Optional: pin v6.0.3 (or keep @v6) if you want the latest patch on the v6 line — that’s versioning, not security.

Compatibility Analysis

Reviewing how actions/checkout is used in workflows and whether v6.0.2 changes affect those call sites.

Compatibility & adoption analysis — actions/checkout 6 → 6.0.2

1) Usage in this repo

20 call sites across 10 workflow files (CI-only; no application/runtime dependency):

| Workflow | Uses | Notable inputs |
| --- | --- | --- |
| build.yml | 4 | fetch-depth: 0 |
| rust.yml | 4 | defaults |
| build-packages.yml | 3 | secondary repo checkout (Chia-Network/mpir_gc_x64, path) |
| build-c-libraries.yml | 2 | fetch-depth: 0/1, secondary repo checkout |
| build-riscv64.yml | 2 | fetch-depth: 0 |
| dependency-cursor-review.yml | 2 | ref (PR head SHA), path, fetch-depth: 0, persist-credentials: false |
| check-commit-signing.yml | 1 | fetch-depth: 0 |
| codeql-analysis.yml | 1 | fetch-depth: 0 |
| dependency-review.yml | 1 | defaults |

Not used anywhere: fetch-tags, submodules, lfs, sparse-checkout, custom token, or post-checkout git tag/git fetch steps.

This PR also pins the version from the floating @v6 tag to explicit @v6.0.2.


2) Intersection with v6.0.1 / v6.0.2 changes

| Version | Upstream change | Relevant to chiavdf? |
| --- | --- | --- |
| v6.0.2 | tag handling / fetch-tags fix | No; fetch-tags not used; no tag-fetch logic in workflows |
| v6.0.2 | orchestration_id in git user-agent | No; only when ACTIONS_ORCHESTRATION_ID is set (GitHub-internal orchestration) |
| v6.0.1 | worktree support for persist-credentials includeIf | Low; persist-credentials: false is set in 2 jobs; no git worktree usage observed |

All other usage is standard repo checkout (fetch-depth, path, ref, secondary repos). No changed inputs or outputs are relied on in a way that should break.


3) Risks / unknowns

  • Very low functional risk — patch release within v6; you were already on the v6 major line (Node 24 runtime, v6 credential behavior).
  • Pinning tradeoff: @v6.0.2 is more reproducible than @v6, but won’t auto-pick up future patches (e.g. v6.0.3 SHA-256 fixes) until the next Dependabot bump. Acceptable for CI actions.
  • No build/test surface — failure mode is limited to workflow checkout steps; existing CI on the PR is the right validation.
  • Malware scan “maintainer_drift” for 6→6.0.2 is expected version metadata noise for an official GitHub action, not a supply-chain signal.

4) Recommendation: merge

Safe, low-impact patch pin with upstream bug fixes. No usage patterns intersect the changed behavior in a way that suggests regression risk. Merge once CI checks on PR #368 are green.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 11
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: df4cb1c069e1874edd31b4311f1884172cec0e10..de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • Resolved refs: from=df4cb1c069e1874edd31b4311f1884172cec0e10 to=de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 124

Top findings

  • dist/index.js:4365 codepoint_decoder :: bytes.push(str.charCodeAt(i));
  • dist/index.js:8273 codepoint_decoder :: return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  • dist/index.js:19430 codepoint_decoder :: const charCode = attributeValue.charCodeAt(0)
  • dist/index.js:19582 codepoint_decoder :: const code = char.charCodeAt(0)
  • dist/index.js:19605 codepoint_decoder :: const code = char.charCodeAt(0)
  • dist/index.js:19642 codepoint_decoder :: const code = char.charCodeAt(0)
  • dist/index.js:19663 codepoint_decoder :: const code = char.charCodeAt(0)
  • dist/index.js:22961 codepoint_decoder :: bytes[byte] = binary.charCodeAt(byte)
  • dist/index.js:23870 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j
  • dist/index.js:23871 codepoint_decoder :: while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(i))) ++i
  • dist/index.js:28235 codepoint_decoder :: const c = statusText.charCodeAt(i)
  • dist/index.js:28290 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • dist/index.js:29159 codepoint_decoder :: assert(input.charCodeAt(i) <= 0xFF)
  • dist/index.js:29723 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • dist/index.js:29726 codepoint_decoder :: index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • dist/index.js:31976 codepoint_decoder :: for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) {
  • dist/index.js:35166 codepoint_decoder :: const code = char.charCodeAt(0)
  • dist/index.js:36416 codepoint_decoder :: bytes.push(str.charCodeAt(i));
  • dist/index.js:38112 codepoint_decoder :: if (!HEX[str.charCodeAt(i)]) {
  • dist/index.js:38154 codepoint_decoder :: switch (path.charCodeAt(i)) {
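The two bot reviews above turn on one distinction: `@v6` is a floating tag that moves with every release, `@v6.0.2` names one release but is still a tag the publisher can re-point, and only a full commit SHA is immutable. The script below is an added example written for this discussion; it is not code from the chiavdf repository, from actions/checkout, or from the Dependabot or Cursor tooling whose output is quoted above. It scans workflow text for `uses:` lines, classifies each ref, reports what a bump like this one changes and what it leaves mutable, and checks a SHA-pinned line's `# vX.Y.Z` annotation against a tag-to-commit map of the shape `git ls-remote --tags` prints. The sample workflows are constructed (the `./.github/actions/local-setup` and `example-org/setup-tool` actions are hypothetical), and the two SHAs are the ones the scan summary above resolved for v6 and v6.0.2; confirm them against the real repository before relying on them.

```python
"""Audit how GitHub Actions workflows pin third-party actions (added example; not code from the
chiavdf repository, from actions/checkout, or from the Dependabot/Cursor tooling quoted above)."""
import re
from collections import Counter, defaultdict

# `uses: owner/repo@ref`, optionally quoted, optionally followed by a `# annotation` such as `# v6.0.2`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)[\"']?(?:\s*#\s*(\S+))?", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")           # full commit SHA: the only immutable ref
EXACT_TAG_RE = re.compile(r"v?\d+\.\d+\.\d+")  # v6.0.2: one release, but the publisher can re-point it
MAJOR_TAG_RE = re.compile(r"v?\d+(\.\d+)?")    # v6 / v6.0: floating, moved on every release

def classify_ref(ref):
    if SHA_RE.fullmatch(ref):
        return "sha"
    if EXACT_TAG_RE.fullmatch(ref):
        return "exact_tag"
    if MAJOR_TAG_RE.fullmatch(ref):
        return "floating_tag"
    return "missing_ref" if ref == "" else "branch_or_other"

def parse_uses(text):
    """(action, ref, annotation) for each remote `uses:` line of one workflow file."""
    sites = []
    for m in USES_RE.finditer(text):
        spec, annotation = m.group(1), m.group(2)
        if spec.startswith(("./", "docker://")):
            continue  # local composite actions and Docker images carry no git ref to pin
        action, _, ref = spec.partition("@")
        sites.append((action, ref, annotation))
    return sites

def audit(workflows):
    """workflows: {file name: YAML text}. Call sites per file, ref kinds per action, and
    every site whose ref is not a commit SHA (tags of any kind stay mutable upstream)."""
    per_file, per_action, mutable = {}, defaultdict(Counter), []
    for name, text in workflows.items():
        sites = parse_uses(text)
        per_file[name] = len(sites)
        for action, ref, _ in sites:
            kind = classify_ref(ref)
            per_action[action][kind] += 1
            if kind != "sha":
                mutable.append((name, action, ref, kind))
    return {"per_file": per_file, "per_action": {a: dict(c) for a, c in per_action.items()},
            "mutable": mutable}

def pin_diff(before, after):
    """Call sites whose ref changed between two versions of the workflow set: what a bump
    such as v6 -> v6.0.2 actually touches."""
    changes = []
    for name, old_text in before.items():
        pairs = zip(parse_uses(old_text), parse_uses(after.get(name, "")))
        changes += [(name, oa, oref, nref) for (oa, oref, _), (na, nref, _) in pairs
                    if oa == na and oref != nref]
    return changes

def parse_ls_remote(output):
    """{tag: commit sha} from `git ls-remote --tags <url>` output; for annotated tags the peeled
    `^{}` line wins so the value is the commit, not the tag object."""
    tags = {}
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref.startswith("refs/tags/"):
            tag, peeled = ref[len("refs/tags/"):], ref.endswith("^{}")
            tag = tag[:-3] if peeled else tag
            if peeled or tag not in tags:
                tags[tag] = sha
    return tags

def verify_sha_pins(workflows, tag_map):
    """SHA-pinned sites whose `# vX.Y.Z` annotation does not match that tag's commit: the
    comment then misstates what the workflow runs."""
    return [(name, action, ref, note) for name, text in workflows.items()
            for action, ref, note in parse_uses(text)
            if classify_ref(ref) == "sha" and note and tag_map.get(note) != ref]

# Constructed sample input, not the repository's real workflow files. The two SHAs are the ones
# the scan summary above resolved for v6 and v6.0.2; confirm them with git ls-remote yourself.
V6_SHA = "df4cb1c069e1874edd31b4311f1884172cec0e10"
V6_0_2_SHA = "de0fac2e4500dabe0009e67214ff5f5447ce83dd"
BEFORE = {
    "build.yml": "jobs:\n  build:\n    steps:\n"
                 "      - uses: actions/checkout@v6\n        with:\n          fetch-depth: 0\n"
                 "      - uses: actions/checkout@v6\n        with:\n"
                 "          repository: Chia-Network/mpir_gc_x64\n          path: mpir_gc_x64\n",
    "rust.yml": "jobs:\n  test:\n    steps:\n"
                "      - uses: actions/checkout@v6\n"
                "      - uses: ./.github/actions/local-setup\n"    # hypothetical local action
                "      - uses: example-org/setup-tool@main\n",     # hypothetical branch-pinned action
}
AFTER = {n: t.replace("actions/checkout@v6", "actions/checkout@v6.0.2") for n, t in BEFORE.items()}
SHA_PINNED = {n: t.replace("actions/checkout@v6", f"actions/checkout@{V6_0_2_SHA} # v6.0.2")
              for n, t in BEFORE.items()}
LS_REMOTE = "\n".join([V6_SHA + "\trefs/tags/v6",
                       "1" * 40 + "\trefs/tags/v6.0.2",        # placeholder annotated-tag object
                       V6_0_2_SHA + "\trefs/tags/v6.0.2^{}"])  # peeled commit the tag points at

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after PR", AFTER), ("sha-pinned", SHA_PINNED)):
        print(label, audit(wf)["per_action"]["actions/checkout"])
    print("changed by PR:", pin_diff(BEFORE, AFTER))
    print("annotation mismatches:", verify_sha_pins(SHA_PINNED, parse_ls_remote(LS_REMOTE)))
```

Against the constructed input, `audit(BEFORE)` reports three floating `actions/checkout` sites, `pin_diff(BEFORE, AFTER)` lists exactly those three as `v6` to `v6.0.2`, and `audit(AFTER)` still lists them as mutable because an exact tag is not a commit. Only the `SHA_PINNED` variant is immutable, and `verify_sha_pins` is the check worth running in CI when you adopt that form, since Dependabot keeps the `# v6.0.2` comment in step with the SHA and a hand edit can silently desynchronise the two.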
