Bump actions/checkout from 5 to 6

[dependabot]

Bumps actions/checkout from 5 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Commits

• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jayaddison]

@kou please note: although @dependabot intended to upgrade this action to v6 in this PR, the SHA-versioned lines (three in total, I think) were in fact updated to v5.0.1.

The more-recent Dependabot PR #1490 has fixed this and updated to v6.0.1 -- even so, I would not currently recommend mixing SHA-versioned and tag-versioned references to the same action within a single repository's GitHub Actions workflows.

[kou]

OK. How about this? #1493

[jayaddison]

I think that the improved versioning comments in that PR are helpful. I'd add a caution, though, that, as I understand it, Dependabot alerts are not able to scan and issue vulnerability notices for actions referenced from workflow files using SHA1 referencing. I learned that from the somewhat-popular, yet-to-be-resolved discussion thread titled Please make Dependabot Alerts support SHA-hash-versioned GitHub Actions at: https://github.com/orgs/community/discussions/154189

[jayaddison]

NB: an update resolving the downgrade when using mixed SHA/tag version references has been applied and released in Dependabot v0.364.0 (released 2026-03-05): dependabot/dependabot-core#14349

[kou]

Thanks for sharing the note!