build: update checkout action to v5 #1661

Merged: Pitasi merged 1 commit into warden-protocol:main from rejected-l:main, Aug 25, 2025

@rejected-l

GitHub-hosted runners now use Node 24, so actions/checkout@v5 is required. Minimum runner version v2.327.1. Workflows only updated—no functional changes.

See: https://github.com/actions/checkout/releases/tag/v5.0.0

@rejected-l rejected-l requested review from a team as code owners August 12, 2025 10:26
coderabbitai bot commented Aug 12, 2025

Walkthrough

All modified GitHub Actions workflows update the checkout step from actions/checkout@v4 to actions/checkout@v5. No other steps, parameters, or control flow were changed.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Automated Orders: .github/workflows/automated-orders-relayer.yml, .github/workflows/automated-orders-scheduler.yml | Update checkout step to actions/checkout@v5. |
| Go Clients & Services: .github/workflows/go-client.yml, .github/workflows/go-mod-tidy.yml, .github/workflows/integration-tests.yml, .github/workflows/keychain-sdk.yml, .github/workflows/shield.yml, .github/workflows/faucet.yml, .github/workflows/wardend.yaml, .github/workflows/wardenkms.yml, .github/workflows/spaceward.yml | Bump actions/checkout from v4 to v5 (some workflows have two occurrences: lint and unit-test jobs). |
| Contracts & Solidity: .github/workflows/contracts.yml, .github/workflows/soliditygen.yml | Switch actions/checkout to v5. |
| Build & Release: .github/workflows/build_push.yml, .github/workflows/release-docker-images.yml, .github/workflows/release-wardend-binaries.yaml, warden/.github/workflows/release.yml | Upgrade checkout steps to v5 (multiple jobs where applicable). |
| Repo Maintenance: .github/workflows/buf-ci.yaml, .github/workflows/license.yml, .github/workflows/changelog-reminder.yml | Replace actions/checkout@v4 with @v5. |
| Security Scanning: .github/workflows/scan-fs.yaml | Update checkout step to v5 in Trivy FS workflow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • Pitasi
  • jlehtimaki
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (12)
warden/.github/workflows/release.yml (1)

22-22: Consider pinning checkout to a commit SHA for supply-chain hardening.

Pinning to a specific commit of v5 (instead of the floating tag) reduces the blast radius of a compromised tag.

Example (replace with the v5 commit SHA you intend to trust):

-uses: actions/checkout@v5
+uses: actions/checkout@<v5-commit-sha>
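
Review bot: the `+uses:` line still carries the `<v5-commit-sha>` placeholder, so it cannot be applied as written. Substitute the full 40-character commit SHA that the v5 tag resolves to, and keep a trailing `# v5` comment on the same line so the pinned version stays readable in later reviews.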

.github/workflows/go-mod-tidy.yml (1)

10-10: Optional: Pin checkout to its commit SHA.

Using a commit SHA instead of a tag further hardens the workflow against tag hijacking.

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@<v5-commit-sha>

.github/workflows/wardenkms.yml (1)

27-27: Optional: Pin both checkout steps to the v5 commit SHA.

Consistent pinning across jobs strengthens supply-chain posture.

-      - uses: actions/checkout@v5
+      - uses: actions/checkout@<v5-commit-sha>

Repeat for both steps.

Also applies to: 42-42

.github/workflows/spaceward.yml (1)

24-24: Optional: Pin checkout to a specific commit SHA.

Prevents unexpected changes from tag moves.

-        uses: actions/checkout@v5
+        uses: actions/checkout@<v5-commit-sha>

.github/workflows/release-wardend-binaries.yaml (1)

18-18: Optional: Pin checkout to the v5 commit SHA in both jobs.

Improves integrity of release workflows by avoiding floating tags.

-        uses: actions/checkout@v5
+        uses: actions/checkout@<v5-commit-sha>

Apply to both occurrences.

Also applies to: 47-47

.github/workflows/build_push.yml (1)

33-33: Checkout bumped to v5 — correct for current runner baselines

Change looks correct and isolated. Optional: if your org enforces supply-chain hardening, consider pinning actions to full commit SHAs (with a trailing comment noting the version), e.g., actions/checkout@ # v5.

.github/workflows/automated-orders-scheduler.yml (1)

33-33: All workflows now use actions/checkout@v5 – please verify self-hosted runner versions

  • Confirmed zero occurrences of actions/checkout@v1–v4 across all .github/workflows and warden/.github/workflows.
  • Ensure any self-hosted runners are running runner version ≥ 2.327.1 to support the Node 24 runtime.
  • (Optional) For supply-chain hardening, pin actions/checkout@v5 to a specific commit SHA.

.github/workflows/integration-tests.yml (1)

13-13: LGTM on checkout@v5; consider fetch-depth if tests rely on history

  • The change is correct and consistent with the PR objective.
  • If integration tests rely on Git history (e.g., tags, versioning), add fetch-depth: 0 to the checkout step; otherwise, default depth=1 is fine.

.github/workflows/faucet.yml (1)

33-33: Consistent upgrade to checkout@v5 in both jobs—looks good

  • Both lint and unit-test jobs now use actions/checkout@v5 as required.
  • Optional: Pin to a specific commit SHA for actions/checkout to strengthen supply-chain security.
  • For self-hosted runners (if any), ensure runner >= 2.327.1.

Also applies to: 48-48

.github/workflows/license.yml (1)

25-25: LGTM: checkout@v5 applied

  • Matches the repo-wide upgrade goal.
  • If this job ever needs full history for license checks, consider fetch-depth: 0; otherwise current default is fine.

.github/workflows/soliditygen.yml (1)

19-19: LGTM: checkout@v5 in lint and test jobs

  • Upgrade is correct and consistent across jobs.
  • Optional: Pin to a commit SHA for actions/checkout to reduce supply-chain risk.

Also applies to: 34-34

.github/workflows/shield.yml (1)

34-34: Second checkout step correctly updated to v5

Matches the PR objective; no functional changes introduced. If you adopt pinning and permissions from the prior comment, apply them consistently here too.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3dc6b02 and 7f75f1a.

📒 Files selected for processing (21)
  • .github/workflows/automated-orders-relayer.yml (1 hunks)
  • .github/workflows/automated-orders-scheduler.yml (1 hunks)
  • .github/workflows/buf-ci.yaml (1 hunks)
  • .github/workflows/build_push.yml (1 hunks)
  • .github/workflows/changelog-reminder.yml (1 hunks)
  • .github/workflows/contracts.yml (1 hunks)
  • .github/workflows/faucet.yml (2 hunks)
  • .github/workflows/go-client.yml (2 hunks)
  • .github/workflows/go-mod-tidy.yml (1 hunks)
  • .github/workflows/integration-tests.yml (1 hunks)
  • .github/workflows/keychain-sdk.yml (2 hunks)
  • .github/workflows/license.yml (1 hunks)
  • .github/workflows/release-docker-images.yml (2 hunks)
  • .github/workflows/release-wardend-binaries.yaml (2 hunks)
  • .github/workflows/scan-fs.yaml (1 hunks)
  • .github/workflows/shield.yml (2 hunks)
  • .github/workflows/soliditygen.yml (2 hunks)
  • .github/workflows/spaceward.yml (1 hunks)
  • .github/workflows/wardend.yaml (2 hunks)
  • .github/workflows/wardenkms.yml (2 hunks)
  • warden/.github/workflows/release.yml (1 hunks)

🔇 Additional comments (12)
warden/.github/workflows/release.yml (2)

22-22: Upgrade to actions/checkout@v5 looks good.

Aligned with Node 24 on GH-hosted runners; fetch-depth retained as 0 for full history. No functional changes introduced here.


22-22: All workflows use actions/checkout@v5
Verified across all .github/workflows (including hidden dirs); no references to v1–v4 remain.

.github/workflows/go-mod-tidy.yml (1)

10-10: LGTM on bump to actions/checkout@v5.

Matches the PR objective; no other changes to the job.

.github/workflows/wardenkms.yml (1)

27-27: Both checkout steps updated to v5 — looks correct.

Consistent across lint and unit-test jobs.

Also applies to: 42-42

.github/workflows/spaceward.yml (1)

24-24: LGTM: checkout upgraded to v5.

No other behavior changes; the rest of the Node/pnpm setup remains intact.

.github/workflows/release-wardend-binaries.yaml (1)

18-18: Both build jobs correctly updated to actions/checkout@v5.

fetch-depth: 0 preserved, which is typically required for release/version logic. Looks good.

Also applies to: 47-47

.github/workflows/buf-ci.yaml (1)

28-28: All workflows updated to actions/checkout@v5 — Verified no remaining references to older checkout versions in .github/workflows or warden/.github/workflows. Approved.
Please confirm any self-hosted runners meet the minimum version requirement for checkout v5 as noted in the PR description.

.github/workflows/release-docker-images.yml (1)

31-31: Both checkout steps correctly bumped to v5

This is the right change for Node 24 default runners; fetch-depth remains explicitly set to 0, which is preserved behavior.

If any jobs run on self-hosted runners (e.g., arm), please confirm the runner version meets the minimum required for checkout v5 as per the PR description to avoid runtime failures.

Also applies to: 65-65

.github/workflows/wardend.yaml (2)

32-32: Checkout v5 in lint job — LGTM

No functional changes beyond the version bump.


47-47: Checkout v5 in unit-test job — LGTM

No functional changes beyond the version bump.

If you rely on self-hosted runners for these jobs, please confirm they meet the minimum runner version stated in the PR description for checkout v5 compatibility.

.github/workflows/changelog-reminder.yml (1)

16-16: Checkout v5 upgrade — LGTM

No other workflow logic changed; behavior remains the same.

.github/workflows/automated-orders-relayer.yml (1)

31-31: Pin checkout action to v5.0.0 and disable credential persistence

Pin the checkout action to an exact version and drop credentials for least privilege:

-        uses: actions/checkout@v5
+        uses: actions/checkout@v5.0.0
+        with:
+          persist-credentials: false
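
Review bot: `actions/checkout@v5.0.0` on the `+uses:` line is still a tag, and a tag can be moved to a different commit, so this narrows but does not remove the risk that the SHA-pinning suggestions address. Pin to the full commit SHA and keep `# v5.0.0` as a trailing comment. The added `persist-credentials: false` is fine provided no later step in this job relies on the token that checkout would otherwise leave in the local git config (for example a `git push`); confirm that for this workflow before applying.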

Verification:

  • No other actions/checkout@v1–v4 usages found in .github/workflows.
  • No self-hosted runners detected.

@Pitasi Pitasi left a comment

thanks!

@Pitasi Pitasi merged commit 2f92b3b into warden-protocol:main Aug 25, 2025
5 checks passed
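
The two checks the review comments above ask for (commit-SHA pinning of `uses:` refs and `persist-credentials: false` on checkout) can be run over a workflow file with a small script. This is an added example, not code from the PR, the warden-protocol repository or CodeRabbit; `SAMPLE`, `example-org/example-action`, its SHA and the function names are constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# `uses: owner/repo[/path]@ref`, with or without the leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b")

# Constructed `steps:` fragment; the second action and its SHA are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@v5
  - uses: example-org/example-action@{sha}  # v1 (placeholder)
  - name: Checkout
    uses: actions/checkout@v5.0.0
    with:
      persist-credentials: false
""".format(sha="a" * 40)

def classify_ref(ref):
    """Only a full commit SHA is immutable; exact and major tags can both be moved."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    return "exact-tag" if re.fullmatch(r"v?\d+\.\d+\.\d+", ref) else "floating"

def scan_steps(text):
    """Line-based scan: one [line, action, ref, persist_off] per step with `uses:`."""
    steps, current = [], None
    for number, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            current = [number, match[1], match[2], False]
            steps.append(current)
        elif line.lstrip().startswith("- "):
            current = None  # next step started; stop attributing `with:` keys
        elif current and PERSIST_OFF_RE.match(line):
            current[3] = True
    return steps

def findings(text):
    """Yield (line, message) for refs that are not SHAs and checkouts keeping credentials."""
    for line_no, action, ref, persist_off in scan_steps(text):
        pin = classify_ref(ref)
        if pin != "sha":
            yield (line_no, f"{action}@{ref}: {pin} ref, not a commit SHA")
        if action == "actions/checkout" and not persist_off:
            yield (line_no, f"{action}: persist-credentials is not false")

if __name__ == "__main__":
    for line_no, message in findings(SAMPLE):
        print(f"line {line_no}: {message}")
```

On the sample, both `v5` and `v5.0.0` are reported as unpinned, and only the first checkout step is reported for credential persistence.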