Bump actions/checkout from 6.0.2 to 6.0.3 #8

Open
dependabot[bot] wants to merge 5 commits into main from dependabot/github_actions/actions/checkout-6.0.3

dependabot Bot commented on behalf of github Jun 10, 2026

Contributor

Bumps actions/checkout from 6.0.2 to 6.0.3.

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jun 10, 2026
Orrison added 4 commits June 11, 2026 23:34
… orchestra/testbench

Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
…ions

Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Orrison commented Jun 12, 2026

Collaborator

Hey @inxilpro! I've made some significant changes here to fix CI that kept failing in this PR, so wanted to request your opinion and review.

I made the following changes:

Workflow (.github/workflows/phpunit.yml)

  • Dropped 11.* from the Laravel matrix
  • Added 8.5 to the PHP matrix

composer.json

  • illuminate/support: changed from ^11|^12|^13|dev-master|dev-main to ^12|^13
  • orchestra/testbench: changed from ^9.11|^10.0|^11.0|dev-master|dev-main to ^10.0|^11.0
  • minimum-stability: changed from dev to stable
  • Removed prefer-stable: true (redundant once minimum-stability is stable)

Removing dev-master|dev-main from the constraints and flipping minimum-stability to stable fixed the original failure. Laravel's dev-master branch has a branch alias of 13.0.x-dev, which made it match ^13. With minimum-stability: dev, composer kept dev-master in the candidate pool, and --prefer-lowest picked it because 13.0.x-dev sorts lower than the 13.0.0 stable release. That dev version had the new ensureDeprecationLoggerIsConfigured(Repository $config) signature, which orchestra/testbench v11.0.0 didn't implement, causing the fatal errors. Restricting to stable means composer now picks laravel/framework 13.0.0 stable, which testbench v11.0.0 was built against.

I also dropped Laravel 11 from the matrix and constraints to address a security advisory block by composer. Two advisories (PKSA-mdq4-51ck-6kdq for CRLF injection, PKSA-8qx3-n5y5-vvnd for file validation bypass) flag every current L11 release, and Laravel has not backported the CRLF fix to L11. Since L11 security support ended March 12, 2026, dropping it is cleaner than bypassing advisories in CI as these will never be backported due to the EOL of that version.

I also am adding PHP 8.5 coverage to the current PHP release since it is the current PHP stable version.


Let me know if you see anything wrong with these changes, or if you would prefer them in a different PR than fixing this dependabot update, I can do so if preferred.

Naturally, I think this would require a major version since it is a breaking change, dropping support for certain things.

Orrison requested a review from inxilpro June 12, 2026 04:10
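
A check for the composer.json conditions described in the comment above, as an added example that is not part of this PR or the project's code: it flags constraints that admit dev branches and a `minimum-stability` other than `stable`, the two settings that let an unreleased branch into the resolver's candidate pool. The sample manifests are constructed from the before/after values quoted in the comment; the function name and the placement of each package under `require` or `require-dev` are assumptions.

```python
import json
import re

# Constructed inputs: the "before" and "after" values quoted in the comment above.
# Which section (require / require-dev) each package sits in is an assumption.
BEFORE = json.loads("""{
  "require": {"illuminate/support": "^11|^12|^13|dev-master|dev-main"},
  "require-dev": {"orchestra/testbench": "^9.11|^10.0|^11.0|dev-master|dev-main"},
  "minimum-stability": "dev",
  "prefer-stable": true
}""")
AFTER = json.loads("""{
  "require": {"illuminate/support": "^12|^13"},
  "require-dev": {"orchestra/testbench": "^10.0|^11.0"},
  "minimum-stability": "stable"
}""")

# A constraint part that admits non-stable code: a dev-<branch> name,
# an N.x-dev branch version, or an explicit @dev/@alpha/@beta/@RC flag.
UNSTABLE_PART = re.compile(r"^dev-|-dev(@|$)|@(dev|alpha|beta|rc)$", re.IGNORECASE)


def unstable_findings(manifest):
    """Return the reasons this composer.json lets Composer consider non-stable versions."""
    findings = []
    # Composer's default minimum-stability is "stable" when the key is absent.
    stability = manifest.get("minimum-stability", "stable")
    if stability.lower() != "stable":
        findings.append(f"minimum-stability is {stability}")
    for section in ("require", "require-dev"):
        for package, constraint in manifest.get(section, {}).items():
            # "|" and "||" separate OR alternatives; spaces and commas separate AND parts.
            for part in re.split(r"[\s,|]+", constraint.strip()):
                if UNSTABLE_PART.search(part):
                    findings.append(f"{section}: {package} allows {part}")
    return findings


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        problems = unstable_findings(manifest)
        print(label, "OK" if not problems else problems)
```

Failing the CI job when the returned list is non-empty keeps branch constraints from being reintroduced later.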
dependabot Bot commented on behalf of github Jun 24, 2026

Contributor Author

A newer version of actions/checkout exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
