Bump actions/checkout from 6.0.2 to 6.0.3 #8
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
… orchestra/testbench Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
…ions Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Signed-off-by: Kevin Ullyott <ullyott.kevin@gmail.com>
Hey @inxilpro! I've made some significant changes here to fix CI that kept failing in this PR, so wanted to request your opinion and review. I made the following changes:

Workflow (.github/workflows/phpunit.yml)
composer.json
Removing dev-master|dev-main from the constraints and flipping minimum-stability to stable fixed the original failure. Laravel's dev-master branch has a branch alias of 13.0.x-dev, which made it match ^13. With minimum-stability: dev, composer kept dev-master in the candidate pool, and --prefer-lowest picked it because 13.0.x-dev sorts lower than the 13.0.0 stable release. That dev version had the new ensureDeprecationLoggerIsConfigured(Repository $config) signature, which orchestra/testbench v11.0.0 didn't implement, causing the fatal errors. Restricting to stable means composer now picks laravel/framework 13.0.0 stable, which testbench v11.0.0 was built against.

I also dropped Laravel 11 from the matrix and constraints to address a security advisory block by composer. Two advisories (PKSA-mdq4-51ck-6kdq for CRLF injection, PKSA-8qx3-n5y5-vvnd for file validation bypass) flag every current L11 release, and Laravel has not backported the CRLF fix to L11. Since L11 security support ended March 12, 2026, dropping it is cleaner than bypassing advisories in CI as these will never be backported due to the EOL of that version.

I also am adding PHP 8.5 coverage to the current PHP release since it is the current PHP stable version.

Let me know if you see anything wrong with these changes, or if you would prefer them in a different PR than fixing this dependabot update, I can do so if preferred. Naturally, I think this would require a major version since it is a breaking change, dropping support for certain things.
A newer version of actions/checkout exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
Bumps actions/checkout from 6.0.2 to 6.0.3.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- df4cb1c Update changelog for v6.0.3 (#2446)
- 1cce339 Fix checkout init for SHA-256 repositories (#2439)
- 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
- 0c366fd Update changelog (#2357)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)