From 84515bd2ea0c5d7189fe27d634778234b14dbb3d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 28 May 2026 04:28:00 +0000
Subject: [PATCH 1/2] build(deps): bump actions/checkout from 5.0.1 to 6.0.2

Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/93cb6efe18208431cddfb8368fd83d5badbf9bfd...de0fac2e4500dabe0009e67214ff5f5447ce83dd)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/release.yml | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 76db5b7..694a0d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
@@ -85,7 +85,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
@@ -122,7 +122,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a293ceb..9e534bc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -119,7 +119,7 @@ jobs:
 steps:
 - name: Check out release tag
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ env.RELEASE_TAG }}
 fetch-depth: 0
@@ -163,7 +163,7 @@ jobs:
 steps:
 - name: Check out release tag
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ env.RELEASE_TAG }}
 fetch-depth: 0

From fdb402946636c4acc6929ea9535d5f7f8dbd0bef Mon Sep 17 00:00:00 2001
From: rabii-chaarani
Date: Thu, 28 May 2026 14:29:45 +0930
Subject: [PATCH 2/2] fix(ci): accept checkout v6 pin

Dependabot updated actions/checkout to the pinned v6.0.2 commit in both workflow files, but the workflow policy test still required the old v5.0.1 commit. Update the regression test so the dependency bump can pass while still rejecting the previous checkout pin.

Constraint: Workflows intentionally pin GitHub Actions by immutable commit SHA
Rejected: Loosen the test to only check action names | would weaken the supply-chain pinning policy
Confidence: high
Scope-risk: narrow
Directive: Update this test whenever Dependabot intentionally changes the pinned checkout SHA
Tested: .venv/bin/python -m pytest tests/test_release_workflows.py -q
Tested: .venv/bin/ruff check tests/test_release_workflows.py
Tested: .venv/bin/python scripts/check_release_gate.py
Tested: .venv/bin/python -m pytest -q
Not-tested: Remote CI rerun after pushing the PR branch
---
 tests/test_release_workflows.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/test_release_workflows.py b/tests/test_release_workflows.py
index 7217620..5bb7e59 100644
--- a/tests/test_release_workflows.py
+++ b/tests/test_release_workflows.py
@@ -146,8 +146,9 @@ def test_workflows_pin_node24_capable_first_party_actions() -> None:
 for path in WORKFLOWS:
 text = path.read_text(encoding="utf-8")
- assert "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd" in text
+ assert "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" in text
 assert "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" in text
+ assert "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd" not in text
 assert "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" not in text
 assert "actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065" not in text
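Review bot: The added positive assertion for the v6.0.2 SHA and the added `not in text` line for the v5.0.1 SHA only prove that the expected commit appears somewhere in each workflow and that two previously used commits are absent, so a workflow that later also gains a mutable reference such as `actions/checkout@v6`, or any SHA not on the denylist, would still pass, and the denylist has to grow on every bump (this commit already makes it two checkout entries). A single positive rule enforces the pinning policy without maintaining old SHAs: collect every checkout reference and require all of them to be the pinned commit, e.g. `refs = re.findall(r"uses:\s*actions/checkout@(\S+)", text)` followed by `assert refs and set(refs) == {"de0fac2e4500dabe0009e67214ff5f5447ce83dd"}`, replacing the three checkout assertions in the loop; this assumes `re` is imported at the top of the file, which is outside the hunk. The same shape would cover the setup-python pins on the neighbouring lines. The enclosing test function starts before the hunk; only its loop body is visible here.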