From fd7537bcf16fda9fbbc776be05889dd30e8046e1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 23:13:19 +0000
Subject: [PATCH 1/2] build(deps): bump actions/checkout from 6.0.2 to 6.0.3

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/release.yml | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 694a0d4..dcc5890 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
@@ -85,7 +85,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
@@ -122,7 +122,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 62c8ed0..6c4327b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -124,7 +124,7 @@ jobs:
 steps:
 - name: Check out release tag
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ env.RELEASE_TAG }}
 fetch-depth: 0
@@ -168,7 +168,7 @@ jobs:
 steps:
 - name: Check out release tag
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ env.RELEASE_TAG }}
 fetch-depth: 0
@@ -327,7 +327,7 @@ jobs:
 PY
 - name: Check out release tag
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 ref: ${{ env.RELEASE_TAG }}
 fetch-depth: 0

From 139cecca36f4f997ebe5698604cf820a3edf412c Mon Sep 17 00:00:00 2001
From: rabii-chaarani
Date: Tue, 9 Jun 2026 12:09:17 +0930
Subject: [PATCH 2/2] test: accept checkout 6.0.3 workflow pin

The Dependabot PR updates every workflow checkout pin to the v6.0.3 commit, but the release workflow regression test still required the previous v6.0.2 SHA. Aligning the test keeps the pinning guard intact while allowing the dependency bump to pass CI.

Constraint: PR #9 changes only pinned GitHub Actions workflow references
Rejected: Loosen the assertion to any checkout v6 SHA | would weaken the exact-pin supply-chain guard
Confidence: high
Scope-risk: narrow
Tested: /Users/rabii/Projects/Repositories/codebaseGraph/.venv/bin/python -m pytest tests/test_release_workflows.py -q
Not-tested: Full local suite is blocked by reused venv console script reporting MCP server version 0.1.dev29 and emitting JSON-lines instead of framed stdio
---
 tests/test_release_workflows.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_release_workflows.py b/tests/test_release_workflows.py
index b9ed19a..d14b98e 100644
--- a/tests/test_release_workflows.py
+++ b/tests/test_release_workflows.py
@@ -171,7 +171,7 @@ def test_workflows_pin_node24_capable_first_party_actions() -> None:
 for path in WORKFLOWS:
 text = path.read_text(encoding="utf-8")
- assert "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" in text
+ assert "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" in text
 assert "actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405" in text
 assert "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd" not in text
 assert "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" not in text
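Review bot: The retired v6.0.2 SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is only removed from the `in text` assertion and is not added to the `not in text` denylist that the last two lines of the hunk keep for older checkout SHAs, so a workflow that is partially reverted to the old pin would still pass this guard. I would add `assert "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" not in text` next to the existing two exclusions, and the commit message's "keeps the pinning guard intact" claim would then hold for the superseded pin as well. Separately, a substring presence check cannot show that every `actions/checkout@` reference in the file is the pinned SHA — a step using a mutable `@v6` tag would pass as long as the SHA appears somewhere else in the file; collecting refs with `re.findall(r"actions/checkout@(\S+)", text)` and asserting the set equals the single pinned SHA would close that gap, unless the remainder of the function, which continues past the end of the hunk, already does so.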