Skip to content

Build(deps): Bump actions/checkout from 4 to 6#3

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6
Closed

Build(deps): Bump actions/checkout from 4 to 6#3
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 31, 2026

Copy link
Copy Markdown

Bumps actions/checkout from 4 to 6.

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 31, 2026
systemslibrarian added a commit that referenced this pull request May 31, 2026
Lands recommendation items #2 (samples) and #3 (deployment guide) from the
adoption analysis in chat.md, and captures the operational blueprint for items
#1, #4, #5, #6 (Azure KMS, AWS KMS, external review, 1.0 cut) in future.md
rather than scaffolding cloud crypto code that cannot be honestly tested in a
single session.

samples/WorkerService.Sample
- LivenessWorker mints a content key every 10 seconds, encrypts a probe
  payload, then unwraps and decrypts it. Logs round-trip latency + the active
  KEK id so an ops dashboard can scrape both. A failure here is the early
  warning that something is wrong with the provider, the keyring, or the
  host's entropy.
- RotationWorker rotates the active KEK on a configurable interval and
  persists the multi-KEK ring through the registered IKeyringStore on every
  rotation. Default 2 minutes; Development environment overrides to 30
  seconds so the demo is visible at human speed.
- README explains the production adaptation points (real secret-manager
  passphrase source, cadence, health-check integration, keyring backup).

samples/EfCore.Sample
- SQLite + EF Core console app showing per-row envelope encryption. A
  SecureNote entity carries Ciphertext + Nonce + Tag + WrappedKey (encoded
  via WrappedContentKey.Encode) as separate columns; SecureNotesRepository
  does the async wrap/unwrap at the persistence boundary.
- Demo run: insert encrypted, read back through the repo, dump the raw row
  to prove only ciphertext is on disk, rotate the KEK, re-read the same row
  to prove the row's wrapped key still references the original KEK and
  decrypts without re-encryption.
- README documents why explicit columns + async repository beats EF Core
  ValueConverter (async support + lazy migration without re-encrypting every
  row on rotation).

docs/deployment.md
- Production operational guide. Opens with "the four things you absolutely
  must get right": passphrase only in your secret manager, keyring backups,
  automated rotation, tested restore procedure.
- Covers: passphrase storage (and where NOT to store it); keyring metadata
  durability + the realities of a single-file FileKeyringStore vs. cloud
  object stores; Argon2id preset selection by frequency-of-derivation rather
  than "how secure each preset feels"; what to log (KEK ids, rotation
  timestamps, liveness duration) and what to NEVER log (passphrases, DEK
  bytes); multi-instance deployments (shared keyring vs. dedicated rotator,
  and what does NOT work — shared passphrase without shared salt, two
  hosts both rotating); container + Kubernetes notes; the disaster-recovery
  matrix down to the irrecoverable "lost keyring AND passphrases" case.

future.md
- Concrete blueprint for items #1, #4, #5, #6:
  - Azure Key Vault provider: az provisioning script (RG, RBAC vault,
    RSA-3072 KEK, role assignment, purge protection), provider skeleton
    pinned to versioned key URIs, integration-test project layout using
    Xunit.SkippableFact so missing env vars skip rather than fail, and a
    GitHub Actions OIDC workflow.
  - AWS KMS provider: same shape with AWSSDK.KeyManagementService,
    aws kms create-key + alias, aws-actions/configure-aws-credentials OIDC,
    note that KMS Encrypt/Decrypt is already authenticated so Ciphertext
    just holds the AWS blob as-is.
  - External cryptographic review: two realistic engagement paths (named
    consultant at $15-50k for ~2-4 weeks vs. community/academic, slower but
    cheaper), exactly what to hand the reviewer (commit hash, threat model,
    KNOWN-GAPS, scope letter), and what to do with the report (publish it).
  - Cutting 1.0: explicit checklist (cloud providers shipped + in real use,
    audit done, formats stable for 2+ minors, named production deployment),
    and what 1.0 obligates the maintainer to (no breaking changes without a
    2.0, backport policy, deprecation cycles).
- Closes with sequencing: don't reorder; each step's value depends on the
  previous one being done.

Plumbing
- PostQuantum.KeyManagement.slnx references the two new sample projects.
- README links to docs/deployment.md and future.md from the security section
  and the samples table now lists all three samples + what each demonstrates.
- CHANGELOG updated under 0.3.0-preview.1.

Build: full solution 0 warnings, 0 errors on net8/9/10. 42 core tests + 11 DI
tests = 53 tests, all green. Both new samples build clean; EfCore.Sample was
smoke-tested end-to-end including a rotation.

To God be the glory - 1 Corinthians 10:31

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
systemslibrarian added a commit that referenced this pull request May 31, 2026
Lifts the 0.3 hardened core into a production-shaped preview by adding API
refinements, expanded test coverage, polished documentation, and stronger
NuGet metadata. Cloud KMS providers, external review, and 1.0 remain mapped
out in future.md.

API refinements (additive only)
- WrappedContentKey.TryDecode(string? token, out WrappedContentKey? result)
  for exception-free parsing of untrusted input. The throwing Decode remains
  for programmer-error scenarios.
- LocalKeyringMetadata.TryDecode(...) — same pattern for keyring tokens.
- LocalContentKeyProvider now rejects empty passphrases with a clear
  ArgumentException at the library boundary, before any cryptographic work
  runs. Eliminates a confusing inner exception from Argon2id.
- AddPostQuantumKeyManagement is now idempotent: switched the singleton
  registrations to TryAddSingleton so calling it twice does not
  double-register.

Test expansion (53 -> 74 tests)
- TryDecodeTests: positive and negative cases for both TryDecode overloads.
- PassphraseEdgeCaseTests: 8 KiB passphrases, Unicode passphrases (BMP, RTL,
  emoji, CJK), keyring export/import round-trips with Unicode passphrases,
  and the empty-passphrase rejection on Create and Rotate.
- AdvancedRotationTests: 25 rapid rotations with every probe still
  unwrappable, ExportMetadata reflecting the new active KEK, two-hop rewrap
  preserving content-key bytes, and mid-lifecycle Import preserving the
  active KEK.
- IdempotencyAndConfigurationTests (DI package): double-registration is now
  safe, IConfiguration binding works, relative KeyringPath resolves.

Documentation
- README rewritten to lead with concrete value, a 60-second demo across all
  three samples, a TryDecode usage snippet, a PostQuantum.FileEncryption
  integration sketch, a local-vs-cloud KMS comparison table, and a TOC of
  every supporting doc.
- SECURITY.md enumerates the protections the library now actually delivers
  (verifier, hostile-input resistance, boundary validation, concurrent
  safety) and cross-links to the threat model, deployment guide, and
  future.md.
- KNOWN-GAPS.md reflects 0.4 state: gaps #3 (keyring persistence) and #7
  (threading) marked closed with version anchors; the 0.4 roadmap line lists
  the DI package, samples, docs, TryDecode, and boundary validation.

Packaging and release prep
- Version bumped to 0.4.0-preview.1 on both packages (core + DI extensions).
- Core declares IsAotCompatible=true. Builds clean under the AOT/trim
  analyzer on net8/9/10.
- NuGet metadata elevated on both packages: stronger Title, Description,
  PackageTags (added hsm, ihealthcheck, hosting), and detailed
  PackageReleaseNotes covering everything new in 0.4. SourceLink +
  deterministic builds + symbol packages preserved.
- CHANGELOG.md has a complete 0.4 entry under Keep-a-Changelog conventions.

Verification
- Full solution: 0 warnings, 0 errors on net8.0/net9.0/net10.0.
- 60 core tests + 14 DI tests = 74 tests, all passing.
- dotnet pack on both packages produces .nupkg + .snupkg at v0.4.0-preview.1.

To God be the glory - 1 Corinthians 10:31

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Author

Superseded by #9.

@dependabot dependabot Bot closed this Jul 1, 2026
@dependabot
dependabot Bot deleted the dependabot/github_actions/actions/checkout-6 branch July 1, 2026 08:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants