
@shenxianpeng
Collaborator

@shenxianpeng shenxianpeng commented Aug 12, 2025

Not sure why #304 also does not work as expected to bump actions/checkout from 4 to 5 automatically

Maybe we should bump it manually and include README.md

Summary by CodeRabbit

  • Chores
    • Upgraded GitHub Actions checkout step to v5 across example workflows for improved compatibility and security.
  • Documentation
    • Updated README examples to reference checkout v5, ensuring instructions match the latest workflow configuration.

@shenxianpeng shenxianpeng requested a review from a team as a code owner August 12, 2025 11:18
@shenxianpeng shenxianpeng requested review from 2bndy5 and removed request for a team August 12, 2025 11:18
@shenxianpeng shenxianpeng added the dependencies Pull requests that update a dependency file label Aug 12, 2025
@github-actions github-actions bot added the documentation Improvements or additions to documentation label Aug 12, 2025
Collaborator

@2bndy5 2bndy5 left a comment

It seems dependabot does not look for workflows recursively. It's a shame that we have to do this manually and dependabot is oddly configured for the github_actions ecosystem.

@coderabbitai
Contributor

coderabbitai bot commented Aug 12, 2025

Walkthrough

Updated actions/checkout from v4 to v5 in three example GitHub Actions workflows and aligned the README snippet accordingly. No other workflow logic or code was changed.

Changes

| Cohort / File(s) | Summary of Changes |
|---|---|
| Workflow examples: .github/workflows/examples/only-PR-comments.yml, .github/workflows/examples/only-clang-format.yml, .github/workflows/examples/only-clang-tidy.yml | Bumped actions/checkout from v4 to v5 in cpp-linter workflows. |
| Documentation: README.md | Updated YAML example to use actions/checkout@v5. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.github/workflows/examples/only-clang-tidy.yml (1)

14-14: Optional: Consider pinning the action for supply-chain hardening

If your policy prefers immutable refs, pin to a specific tag (e.g., v5.x.y) or commit SHA instead of the floating major tag.

.github/workflows/examples/only-clang-format.yml (1)

14-14: Optional: Pin to a stable tag or commit SHA

Using an immutable ref (v5.x.y or a commit SHA) can reduce supply-chain risk in examples.

.github/workflows/examples/only-PR-comments.yml (1)

16-16: Optional: Pin the action version

Consider pinning to v5.x.y or a commit SHA for reproducibility.

README.md (1)

53-53: Optional: Encourage readers to pin versions in CI snippets

For best practices in security/reproducibility, consider showing a pinned tag (v5.x.y) or commit SHA in the snippet.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 483a97b and bc5a596.

📒 Files selected for processing (4)
  • .github/workflows/examples/only-PR-comments.yml (1 hunks)
  • .github/workflows/examples/only-clang-format.yml (1 hunks)
  • .github/workflows/examples/only-clang-tidy.yml (1 hunks)
  • README.md (1 hunks)
🔇 Additional comments (8)
.github/workflows/examples/only-clang-tidy.yml (2)

14-14: LGTM: checkout bumped to v5 as intended

The upgrade is scoped and safe; no other workflow logic changed.


14-14: All actions/checkout references updated to @v5

No occurrences of actions/checkout@v4 remain—every workflow and doc now uses actions/checkout@v5:

• README.md:53
• .github/workflows/cpp-linter.yml:16
• .github/workflows/self-test.yml:39
• .github/workflows/release.yml:22
• .github/workflows/examples/only-clang-format.yml:14
• .github/workflows/examples/only-PR-comments.yml:16
• .github/workflows/examples/only-clang-tidy.yml:14

No further updates needed.

.github/workflows/examples/only-clang-format.yml (2)

14-14: LGTM: updated to actions/checkout@v5

Change is minimal and aligned with the PR objective.


14-14: All workflows reference actions/checkout@v5

I ran a repository-wide search and confirmed every workflow using actions/checkout is on @v5; no @v4 references remain.

.github/workflows/examples/only-PR-comments.yml (2)

16-16: LGTM: checkout moved to v5; permissions already constrained

The job already scopes permissions (pull-requests: write). No other adjustments needed for the bump.


16-16: No remaining actions/checkout@v4 references

Scanned all YAML and Markdown files in the repo and confirmed there are no lingering actions/checkout@v4 usages. Everything is correctly updated to @v5.

README.md (2)

53-53: LGTM: documentation snippet now uses actions/checkout@v5

Docs match the updated example workflows.


53-53: All documentation references have been updated to v5

I’ve searched README.md, the docs/ folder, and all .md files for actions/checkout@v4 and found no remaining occurrences.
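
Added example, not part of the PR thread or the project's own code: a Python scanner that walks workflow YAML recursively (so subdirectories such as .github/workflows/examples/ are included) plus Markdown snippets, and classifies each `uses:` ref as a commit SHA, a full tag, or a floating tag, which is the check behind the pinning nitpicks above. The function names, `example-org/example-action` and the 40-hex SHA in the sample are constructed placeholders.

```python
import re
from pathlib import Path

# "uses: owner/repo[/subpath]@ref" as written in workflow YAML or README snippets.
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)")

def classify_ref(ref):
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"              # full commit SHA: immutable
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "full-tag"         # specific release tag (a tag can still be re-pointed)
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "floating-tag"     # e.g. v5: moves with every release
    return "branch-or-other"

def scan_text(text, source="<memory>"):
    """Return (source, line_no, action, ref, kind) for each uses: line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # skip commented-out steps
            continue
        m = USES_RE.search(line)
        if m:
            findings.append((source, line_no, m.group(1), m.group(2), classify_ref(m.group(2))))
    return findings

def scan_repo(root):
    """Scan every YAML file under any .github directory, plus all Markdown files."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        is_workflow = p.suffix in {".yml", ".yaml"} and ".github" in p.parts
        if p.is_file() and (is_workflow or p.suffix == ".md"):
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"),
                                      str(p.relative_to(root))))
    return findings

# Constructed sample steps; the action name and SHA below are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@v5
  - uses: example-org/example-action@v1.2.3
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/example-action@main
  # - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for source, line_no, action, ref, kind in scan_text(SAMPLE, "sample.yml"):
        print(f"{source}:{line_no}: {action}@{ref} -> {kind}")
```

Running `scan_repo(".")` from a repository root and filtering for anything other than `sha` gives the list of refs a reviewer would need to pin or bump by hand.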

@shenxianpeng shenxianpeng removed the documentation Improvements or additions to documentation label Aug 12, 2025
@shenxianpeng shenxianpeng merged commit 0f6d1b8 into main Aug 12, 2025
6 checks passed
@shenxianpeng shenxianpeng deleted the chore/bump-checkout-action branch August 12, 2025 11:45