chore(deps): update actions/checkout action to v4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v3.6.0 -> v4.2.2

---

Release Notes

actions/checkout (actions/checkout)

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in https://github.com/actions/checkout/pull/1941
• Expand unit test coverage for isGhes by @​jww3 in https://github.com/actions/checkout/pull/1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in https://github.com/actions/checkout/pull/1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in https://github.com/actions/checkout/pull/1180
• Dependency updates by @​dependabot- https://github.com/actions/checkout/pull/1777, https://github.com/actions/checkout/pull/1872

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in https://github.com/actions/checkout/pull/1739
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1697
• Check out other refs/* by commit by @​orhantoy in https://github.com/actions/checkout/pull/1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in https://github.com/actions/checkout/pull/1776

v4.1.6

Compare Source

• Check platform to set archive extension appropriately by @​cory-miller in https://github.com/actions/checkout/pull/1732

v4.1.5

Compare Source

What's Changed

• Update NPM dependencies by @​cory-miller in https://github.com/actions/checkout/pull/1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in https://github.com/actions/checkout/pull/1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1695
• README: Suggest user.email to be 41898282+github-actions[bot]@​users.noreply.github.com by @​cory-miller in https://github.com/actions/checkout/pull/1707

Full Changelog: actions/checkout@v4.1.4...v4.1.5

v4.1.4

Compare Source

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in https://github.com/actions/checkout/pull/1692
• Add dependabot config by @​cory-miller in https://github.com/actions/checkout/pull/1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in https://github.com/actions/checkout/pull/1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in https://github.com/actions/checkout/pull/1643

v4.1.3

Compare Source

What's Changed

• Update actions/checkout version in update-main-version.yml by @​jww3 in https://github.com/actions/checkout/pull/1650
• Check git version before attempting to disable sparse-checkout by @​jww3 in https://github.com/actions/checkout/pull/1656
• Add SSH user parameter by @​cory-miller in https://github.com/actions/checkout/pull/1685

Full Changelog: actions/checkout@v4.1.2...v4.1.3

v4.1.2

Compare Source

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in https://github.com/actions/checkout/pull/1598

v4.1.1

Compare Source

What's Changed

• Update CODEOWNERS to Launch team by @​joshmgross in https://github.com/actions/checkout/pull/1510
• Correct link to GitHub Docs by @​peterbe in https://github.com/actions/checkout/pull/1511
• Link to release page from what's new section by @​cory-miller in https://github.com/actions/checkout/pull/1514

New Contributors

• @​joshmgross made their first contribution in https://github.com/actions/checkout/pull/1510
• @​peterbe made their first contribution in https://github.com/actions/checkout/pull/1511

Full Changelog: actions/checkout@v4.1.0...v4.1.1

v4.1.0

Compare Source

• Add support for partial checkout filters

v4.0.0

Compare Source

• Support fetching without the --progress option
• Update to node20

---

Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

[puLL-Merge] - actions/checkout@v3.6.0..v4.1.4

Description

This PR makes several changes to the actions/checkout repository, including:

• Updating the default Node version to 20.x
• Adding a new filter option to partially clone the repository
• Adding a new show-progress option to control fetch progress output
• Disabling sparse-checkout when not explicitly enabled
• Adding dependabot config for automated dependency updates
• Updating test workflows and adding a new test-ubuntu-git container image

The motivation for these changes appears to be:

• Keeping actions/checkout up-to-date with the latest Node.js runtime
• Providing more flexibility and control over the checkout process with new filter and show-progress options
• Ensuring proper behavior when sparse-checkout is not used
• Automating dependency management with dependabot
• Improving the robustness of the test suite

Changes

Changes

.github/dependabot.yml:

• Added new dependabot configuration for automated npm and GitHub Actions dependency updates

.github/workflows/check-dist.yml:

• Updated Node.js version from 16.x to 20.x

.github/workflows/test.yml:

• Updated actions/checkout version to v4.1.1 in some steps
• Added a new step to test the new filter option
• Added a new step to test disabling sparse-checkout in an existing checkout
• Updated the test-proxy job to use a new test-ubuntu-git container image

.github/workflows/update-main-version.yml:

• Added v4 as a new major version option
• Updated the actions/checkout version used in the workflow to v4.1.1

.github/workflows/update-test-ubuntu-git.yml:

• Added new workflow to build and publish the test-ubuntu-git container image

images/test-ubuntu-git.Dockerfile & images/test-ubuntu-git.md:

• Added a new Ubuntu-based container image with git pre-installed for testing

src/ & test/ folders:

• Updated code and tests to support the new filter and show-progress options
• Added logic to disable sparse-checkout when not explicitly enabled
• Bumped minimum required git version for sparse-checkout to 2.28

Security Hotspots

1. High risk: The new filter option allows partially cloning the repository, which could potentially allow leaking sensitive data if not properly validated. The implementation should ensure filter values are properly sanitized.

2. Medium risk: The bump to Node.js 20.x runtime could introduce new vulnerabilities. The code changes should be thoroughly reviewed and tested, especially around any new or changed dependencies.

3. Low risk: Allowing dependabot to automatically update dependencies could pull in vulnerable versions if not configured properly. The dependabot configuration should specify safe version ranges and be monitored closely.

Overall, this is a significant set of changes that touch many parts of the codebase. While the new features seem useful, care should be taken in reviewing and testing the security of the new filter option and Node.js 20.x upgrade prior to release. Setting up automated dependency scanning would also help mitigate risks from the dependabot updates.