ci: revert actions/checkout to v5 due to update-flake-lock incompatibility

Root cause: DeterminateSystems/update-flake-lock@v27 uses peter-evans/create-pull-request@v6.0.5 internally, which is incompatible with actions/checkout@v6's new credential storage mechanism. The Problem Chain: - actions/checkout@v6 moved credentials from .git/config to $RUNNER_TEMP (security improvement) - peter-evans/create-pull-request@v6.0.5 cannot access credentials from the new $RUNNER_TEMP location - This causes exit code 128 when update-flake-lock tries to create PRs The Fix: - create-pull-request@v7.0.9 fixed v6 compatibility - However, update-flake-lock@v27 (released July 2025) hasn't upgraded yet - Reverting to v5 restores working credential access Next Steps: - Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+ - https://github.com/DeterminateSystems/update-flake-lock/pull/224 - Dependabot configured to ignore v6 upgrades until compatibility is fixed Fixes: https://github.com/nix-community/home-manager/actions/runs/19712979574 See: https://github.com/peter-evans/create-pull-request/issues/690 Signed-off-by: Austin Horstman <khaneliman12@gmail.com>
2026-01-12 01:59:37 +08:00 · 2025-11-26 12:42:01 -06:00
parent 946907fa6a
commit 8220473f95
2 changed files with 14 additions and 1 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,6 +7,10 @@ updates:
      interval: "weekly"
    commit-message:
      prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
@@ -15,3 +19,7 @@ updates:
      interval: "weekly"
    commit-message:
      prefix: "ci:"
+    ignore:
+      # Ignore v6 until update-flake-lock upgrades to create-pull-request@v7.0.9+
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -35,7 +35,12 @@ jobs:
            echo "email=$id+$name@users.noreply.github.com"
          } >> "$GITHUB_OUTPUT"
      - name: Checkout repository
-        uses: actions/checkout@v6
+        # NOTE: v6 is incompatible with update-flake-lock@v27 due to credential
+        # storage changes. update-flake-lock uses peter-evans/create-pull-request@v6.0.5
+        # which doesn't work with v6's $RUNNER_TEMP credential storage.
+        # Can upgrade to v6 once update-flake-lock uses create-pull-request@v7.0.9+
+        # See: https://github.com/peter-evans/create-pull-request/issues/690
+        uses: actions/checkout@v5
        with:
          ref: ${{ matrix.branch }}
          token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}