
renovate[bot] (Contributor) commented Sep 9, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | major | v4 -> v5 |

Release Notes

actions/checkout (actions/checkout): v5 (Compare Source)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

github-actions bot (Contributor) commented Sep 9, 2025

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ⚠️ ACTION | actionlint | 4 | | 3 | 0 | 0.31s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 2.13s |
| ⚠️ DOCKERFILE | hadolint | 2 | | 1 | 0 | 0.32s |
| ✅ JSON | jsonlint | 3 | | 0 | 0 | 0.16s |
| ✅ JSON | prettier | 3 | 0 | 0 | 0 | 0.49s |
| ✅ JSON | v8r | 3 | | 0 | 0 | 3.32s |
| ⚠️ MARKDOWN | markdownlint | 12 | 0 | 18 | 0 | 1.14s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 1 | 0 | 0 | 0.22s |
| ✅ PYTHON | bandit | 6 | | 0 | 0 | 0.85s |
| ✅ PYTHON | black | 6 | 0 | 0 | 0 | 0.78s |
| ✅ PYTHON | flake8 | 6 | | 0 | 0 | 0.46s |
| ✅ PYTHON | isort | 6 | 0 | 0 | 0 | 0.17s |
| ⚠️ PYTHON | mypy | 6 | | 4 | 0 | 5.56s |
| ✅ PYTHON | pylint | 6 | | 0 | 0 | 5.2s |
| ⚠️ PYTHON | pyright | 6 | | 6 | 0 | 1.91s |
| ✅ PYTHON | ruff | 6 | 0 | 0 | 0 | 0.02s |
| ✅ REPOSITORY | checkov | yes | | no | no | 13.14s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 5.56s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ⚠️ REPOSITORY | grype | yes | | 18 | no | 23.93s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.51s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.12s |
| ❌ REPOSITORY | trivy | yes | | 1 | no | 6.92s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.49s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.84s |
| ✅ SPELL | cspell | 47 | | 0 | 0 | 4.24s |
| ✅ SPELL | lychee | 29 | | 0 | 0 | 1.77s |
| ✅ YAML | prettier | 14 | 0 | 0 | 0 | 0.82s |
| ✅ YAML | v8r | 14 | | 0 | 0 | 5.62s |
| ✅ YAML | yamllint | 14 | | 0 | 0 | 0.66s |

Detailed Issues

❌ REPOSITORY / trivy - 1 error
2025-09-09T13:14:48Z	INFO	[vulndb] Need to update DB
2025-09-09T13:14:48Z	INFO	[vulndb] Downloading vulnerability DB...
2025-09-09T13:14:48Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-09-09T13:14:52Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-09-09T13:14:52Z	INFO	[vuln] Vulnerability scanning is enabled
2025-09-09T13:14:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-09-09T13:14:52Z	INFO	[misconfig] Need to update the checks bundle
2025-09-09T13:14:52Z	INFO	[misconfig] Downloading the checks bundle...
2025-09-09T13:14:54Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-09-09T13:14:54Z	INFO	Number of language-specific files	num=2
2025-09-09T13:14:54Z	INFO	[pip] Detecting vulnerabilities...
2025-09-09T13:14:54Z	INFO	[poetry] Detecting vulnerabilities...
2025-09-09T13:14:54Z	INFO	Detected config files	num=2

Report Summary

┌───────────────────┬────────────┬─────────────────┬───────────────────┐
│      Target       │    Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ poetry.lock       │   poetry   │        7        │         -         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ requirements.txt  │    pip     │        0        │         -         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ Dockerfile        │ dockerfile │        -        │         1         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ docker/Dockerfile │ dockerfile │        -        │         0         │
└───────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.66/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


poetry.lock (poetry)
====================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ certifi  │ CVE-2024-39689 │ LOW      │ fixed  │ 2024.2.2          │ 2024.7.4       │ python-certifi: Remove root certificates from `GLOBALTRUST`  │
│          │                │          │        │                   │                │ from the root store                                          │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-39689                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ idna     │ CVE-2024-3651  │ MEDIUM   │        │ 3.6               │ 3.7            │ python-idna: potential DoS via resource consumption via      │
│          │                │          │        │                   │                │ specially crafted inputs to idna.encode()...                 │
│          │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-3651                    │
├──────────┼────────────────┤          │        ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ requests │ CVE-2024-35195 │          │        │ 2.31.0

(Truncated to 5714 characters out of 9220)
⚠️ ACTION / actionlint - 3 errors
.github/workflows/github-dependents-info.yml:52:9: shellcheck reported issue in this script: SC2086:info:1:15: Double quote to prevent globbing and word splitting [shellcheck]
   |
52 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/github-dependents-info.yml:52:9: shellcheck reported issue in this script: SC2086:info:1:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
52 |         run: sudo chown -R $USER:$USER .
   |         ^~~~
.github/workflows/release.yml:63:9: shellcheck reported issue in this script: SC2086:info:1:55: Double quote to prevent globbing and word splitting [shellcheck]
   |
63 |         run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> ${GITHUB_ENV}
   |         ^~~~
⚠️ REPOSITORY / grype - 18 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME          INSTALLED  FIXED IN  TYPE    VULNERABILITY        SEVERITY  EPSS           RISK   
setuptools    69.1.1     70.0.0    python  GHSA-cx63-2mw6-8hw5  High      10.1% (92nd)   8.2    
certifi       2024.2.2   2024.7.4  python  GHSA-248v-346w-9cwc  Low       21.2% (95th)   6.4    
virtualenv    20.25.1    20.26.6   python  GHSA-rqc4-2hc7-8c8v  High      1.0% (76th)    0.8    
idna          3.6        3.7       python  GHSA-jjg7-2v4v-x38h  Medium    0.3% (55th)    0.2    
setuptools    69.1.1     78.1.1    python  GHSA-5rjg-fvgr-3xxf  High      0.1% (34th)    0.1    
jinja2        3.1.3      3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium    0.2% (41st)    0.1    
authlib       1.3.0      1.3.1     python  GHSA-5357-c2jx-v7qh  High      0.1% (34th)    0.1    
cryptography  42.0.5     44.0.1    python  GHSA-79v4-65xg-pq4g  Low       0.3% (49th)    < 0.1  
urllib3       2.2.1      2.2.2     python  GHSA-34jh-p97f-mpxf  Medium    0.1% (34th)    < 0.1  
black         24.2.0     24.3.0    python  GHSA-fj7x-q9j7-g6q6  Medium    < 0.1% (18th)  < 0.1  
jinja2        3.1.3      3.1.6     python  GHSA-cpwx-vrp4-4pq7  Medium    < 0.1% (18th)  < 0.1  
jinja2        3.1.3      3.1.5     python  GHSA-q2x7-8rv6-6q7h  Medium    < 0.1% (13th)  < 0.1  
requests      2.31.0     2.32.0    python  GHSA-9wx4-h78v-vm56  Medium    < 0.1% (7th)   < 0.1  
jinja2        3.1.3      3.1.5     python  GHSA-gmj6-6f8f-6699  Medium    < 0.1% (4th)   < 0.1  
requests      2.31.0     2.32.4    python  GHSA-9hjg-9r4m-mvj7  Medium    < 0.1% (6th)   < 0.1  
urllib3       2.2.1      2.5.0     python  GHSA-pq67-6m6q-mj2v  Medium    < 0.1% (2nd)   < 0.1  
urllib3       2.2.1      2.5.0     python  GHSA-48p4-8xcf-vxj5  Medium    < 0.1% (1st)   < 0.1  
cryptography  42.0.5     43.0.1    python  GHSA-h4gh-qq45-vh27  Medium    N/A            N/A
[0023] ERROR discovered vulnerabilities at or above the severity threshold
⚠️ DOCKERFILE / hadolint - 1 error
Dockerfile:6 DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
docker/Dockerfile:7 DL3008 warning: Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
docker/Dockerfile:12 DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
docker/Dockerfile:15 DL3003 warning: Use WORKDIR to switch to a directory
docker/Dockerfile:15 DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
docker/Dockerfile:15 SC2226 warning: This ln has no destination. Check the arguments, or specify '.' explicitly.
docker/Dockerfile:24 DL3025 warning: Use arguments JSON notation for CMD and ENTRYPOINT arguments
⚠️ MARKDOWN / markdownlint - 18 errors
.github/PULL_REQUEST_TEMPLATE.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## Description"]
README.md:45:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:46:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:47:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:48:2 MD045/no-alt-text Images should have alternate text (alt text)
README.md:212:3 MD051/link-fragments Link fragments should be valid [Context: "[Installation](#⚙️-installation)"]
README.md:213:3 MD051/link-fragments Link fragments should be valid [Context: "[Usage](#🛠️-usage)"]
README.md:214:3 MD051/link-fragments Link fragments should be valid [Context: "[Examples](#🧪-examples)"]
README.md:240:185 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe]
README.md:241:1 MD055/table-pipe-style Table pipe style [Expected: leading_and_trailing; Actual: trailing_only; Missing leading pipe]
README.md:241:271 MD056/table-column-count Table column count [Expected: 3; Actual: 1; Too few cells, row will be missing data]
README.md:256 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:260 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:265 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:269 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:273 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:277 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
README.md:281 MD046/code-block-style Code block style [Expected: fenced; Actual: indented]
⚠️ PYTHON / mypy - 4 errors
Collecting types-requests
  Downloading types_requests-2.32.4.20250809-py3-none-any.whl.metadata (2.0 kB)
Collecting urllib3>=2 (from types-requests)
  Downloading urllib3-2.5.0-py3-none-any.whl.metadata (6.5 kB)
Downloading types_requests-2.32.4.20250809-py3-none-any.whl (20 kB)
Downloading urllib3-2.5.0-py3-none-any.whl (129 kB)
Installing collected packages: urllib3, types-requests
Successfully installed types-requests-2.32.4.20250809 urllib3-2.5.0
github_dependents_info/gh_dependents_info.py:43: error: Need type annotation for "packages" (hint: "packages: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:44: error: Need type annotation for "all_public_dependent_repos" (hint: "all_public_dependent_repos: list[<type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:45: error: Need type annotation for "badges" (hint: "badges: dict[<type>, <type>] = ...")  [var-annotated]
github_dependents_info/gh_dependents_info.py:46: error: Need type annotation for "result" (hint: "result: dict[<type>, <type>] = ...")  [var-annotated]
Installing missing stub packages:
/venvs/mypy/bin/python3 -m pip install types-requests


Found 4 errors in 1 file (checked 6 source files)
⚠️ PYTHON / pyright - 6 errors
github_dependents_info/__main__.py
  github_dependents_info/__main__.py:3:8 - error: Import "typer" could not be resolved (reportMissingImports)
  github_dependents_info/__main__.py:6:6 - error: Import "rich.console" could not be resolved (reportMissingImports)
github_dependents_info/gh_dependents_info.py
  github_dependents_info/gh_dependents_info.py:8:8 - error: Import "pandas" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:10:6 - error: Import "bs4" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:12:6 - error: Import "requests.packages.urllib3.util.retry" could not be resolved (reportMissingImports)
  github_dependents_info/gh_dependents_info.py:144:49 - error: "total_public_stars" is possibly unbound (reportPossiblyUnboundVariable)
6 errors, 0 warnings, 0 informations

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@beta --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
