Checkout Alternatives

checkout reviews and mentions

• Bypassing GitHub Actions policies in the dumbest way possible
  3 projects | news.ycombinator.com | 11 Jun 2025

  what with actions/checkout@v4, hows that documented?

  https://github.com/actions/checkout/issues/567#issuecomment-...

  GH has a `permissions:` entry and this mechanism already for internal repo action sharing. And thousands of our dollars per month.

• GitHub's checkout action is halting contributions
  1 project | news.ycombinator.com | 7 Jun 2025
• How to Harden GitHub Actions: The Unofficial Guide
  9 projects | news.ycombinator.com | 8 May 2025

  Here is an example in the wild: https://github.com/actions/checkout/actions/workflows/publis...

• Using Checkout Action in GitHub Actions Workflow
  5 projects | dev.to | 5 May 2025

  The snippet above creates a step called "Checkout repository", which uses the actions/checkout action. The @ character allows you to pin the version of the action - in this case, version v4. You can see previous and future versions in the checkout releases on GitHub.

• Popular GitHub Action tj-actions/changed-files is compromised
  35 projects | news.ycombinator.com | 14 Mar 2025

  I think a big part of the problem is the way one typically "installs" a GH action: by copy-pasting something from README of the action.

  Let's have a look at a random official GH provided action:

  https://github.com/actions/checkout

  It lists the following snippet:

  `uses: actions/checkout@v4`

  Everyone will just copy paste this snippet and call it a day.

  In case of npm/yarn deps, one would often do the same, and copy paste `yarn install foobar`, but then when installing, npm/yarn would create a lockfile and pin the version. Whereas there's no "installer" CLI for GH actions that would pin the version for you, you just copy-paste and git push.

  To make things better, ideally, the owners of actions would update the workflows which release a new version of the GH action, to make it update README snippet with the sha256 of the most recent release.

• Tj-actions/changed-files GitHub Action Compromised – used by over 23K repos
  15 projects | news.ycombinator.com | 14 Mar 2025

  It seems pretty awful that the de-facto way to use GitHub Actions is using git tags which are not immutable. For example to checkout code [1]:

  - uses: actions/checkout@v4

  Github does advise people to harden their actions by referring to git commit hashes [2] but Github currently only supports SHA-1 as hashing algorithm. Creating collisions with this hashing algo will be more and more affordable and I'm afraid that we will see attacks using the hash collisions during my lifetime.

  I wish that they will add support for SHA-256 soon and wrote product feedback regarding it here: https://github.com/orgs/community/discussions/154056

  If this resonates with you please go and give it a thumbs up :)

  [1]: https://github.com/actions/checkout?tab=readme-ov-file#usage

  [2]: https://docs.github.com/en/actions/security-for-github-actio...

• Asynchronous Server: Building and Rigorously Testing a WebSocket and HTTP Server
  2 projects | dev.to | 19 Feb 2025

  GitHub Actions uses .yaml or .yml files to define workflows, similar to docker-compose.yml. In this case, we're using the latest Ubuntu distribution as the environment. We use version 4 of the actions/checkout action to check out our repository. We also install system dependencies required by some of the Python packages, such as poppler-utils for pdf2image and tesseract-ocr and libtesseract-dev for pytesseract. Since our project doesn't have database interaction, we don't need a services section. The remaining steps are self-explanatory. We then execute our bash script to check the codebase against our defined standards. We also supply environment variables and run the tests (which we'll write later). This CI/CD pipeline runs on every pull request or push to the utility branch.

• How to Set Up Automated Tests with a QA Coding Agent for Flutter
  2 projects | dev.to | 14 Feb 2025

  GitAuto used v2, while v4 is the latest available according to the official GitHub Actions Checkout documentation. Another area for potential improvement.

• Tell HN: GitHub doesn't cleanup spam in their own repos
  1 project | news.ycombinator.com | 3 Jan 2025

  I was checking out the actions/checkout repository, which is something most GitHub actions are bound to use, and navigated to the issues:

  https://github.com/actions/checkout/issues

  On the first page aline I found cryptocurrency scams, no effort issues, and outright spam, from days to months old. It is an official GitHub repository for one of their most popular actions in a major feature, with hundreds of watchers and thousands of forks and stars. Yet it looks completely abandoned. No wonder the state of spam on GitHub.

• Lock Mechanism on GitHub Actions
  3 projects | dev.to | 14 Nov 2024

  Manage branches via GitHub API without git command. You don't have to checkout repositories by actions/checkout

• A note from our sponsor - Stream
  getstream.io | 11 Jul 2025

  Stream helps developers build engaging apps that scale to millions with performant and flexible Chat, Feeds, Moderation, and Video APIs and SDKs powered by a global edge network and enterprise-grade infrastructure. Learn more →