Bump actions/checkout from 4 to 5

[dependabot]

Bumps actions/checkout from 4 to 5.

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

New Contributors

• @​Jcambass made their first contribution in actions/checkout#1919

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[solardiz]

I wonder why we got this PR at all - I think we didn't opt in to these, did we?

More importantly, we got this failure in the asan job here:

https://github.com/openwall/john/actions/runs/18160361140/job/51689571786?pr=5857

make[1]: Leaving directory '/home/runner/work/john/john/src'
../run/john --test=0 --verbosity=2 --format=cpu
Will run 2 OpenMP threads
Testing: descrypt, traditional crypt(3) [DES 512/512 AVX512F]... (2xOMP) PASS
Testing: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 512/512 AVX512F]... (2xOMP) PASS
Testing: md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX-512 16x3]... (2xOMP) PASS
Testing: md5crypt-long, crypt(3) $1$ (and variants) [MD5 32/64]... (2xOMP) PASS
Testing: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X3]... (2xOMP) PASS
Testing: scrypt (16384, 8, 1) [Salsa20/8 128/128 AVX512VL]... (2xOMP) PASS
Testing: LM [DES 512/512 AVX512F]... (2xOMP) PASS
Testing: AFS, Kerberos AFS [DES 48/64 4K]... PASS
Testing: tripcode [DES 512/512 AVX512F]... (2xOMP) PASS
Testing: AndroidBackup [PBKDF2-SHA1 512/512 AVX-512 16x AES]... (2xOMP) PASS
Testing: adxcrypt, IBM/Toshiba 4690 [ADXCRYPT 32/64]... (2xOMP) PASS
Testing: agilekeychain, 1Password Agile Keychain [PBKDF2-SHA1 AES 512/512 AVX-512 16x]... (2xOMP) PASS
Testing: aix-ssha1, AIX LPA {ssha1} [PBKDF2-SHA1 512/512 AVX-512 16x]... (2xOMP) PASS
Testing: aix-ssha256, AIX LPA {ssha256} [PBKDF2-SHA256 512/512 AVX-512 16x]... (2xOMP) PASS
Testing: aix-ssha512, AIX LPA {ssha512} [PBKDF2-SHA512 512/512 AVX-512 8x]... (2xOMP) PASS
Testing: andOTP [SHA256 32/64]... (2xOMP) PASS
Testing: ansible, Ansible Vault [PBKDF2-SHA256 HMAC-256 512/512 AVX-512 16x]... (2xOMP) PASS
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9476==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x56389dd0dd99 bp 0x7fffd3a14710 sp 0x7fffd3a14440 T0)
==9476==The signal is caused by a READ memory access.
==9476==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x56389dd0dd99 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #1 0x56389dd0dd99 in blake2b_long /home/runner/work/john/john/src/blake2b_plug.c:420
    #2 0x56389dce0c61 in argon2_fill_first_blocks /home/runner/work/john/john/src/argon2_core_plug.c:533
    #3 0x56389dce1e2a in argon2_initialize /home/runner/work/john/john/src/argon2_core_plug.c:652
    #4 0x56389dcef787 in argon2_ctx /home/runner/work/john/john/src/argon2_plug.c:82
    #5 0x56389dce3e61 in crypt_all._omp_fn.0 /home/runner/work/john/john/src/argon2_fmt_plug.c:343
    #6 0x7f36d0cd9976 in GOMP_parallel (/lib/x86_64-linux-gnu/libgomp.so.1+0x18976) (BuildId: be297f11b9b4baa3674f3d9e232b2a87b3abf6b2)
    #7 0x56389dce4328 in crypt_all /home/runner/work/john/john/src/argon2_fmt_plug.c:323
    #8 0x56389df50cba in is_key_right /home/runner/work/john/john/src/formats.c:594
    #9 0x56389df58dbb in fmt_self_test_body /home/runner/work/john/john/src/formats.c:1329
    #10 0x56389df59ed3 in fmt_self_test /home/runner/work/john/john/src/formats.c:2079
    #11 0x56389df33c2b in benchmark_all /home/runner/work/john/john/src/bench.c:883
    #12 0x56389df68364 in john_run /home/runner/work/john/john/src/john.c:1695
    #13 0x56389df68364 in main /home/runner/work/john/john/src/john.c:2117
    #14 0x7f36d0a2a1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #15 0x7f36d0a2a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #16 0x56389da7f1c4 in _start (/home/runner/work/john/john/run/john+0x20c1c4) (BuildId: 18beebd341eb701e452fb3792d41b6bd1756f5c1)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 in memcpy
==9476==ABORTING
make: *** [Makefile:1694: check] Error 1
Command exited with non-zero status 2
29.91user 1.08system 0:22.71elapsed 136%CPU (0avgtext+0avgdata 563988maxresident)k
8808inputs+345240outputs (32major+348048minor)pagefaults 0swaps
Testing: Argon2 [BlaMka 512/512 AVX512F]... (2xOMP) 

[solardiz]

I re-ran the asan job for this PR, and the same failure repeated. So it's probably a real issue we have that's reliably exposed by the newer environment, which has:

GNU C Library (Ubuntu GLIBC 2.39-0ubuntu8.6) stable release version 2.39.
gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0

[solardiz]

I wonder why we got this PR at all - I think we didn't opt in to these, did we?

Oh, actually we do have .github/dependabot.yml, maybe that's it.

[solardiz]

==9476==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x56389dd0dd99 bp 0x7fffd3a14710 sp 0x7fffd3a14440 T0)
==9476==The signal is caused by a READ memory access.
==9476==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x56389dd0dd99 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #1 0x56389dd0dd99 in blake2b_long /home/runner/work/john/john/src/blake2b_plug.c:420

I think this is a false positive (ASan bug). The code is:

        uint8_t out_buffer[BLAKE2B_OUTBYTES];
        uint8_t in_buffer[BLAKE2B_OUTBYTES];
        TRY(blake2b_init(&blake_state, BLAKE2B_OUTBYTES));
        TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));
        TRY(blake2b_update(&blake_state, in, inlen));
        TRY(blake2b_final(&blake_state, out_buffer, BLAKE2B_OUTBYTES));
        memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);
        out += BLAKE2B_OUTBYTES / 2;
        toproduce = (uint32_t)outlen - BLAKE2B_OUTBYTES / 2;

        while (toproduce > BLAKE2B_OUTBYTES) {
            memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);

Line 420 is the last memcpy above. Both buffers are of the exact size passed to memcpy.

[solardiz]

I think this is a false positive (ASan bug).

... or maybe an over-read bug or deliberate safe over-read in the fortified memcpy. Either way, not our bug.

[solardiz]

I'm now testing changes like in this PR, but excluding "asan", in a push to my fork of the repo. If all CI jobs pass, I'll push the same to this repo.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.