Skip to content

chore(deps): Bump actions/checkout from 6 to 7#262

Merged
finallyjay merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Jun 25, 2026
Merged

chore(deps): Bump actions/checkout from 6 to 7#262
finallyjay merged 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 23, 2026
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow to use the latest version of the checkout action.

Walkthrough

The CI workflow file is updated to use actions/checkout@v7 instead of actions/checkout@v6 on the checkout step. No other workflow steps or configuration are modified.

Changes

CI Checkout Action Upgrade

Layer / File(s) Summary
Upgrade actions/checkout from v6 to v7
.github/workflows/ci.yml
The checkout step version is bumped from actions/checkout@v6 to actions/checkout@v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Possibly related PRs

  • finallyjay/steam-backlog-hunter#249: Also bumps a GitHub Actions version in the same CI workflow file (pnpm/action-setup@v5→v6), making it a directly related workflow-dependency update.

Poem

🐇 A checkout of six is now seven, hooray,
One line in the workflow, a bright CI day!
The rabbit hops forth with a version so new,
No backlog of bugs, just a fresh morning dew.
squeak

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is incomplete relative to the template. It lacks a structured summary section explaining the why, is missing test plan checkboxes, and does not include a related issues section. Add a structured Summary section with 1-3 bullets explaining why the upgrade is beneficial, complete the Test plan section with test steps, and include a Related issues section with any relevant issue numbers.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: bumping actions/checkout from version 6 to version 7, which is the primary focus of this pull request.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-7

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

16-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Action version is not pinned to a commit hash—consider pinning for security.

Using actions/checkout@v7 pins to a major version tag, but does not prevent tag reassignment or unexpected behavior. Many security policies recommend pinning to a specific commit hash (e.g., actions/checkout@a7e2eabaae5d51aa524064699f56900e0f8c70f4).

If your organization or project has a policy requiring hash pinning, this upgrade provides an opportunity to address it. If v6 was also unpinned, consider treating both together.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 16, The `actions/checkout@v7` action
reference uses a major version tag instead of being pinned to a specific commit
hash, which could allow for unexpected changes if the tag is reassigned. Replace
the version tag reference with a full commit hash (for example,
`a7e2eabaae5d51aa524064699f56900e0f8c70f4`) to ensure the exact version of the
action is always used and to improve security and reproducibility of the
workflow.

Source: Linters/SAST tools


15-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider setting persist-credentials: false if credentials are not needed downstream.

By default, actions/checkout@v7 persists Git credentials in the environment. If this workflow does not require Git authentication for downstream steps (e.g., for subsequent git commands or private dependencies), explicitly setting persist-credentials: false reduces the attack surface and follows the principle of least privilege.

Review the workflow steps (lint, test, build) to determine if Git credentials are necessary. If not, add the configuration:

- name: Checkout
  uses: actions/checkout@v7
  with:
    persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 15 - 16, The Checkout step uses
actions/checkout@v7 which persists Git credentials by default, increasing the
attack surface unnecessarily. Review all downstream steps in the workflow (lint,
test, build) to determine if any require Git authentication for private
repositories or subsequent git commands. If Git credentials are not needed
downstream, add a with section to the Checkout step that includes
persist-credentials: false to reduce the security footprint and follow the
principle of least privilege.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 16: The `actions/checkout@v7` action reference uses a major version tag
instead of being pinned to a specific commit hash, which could allow for
unexpected changes if the tag is reassigned. Replace the version tag reference
with a full commit hash (for example,
`a7e2eabaae5d51aa524064699f56900e0f8c70f4`) to ensure the exact version of the
action is always used and to improve security and reproducibility of the
workflow.
- Around line 15-16: The Checkout step uses actions/checkout@v7 which persists
Git credentials by default, increasing the attack surface unnecessarily. Review
all downstream steps in the workflow (lint, test, build) to determine if any
require Git authentication for private repositories or subsequent git commands.
If Git credentials are not needed downstream, add a with section to the Checkout
step that includes persist-credentials: false to reduce the security footprint
and follow the principle of least privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 400a4b00-4ecc-4978-8ba7-257047d27021

📥 Commits

Reviewing files that changed from the base of the PR and between 615d1e6 and a74a801.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: quality
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci.yml

[warning] 15-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (1)
.github/workflows/ci.yml (1)

16-16: No breaking changes from v7 upgrade to actions/checkout.

Tooling compatibility is confirmed—pnpm/action-setup@v6 and actions/setup-node@v6 are fully compatible with actions/checkout@v7. The v7 security change for fork PRs (which blocks checkout under pull_request_target and workflow_run events) does not apply here since the workflow triggers on push and pull_request events, not the restricted event types.

@finallyjay finallyjay merged commit 67b2e15 into main Jun 25, 2026
3 checks passed
@finallyjay finallyjay deleted the dependabot/github_actions/actions/checkout-7 branch June 25, 2026 15:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant