Skip to content

chore(deps): update actions/checkout action to v7#203

Open
open-turo-bot wants to merge 1 commit into
mainfrom
c/renovate_actions-checkout-7.x
Open

chore(deps): update actions/checkout action to v7#203
open-turo-bot wants to merge 1 commit into
mainfrom
c/renovate_actions-checkout-7.x

Conversation

@open-turo-bot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6 -> v7

Release Notes

actions/checkout (actions/checkout)

v7

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@open-turo-bot open-turo-bot requested a review from a team as a code owner June 19, 2026 01:25
@github-actions

Copy link
Copy Markdown

Release notes preview

No new release will be created.

If you are expecting a release, you will need to either fix a bug or add a feature.
Chores, CI, docs, refactoring, style and other changes will not trigger a release.

@open-turo-bot open-turo-bot force-pushed the c/renovate_actions-checkout-7.x branch 2 times, most recently from 325a481 to 4b21806 Compare June 29, 2026 01:16
@open-turo-bot open-turo-bot force-pushed the c/renovate_actions-checkout-7.x branch from 4b21806 to 1a92539 Compare July 4, 2026 03:51
Comment thread release/action.yaml
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 uses a movable tag, so a repointed tag could make this workflow run attacker-controlled code.

More details about this

actions/checkout is referenced as @v7, which is a movable tag, not a fixed commit. If the owner of actions/checkout or anyone who compromises that repository repoints v7 to a different commit, this Checkout step will run that new code the next time this workflow executes.

A plausible attack is: 1) an attacker gains control of the actions/checkout repository or its release process and moves the v7 tag to a malicious commit; 2) this workflow reaches the Checkout step and downloads that attacker-controlled code because it uses actions/checkout@v7; 3) the malicious action runs before later steps such as Build and Release, so it can read values passed through the workflow like ${{ inputs.npm-auth-token }}, ${{ inputs.npm-token }}, or other repository-scoped secrets available to the job; 4) it can then exfiltrate those credentials over the network or modify the checked-out repository contents to affect what the later open-turo/actions-node/build@v7 and open-turo/actions-release/semantic-release@v5 steps operate on.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
View step-by-step instructions
  1. Replace the mutable action reference with a full 40-character commit SHA instead of the version tag.
    Change uses: actions/checkout@v7 to uses: actions/checkout@<full-commit-sha>.

  2. Get the SHA for the exact action version you want to keep using.
    Open the actions/checkout release for the version you intend to use, find the commit behind that release, and copy the full 40-character SHA.

  3. Keep the version in a comment so future updates are easier to manage.
    For example, use uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0.

  4. Repeat the same pinning pattern for any other third-party uses: entries in this workflow or composite action that currently use a tag or branch.
    GitHub resolves uses: by ref, and only a full commit SHA prevents the referenced code from changing silently.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread prerelease/action.yaml
echo "sha=$sha" >> $GITHUB_OUTPUT

- uses: actions/checkout@v6
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 uses a movable tag, so if v7 is repointed, this workflow can run attacker-controlled action code.

More details about this

actions/checkout is referenced with the mutable tag @v7 in - uses: actions/checkout@v7. Because this workflow later checks out ${{ steps.source-vars.outputs.branch }} from push, repository_dispatch, or pull request events, anyone who can repoint what v7 resolves to can change the code that runs before your repository is checked out.

A plausible attack looks like this:

  1. An attacker compromises the actions/checkout release process or gains permission to move the v7 tag.
  2. They repoint v7 to a new commit that adds malicious logic to the checkout action.
  3. Your workflow runs uses: actions/checkout@v7, so GitHub fetches the attacker's new action code instead of the version you previously reviewed.
  4. That action runs in this job with access to workflow data such as ${{ github.sha }}, ${{ github.ref_name }}, and any job token or secrets available to the checkout step.
  5. The malicious action can then exfiltrate the repository contents being checked out from ref: ${{ steps.source-vars.outputs.branch }}, read CI credentials, or push back changes using the job's token.

Because v7 is only a tag name, this change can happen silently without any diff in your repository.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # actions/checkout v4
View step-by-step instructions
  1. Replace the mutable action reference actions/checkout@v7 with a full 40-character commit SHA for the exact release you want to trust, for example actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  2. Get the correct SHA from the actions/checkout release or repository page, and copy the commit hash that corresponds to the version you intended to use. Do not use a tag like @v7, @v4, or a branch name.
  3. Update the workflow step so only the uses: value changes, while keeping the existing with: settings such as fetch-depth and ref.
  4. If this checkout is supposed to use the exact commit selected earlier in the workflow, change ref: ${{ steps.source-vars.outputs.branch }} to ref: ${{ steps.source-vars.outputs.sha }}. This avoids checking out a branch name that can move to a different commit after the workflow starts.

Alternatively, if you must stay aligned with an upstream release process, pin to the release commit SHA and add a comment beside it noting the human-friendly version, such as uses: actions/checkout@<full-sha> # actions/checkout v4.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 uses a mutable tag, so a retagged release could silently run attacker-controlled code in the Checkout step.

More details about this

The Checkout step runs actions/checkout@v7, which is a movable tag instead of a fixed commit. If the owner of actions/checkout ever repoints v7 to a different commit, this workflow will start running that new code automatically before later steps use ${{ github.token }}, read the repository, and restore caches.

A plausible attack looks like this:

  1. An attacker compromises the actions/checkout release process or gains permission to retag v7.
  2. They move v7 to a commit that adds malicious code to the action.
  3. When this composite action reaches the Checkout step, GitHub pulls and runs the attacker-controlled actions/checkout@v7 code.
  4. That code can use the available ${{ github.token }} and the checked-out repository contents, then exfiltrate source code or modify what later steps like open-turo/action-setup-tools@v3 and dependency installation operate on.
  5. Because the workflow still says @v7, the change can happen silently without any diff in this repository.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
View step-by-step instructions
  1. Replace the mutable ref actions/checkout@v7 with a full 40-character commit SHA for the exact action version you want to trust, for example uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
  2. Get the correct SHA from the actions/checkout release you intend to use by opening the v7 release or tag in GitHub and copying the full commit hash behind that ref.
  3. Update the workflow step to use only the pinned SHA in the uses: value, not the tag and SHA together. This prevents the action from changing if the tag is later moved.
  4. Repeat the same fix for the other third-party actions in this file, such as open-turo/action-setup-tools@v3, andstor/file-existence-action@v3, and everpcpc/actions-cache@v3, by replacing each tag with its full commit SHA.
  5. Manually verify that the workflow still uses the expected action versions by checking each pinned SHA resolves to the intended repository and release page on GitHub.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

actions/checkout@v7 uses a movable tag, so if v7 is repointed this workflow could run attacker-controlled code without any change in this repo.

More details about this

actions/checkout@v7 is pulled by a mutable tag instead of a fixed commit. If the owner of actions/checkout or anyone who compromises that repository repoints v7, this Update dependencies workflow will run different code the next time the scheduled job, workflow_dispatch, issue_comment, or pull_request event triggers.

A plausible attack looks like this:

  1. An attacker gains control of the actions/checkout repository, or of whatever account can move the v7 tag.
  2. They repoint v7 to a malicious commit that still looks like a normal checkout action.
  3. Your Checkout step runs uses: actions/checkout@v7, so GitHub fetches the attacker-controlled code automatically.
  4. That code executes in this job before open-turo/action-renovate@v1, giving it access to the job workspace and any data available to the workflow, including ${{ secrets.OPEN_TURO_GITHUB_TOKEN }} if later steps expose it through the environment or Git operations.
  5. The malicious action can then modify checked-out files, exfiltrate repository contents, or make authenticated API calls as this workflow run.

Because v7 can be changed silently without any workflow file diff in this repository, reviewers would not see the attack here before the next run executes it.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
View step-by-step instructions
  1. Replace the mutable ref in the workflow step with a full 40-character commit SHA for the exact actions/checkout release you want to use.
    Change uses: actions/checkout@v7 to uses: actions/checkout@<full-40-character-commit-sha>.

  2. Get the correct SHA from the actions/checkout release you intend to keep using.
    Open the v7 release page for actions/checkout, copy the commit SHA for that release, and use the full value instead of the tag.

  3. Keep the action version readable by adding a comment next to the pinned SHA if needed.
    For example: uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0.

  4. Update Dependabot or Renovate configuration, if you use one, so pinned GitHub Action SHAs continue to get bumped automatically.
    This keeps the workflow secure without switching back to mutable tags.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants