Build(deps): Bump actions/checkout from 6 to 7#163
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
WalkthroughThree GitHub Actions workflow files are updated to replace Changesactions/checkout v6 → v7
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes 🚥 Pre-merge checks | ✅ 11✅ Passed checks (11 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/check-commit-format.yml:
- Line 14: The actions/checkout action reference in the workflow file is
currently pinned to a tag (v7) instead of a full commit SHA, which creates a
security vulnerability. Replace the `uses: actions/checkout@v7` line with the
full commit SHA for v7.0.0 by changing the tag reference to the complete commit
hash of that version. This ensures the workflow uses an immutable reference and
prevents potential supply-chain attacks through tag reuse or unexpected updates.
In @.github/workflows/check-pull-request.yml:
- Line 41: Replace all GitHub action references in the check-pull-request.yml
workflow file from tag-based versions to full commit SHA pinning. The actions
that need to be updated are: actions/checkout@v7 (appears on lines 41 and 67),
actions/setup-go@v6 (appears on lines 43 and 69), actions/cache@v3 (line 47),
and golangci/golangci-lint-action@v6 (line 76). For each action, replace the tag
reference with the corresponding full commit SHA. For example, change
actions/checkout@v7 to actions/checkout@9c091bb (or the appropriate SHA for each
action's version). This ensures the workflow adheres to CI/CD security best
practices by using immutable commit references instead of mutable tags.
In @.github/workflows/publish-release.yml:
- Line 18: Replace the `actions/checkout@v7` reference with the full commit SHA
to enhance workflow security. Change the uses statement from
`actions/checkout@v7` to `uses:
actions/checkout@9c091bb1645e77d0186596160166d488e001999a` which corresponds to
version 7.0.0. This pins the action to a specific immutable commit instead of a
mutable version tag.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4e4241d3-b436-48cd-94d2-ccb69f9fa68c
📒 Files selected for processing (3)
.github/workflows/check-commit-format.yml.github/workflows/check-pull-request.yml.github/workflows/publish-release.yml
| steps: | ||
| - name: Checkout Code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
What is the commit SHA for actions/checkout v7.0.0?
💡 Result:
The commit SHA for actions/checkout v7.0.0 is 9c091bb [1]. While the release preparation pull request (#2464) was associated with commit ee538cb [2][3], the tag v7.0.0 points to 9c091bb [1].
Citations:
- 1: https://github.com/actions/checkout/releases
- 2: getting ready for checkout v7 release actions/checkout#2464
- 3: actions/checkout@ee538cb
🏁 Script executed:
cat -n .github/workflows/check-commit-format.ymlRepository: openshift-online/ocm-common
Length of output: 1339
🌐 Web query:
actions/checkout v7.0.0 commit SHA github releases
💡 Result:
The version v7.0.0 of the actions/checkout GitHub Action was officially released on June 18, 2026 [1]. The commit SHA for this release is 1044a6dea927916f2c38ba5aeffbc0a847b1221a [2][3]. Key updates in the v7.0.0 release include: - A security fix to block checking out fork pull requests for pull_request_target and workflow_run events [1][4]. - A transition of the module to ESM (ECMAScript modules) and an update of its dependencies [1][4]. - Various dependency bumps, including updates to address security vulnerabilities [1][2]. - Documentation and README updates to reflect the new major version [2]. You can verify these details directly on the official actions/checkout release page [1][5].
Citations:
- 1: https://github.com/actions/checkout/releases/tag/v7.0.0
- 2: getting ready for checkout v7 release actions/checkout#2464
- 3: actions/checkout@v6.0.3...v7.0.0
- 4: https://github.com/actions/checkout/blob/main/CHANGELOG.md
- 5: https://github.com/actions/checkout/releases
Pin the actions/checkout action to a full commit SHA instead of a tag.
The actions/checkout@v7 reference uses a tag instead of a full commit SHA. This violates the CI/CD security requirement to pin all actions by hash, preventing supply-chain attacks via tag reuse or unexpected updates.
Replace with the full SHA for v7.0.0:
Diff
- uses: actions/checkout@v7
+ uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/checkout@v7 | |
| uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/check-commit-format.yml at line 14, The actions/checkout
action reference in the workflow file is currently pinned to a tag (v7) instead
of a full commit SHA, which creates a security vulnerability. Replace the `uses:
actions/checkout@v7` line with the full commit SHA for v7.0.0 by changing the
tag reference to the complete commit hash of that version. This ensures the
workflow uses an immutable reference and prevents potential supply-chain attacks
through tag reuse or unexpected updates.
Source: Coding guidelines
| steps: | ||
| - name: Checkout the source | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
What is the commit SHA for actions/checkout v7.0.0?
💡 Result:
The commit SHA for actions/checkout version 7.0.0 is 9c091bb [1]. This version was released on June 18, 2026 [2].
Citations:
🏁 Script executed:
cat -n .github/workflows/check-pull-request.ymlRepository: openshift-online/ocm-common
Length of output: 2652
All GitHub actions in this workflow must be pinned to full commit SHAs, not tags.
The file contains six unpinned action references that violate the CI/CD security requirement:
- Line 41:
actions/checkout@v7 - Line 43:
actions/setup-go@v6 - Line 47:
actions/cache@v3 - Line 67:
actions/checkout@v7 - Line 69:
actions/setup-go@v6 - Line 76:
golangci/golangci-lint-action@v6
Replace all tag references with full commit SHAs. For example, actions/checkout@v7 should be pinned to actions/checkout@9c091bb (v7.0.0).
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 40-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/check-pull-request.yml at line 41, Replace all GitHub
action references in the check-pull-request.yml workflow file from tag-based
versions to full commit SHA pinning. The actions that need to be updated are:
actions/checkout@v7 (appears on lines 41 and 67), actions/setup-go@v6 (appears
on lines 43 and 69), actions/cache@v3 (line 47), and
golangci/golangci-lint-action@v6 (line 76). For each action, replace the tag
reference with the corresponding full commit SHA. For example, change
actions/checkout@v7 to actions/checkout@9c091bb (or the appropriate SHA for each
action's version). This ensures the workflow adheres to CI/CD security best
practices by using immutable commit references instead of mutable tags.
Source: Coding guidelines
| - | ||
| name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
What is the commit SHA for actions/checkout v7.0.0?
💡 Result:
The commit SHA for actions/checkout v7.0.0 is 9c091bb1645e77d0186596160166d488e001999a [1]. It is associated with the release tag v7.0.0, which was published on June 18, 2026 [2][1].
Citations:
- 1: https://github.com/actions/checkout/releases
- 2: https://github.com/actions/checkout/releases/tag/v7.0.0
🏁 Script executed:
cat -n .github/workflows/publish-release.yml | head -30Repository: openshift-online/ocm-common
Length of output: 771
Pin actions/checkout to full commit SHA instead of tag.
The actions/checkout@v7 reference at line 18 uses a version tag instead of a full commit SHA. Replace with the commit SHA 9c091bb1645e77d0186596160166d488e001999a (v7.0.0):
uses: actions/checkout@9c091bb1645e77d0186596160166d488e001999a🧰 Tools
🪛 zizmor (1.25.2)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-release.yml at line 18, Replace the
`actions/checkout@v7` reference with the full commit SHA to enhance workflow
security. Change the uses statement from `actions/checkout@v7` to `uses:
actions/checkout@9c091bb1645e77d0186596160166d488e001999a` which corresponds to
version 7.0.0. This pins the action to a specific immutable commit instead of a
mutable version tag.
Source: Coding guidelines
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit