Skip to content

Build(deps): Bump actions/checkout from 6 to 7#163

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7
Open

Build(deps): Bump actions/checkout from 6 to 7#163
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated build and deployment infrastructure for improved pipeline stability and consistency.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 22, 2026
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Walkthrough

Three GitHub Actions workflow files are updated to replace actions/checkout@v6 with actions/checkout@v7. The change affects one step in check-commit-format.yml, two steps (test and golangci jobs) in check-pull-request.yml, and one step in publish-release.yml. No other workflow logic is modified.

Changes

actions/checkout v6 → v7

Layer / File(s) Summary
Checkout action version bump in all workflows
.github/workflows/check-commit-format.yml, .github/workflows/check-pull-request.yml, .github/workflows/publish-release.yml
All four actions/checkout references across the three workflow files are updated from @v6 to @v7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: bumping the actions/checkout dependency from version 6 to version 7 across multiple workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed PR only updates GitHub Actions workflow configuration files with no cryptographic code, weak crypto patterns, or security-sensitive code modifications.
Container-Privileges ✅ Passed PR contains only GitHub Actions workflow files, not container/K8s manifests. Check for privileged container configurations is not applicable.
No-Sensitive-Data-In-Logs ✅ Passed PR contains only version bumps of actions/checkout with no new logging statements or sensitive data exposure in logs; existing secrets are correctly handled via GitHub secrets mechanism.
No-Hardcoded-Secrets ✅ Passed No hardcoded secrets found in the modified workflow files. Only proper GitHub Actions secret reference used (${{ secrets.GITHUB_TOKEN }}).
No-Injection-Vectors ✅ Passed PR only updates GitHub Actions versions in YAML workflow files with no source code changes containing SQL injection, command injection, unsafe eval/exec, pickle, yaml.load, os.system, or dangerousl...
Ai-Attribution ✅ Passed PR is a standard Dependabot dependency bump with no AI tool usage. No AI attribution is needed or expected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-7

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/check-commit-format.yml:
- Line 14: The actions/checkout action reference in the workflow file is
currently pinned to a tag (v7) instead of a full commit SHA, which creates a
security vulnerability. Replace the `uses: actions/checkout@v7` line with the
full commit SHA for v7.0.0 by changing the tag reference to the complete commit
hash of that version. This ensures the workflow uses an immutable reference and
prevents potential supply-chain attacks through tag reuse or unexpected updates.

In @.github/workflows/check-pull-request.yml:
- Line 41: Replace all GitHub action references in the check-pull-request.yml
workflow file from tag-based versions to full commit SHA pinning. The actions
that need to be updated are: actions/checkout@v7 (appears on lines 41 and 67),
actions/setup-go@v6 (appears on lines 43 and 69), actions/cache@v3 (line 47),
and golangci/golangci-lint-action@v6 (line 76). For each action, replace the tag
reference with the corresponding full commit SHA. For example, change
actions/checkout@v7 to actions/checkout@9c091bb (or the appropriate SHA for each
action's version). This ensures the workflow adheres to CI/CD security best
practices by using immutable commit references instead of mutable tags.

In @.github/workflows/publish-release.yml:
- Line 18: Replace the `actions/checkout@v7` reference with the full commit SHA
to enhance workflow security. Change the uses statement from
`actions/checkout@v7` to `uses:
actions/checkout@9c091bb1645e77d0186596160166d488e001999a` which corresponds to
version 7.0.0. This pins the action to a specific immutable commit instead of a
mutable version tag.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift-online/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4e4241d3-b436-48cd-94d2-ccb69f9fa68c

📥 Commits

Reviewing files that changed from the base of the PR and between 959e57b and 6f697f3.

📒 Files selected for processing (3)
  • .github/workflows/check-commit-format.yml
  • .github/workflows/check-pull-request.yml
  • .github/workflows/publish-release.yml

steps:
- name: Checkout Code
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout v7.0.0 is 9c091bb [1]. While the release preparation pull request (#2464) was associated with commit ee538cb [2][3], the tag v7.0.0 points to 9c091bb [1].

Citations:


🏁 Script executed:

cat -n .github/workflows/check-commit-format.yml

Repository: openshift-online/ocm-common

Length of output: 1339


🌐 Web query:

actions/checkout v7.0.0 commit SHA github releases

💡 Result:

The version v7.0.0 of the actions/checkout GitHub Action was officially released on June 18, 2026 [1]. The commit SHA for this release is 1044a6dea927916f2c38ba5aeffbc0a847b1221a [2][3]. Key updates in the v7.0.0 release include: - A security fix to block checking out fork pull requests for pull_request_target and workflow_run events [1][4]. - A transition of the module to ESM (ECMAScript modules) and an update of its dependencies [1][4]. - Various dependency bumps, including updates to address security vulnerabilities [1][2]. - Documentation and README updates to reflect the new major version [2]. You can verify these details directly on the official actions/checkout release page [1][5].

Citations:


Pin the actions/checkout action to a full commit SHA instead of a tag.

The actions/checkout@v7 reference uses a tag instead of a full commit SHA. This violates the CI/CD security requirement to pin all actions by hash, preventing supply-chain attacks via tag reuse or unexpected updates.

Replace with the full SHA for v7.0.0:

Diff
- uses: actions/checkout@v7
+ uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a
🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check-commit-format.yml at line 14, The actions/checkout
action reference in the workflow file is currently pinned to a tag (v7) instead
of a full commit SHA, which creates a security vulnerability. Replace the `uses:
actions/checkout@v7` line with the full commit SHA for v7.0.0 by changing the
tag reference to the complete commit hash of that version. This ensures the
workflow uses an immutable reference and prevents potential supply-chain attacks
through tag reuse or unexpected updates.

Source: Coding guidelines

steps:
- name: Checkout the source
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout version 7.0.0 is 9c091bb [1]. This version was released on June 18, 2026 [2].

Citations:


🏁 Script executed:

cat -n .github/workflows/check-pull-request.yml

Repository: openshift-online/ocm-common

Length of output: 2652


All GitHub actions in this workflow must be pinned to full commit SHAs, not tags.

The file contains six unpinned action references that violate the CI/CD security requirement:

  • Line 41: actions/checkout@v7
  • Line 43: actions/setup-go@v6
  • Line 47: actions/cache@v3
  • Line 67: actions/checkout@v7
  • Line 69: actions/setup-go@v6
  • Line 76: golangci/golangci-lint-action@v6

Replace all tag references with full commit SHAs. For example, actions/checkout@v7 should be pinned to actions/checkout@9c091bb (v7.0.0).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 40-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check-pull-request.yml at line 41, Replace all GitHub
action references in the check-pull-request.yml workflow file from tag-based
versions to full commit SHA pinning. The actions that need to be updated are:
actions/checkout@v7 (appears on lines 41 and 67), actions/setup-go@v6 (appears
on lines 43 and 69), actions/cache@v3 (line 47), and
golangci/golangci-lint-action@v6 (line 76). For each action, replace the tag
reference with the corresponding full commit SHA. For example, change
actions/checkout@v7 to actions/checkout@9c091bb (or the appropriate SHA for each
action's version). This ensures the workflow adheres to CI/CD security best
practices by using immutable commit references instead of mutable tags.

Source: Coding guidelines

-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout v7.0.0 is 9c091bb1645e77d0186596160166d488e001999a [1]. It is associated with the release tag v7.0.0, which was published on June 18, 2026 [2][1].

Citations:


🏁 Script executed:

cat -n .github/workflows/publish-release.yml | head -30

Repository: openshift-online/ocm-common

Length of output: 771


Pin actions/checkout to full commit SHA instead of tag.

The actions/checkout@v7 reference at line 18 uses a version tag instead of a full commit SHA. Replace with the commit SHA 9c091bb1645e77d0186596160166d488e001999a (v7.0.0):

uses: actions/checkout@9c091bb1645e77d0186596160166d488e001999a
🧰 Tools
🪛 zizmor (1.25.2)

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-release.yml at line 18, Replace the
`actions/checkout@v7` reference with the full commit SHA to enhance workflow
security. Change the uses statement from `actions/checkout@v7` to `uses:
actions/checkout@9c091bb1645e77d0186596160166d488e001999a` which corresponds to
version 7.0.0. This pins the action to a specific immutable commit instead of a
mutable version tag.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants