-
Notifications
You must be signed in to change notification settings - Fork 41
Build(deps): Bump actions/checkout from 6 to 7 #163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,7 +38,7 @@ jobs: | |
| runs-on: ${{ matrix.platform }} | ||
| steps: | ||
| - name: Checkout the source | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🌐 Web query:
💡 Result: The commit SHA for actions/checkout version 7.0.0 is 9c091bb [1]. This version was released on June 18, 2026 [2]. Citations: 🏁 Script executed: cat -n .github/workflows/check-pull-request.ymlRepository: openshift-online/ocm-common Length of output: 2652 All GitHub actions in this workflow must be pinned to full commit SHAs, not tags. The file contains six unpinned action references that violate the CI/CD security requirement:
Replace all tag references with full commit SHAs. For example, 🧰 Tools🪛 zizmor (1.25.2)[warning] 40-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked) [error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Coding guidelines |
||
| - name: Setup Go | ||
| uses: actions/setup-go@v6 | ||
| with: | ||
|
|
@@ -64,7 +64,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout the source | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
| - name: Setup Go | ||
| uses: actions/setup-go@v6 | ||
| with: | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,7 +15,7 @@ jobs: | |
| steps: | ||
| - | ||
| name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🌐 Web query:
💡 Result: The commit SHA for actions/checkout v7.0.0 is 9c091bb1645e77d0186596160166d488e001999a [1]. It is associated with the release tag v7.0.0, which was published on June 18, 2026 [2][1]. Citations:
🏁 Script executed: cat -n .github/workflows/publish-release.yml | head -30Repository: openshift-online/ocm-common Length of output: 771 Pin actions/checkout to full commit SHA instead of tag. The uses: actions/checkout@9c091bb1645e77d0186596160166d488e001999a🧰 Tools🪛 zizmor (1.25.2)[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI AgentsSource: Coding guidelines |
||
| with: | ||
| fetch-depth: 0 | ||
| - | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🌐 Web query:
What is the commit SHA for actions/checkout v7.0.0?💡 Result:
The commit SHA for actions/checkout v7.0.0 is 9c091bb [1]. While the release preparation pull request (
#2464) was associated with commit ee538cb [2][3], the tag v7.0.0 points to 9c091bb [1].Citations:
🏁 Script executed:
Repository: openshift-online/ocm-common
Length of output: 1339
🌐 Web query:
actions/checkout v7.0.0 commit SHA github releases💡 Result:
The version v7.0.0 of the actions/checkout GitHub Action was officially released on June 18, 2026 [1]. The commit SHA for this release is 1044a6dea927916f2c38ba5aeffbc0a847b1221a [2][3]. Key updates in the v7.0.0 release include: - A security fix to block checking out fork pull requests for pull_request_target and workflow_run events [1][4]. - A transition of the module to ESM (ECMAScript modules) and an update of its dependencies [1][4]. - Various dependency bumps, including updates to address security vulnerabilities [1][2]. - Documentation and README updates to reflect the new major version [2]. You can verify these details directly on the official actions/checkout release page [1][5].
Citations:
Pin the
actions/checkoutaction to a full commit SHA instead of a tag.The
actions/checkout@v7reference uses a tag instead of a full commit SHA. This violates the CI/CD security requirement to pin all actions by hash, preventing supply-chain attacks via tag reuse or unexpected updates.Replace with the full SHA for v7.0.0:
Diff
📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.25.2)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Source: Coding guidelines