build(deps): bump actions/checkout from 6 to 7 #75
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough: All four GitHub Actions workflow files (
Changes: actions/checkout v6 → v7 upgrade
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 of 5 passed
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cd.yml:
- Line 12: The actions/checkout action is unpinned (using v7 instead of a full
commit SHA) and persists credentials by default which presents a security risk.
Replace the unpinned version reference with a full commit SHA for
actions/checkout and add a with section that includes persist-credentials set to
false unless authenticated git operations are explicitly required by a later
step in the workflow.
In @.github/workflows/ci-check-gomod.yml:
- Line 15: Replace the tag-based reference in the checkout action from
`actions/checkout@v7` with a specific commit SHA reference for supply-chain
hardening. Additionally, add the `with` configuration parameter to disable
credential persistence by setting `persist-credentials: false` in the checkout
action to complete the security hardening requirements.
In @.github/workflows/ci.yml:
- Line 18: The actions/checkout action at lines 18, 52, and 68 is using
tag-based references (v7) instead of commit SHAs, which are less secure. Replace
each instance of actions/checkout@v7 with the full commit SHA for that version.
Additionally, add the parameter persist-credentials: false to each of these
checkout steps to prevent storing git credentials, unless those specific jobs
require authenticated git writes for later operations.
In @.github/workflows/govulncheck.yml:
- Line 14: The actions/checkout action at line 14 in the govulncheck workflow is
using a version tag (v7) instead of a pinned full commit SHA, which reduces
security hardening. Replace the version tag with a full commit SHA hash to
ensure the exact action version is used, and add the persist-credentials: false
parameter to the uses statement to disable token persistence and reduce
credential exposure risk.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 0665d6df-1507-4096-a3a4-4243872ef0c2
📒 Files selected for processing (4)
- .github/workflows/cd.yml
- .github/workflows/ci-check-gomod.yml
- .github/workflows/ci.yml
- .github/workflows/govulncheck.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
- codeready-toolchain/api (manual)
- codeready-toolchain/toolchain-common (manual)
- codeready-toolchain/host-operator (manual)
- codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
- GitHub Check: govulncheck
- GitHub Check: Build Image
- GitHub Check: Test
- GitHub Check: Lint
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 51-52: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 52-52: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 67-68: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 68-68: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/cd.yml
[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/ci-check-gomod.yml
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/govulncheck.yml
[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
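As an added example (not code from this PR, from CodeRabbit or from zizmor), the following dependency-free Python checker reproduces the two zizmor rules quoted above, `unpinned-uses` and `artipacked`, over a constructed workflow fragment. The fragment, the 40-hex placeholder SHA inside it, and the line-based parsing of the usual `steps:` layout are assumptions of this example; it reports the same start-end line pairs zizmor prints (the step's `- name:` line through its `uses:` line for `artipacked`, the `uses:` line alone for `unpinned-uses`).

```python
import re

# Constructed sample workflow fragment (not one of the repository's files). The 40-hex
# value below is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
      - name: Checkout pinned
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
"""

USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_bounds(lines, idx, key_indent, is_item_line):
    """Return (start, end) 0-based indices of the step list item containing lines[idx].

    Keys of a step are indented at key_indent; the step's own "- " line sits two
    columns to the left. Scanning stops at the first non-blank line indented less
    than key_indent, which is either the opening "- " line or the enclosing key.
    """
    start = idx
    if not is_item_line:
        while start > 0 and (not lines[start - 1].strip() or _indent(lines[start - 1]) >= key_indent):
            start -= 1
        # Include the "- name: ..." line that opens this step, if that is where we stopped.
        prev = lines[start - 1] if start > 0 else ""
        if prev.lstrip().startswith("- ") and _indent(prev) == key_indent - 2:
            start -= 1
    end = idx
    while end + 1 < len(lines) and (not lines[end + 1].strip() or _indent(lines[end + 1]) >= key_indent):
        end += 1
    return start, end


def find_findings(workflow_text):
    """Return (rule, start_line, end_line, action_ref) tuples with 1-based line numbers,
    mirroring zizmor's unpinned-uses (ref is not a full commit SHA) and artipacked
    (actions/checkout step without persist-credentials: false) rules."""
    lines = workflow_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        leading, dash, target = m.groups()
        if target.startswith("./") or target.startswith("docker://") or "@" not in target:
            continue  # local or container actions carry no tag/SHA ref to check
        action, _, ref = target.partition("@")
        lineno = idx + 1
        if not FULL_SHA_RE.match(ref):
            findings.append(("unpinned-uses", lineno, lineno, target))
        if action == "actions/checkout":
            key_indent = len(leading) + (len(dash) if dash else 0)
            start, end = _step_bounds(lines, idx, key_indent, bool(dash))
            if not any(PERSIST_FALSE_RE.match(ln) for ln in lines[start:end + 1]):
                findings.append(("artipacked", start + 1, lineno, target))
    return findings


if __name__ == "__main__":
    for rule, start, end, ref in find_findings(SAMPLE_WORKFLOW):
        print(f"[{rule}] lines {start}-{end}: {ref}")
```

On the constructed fragment the checker flags the tag-based `actions/checkout@v7` step twice (unpinned and credential-persisting), leaves the SHA-pinned step with `persist-credentials: false` alone, and flags `actions/setup-go@v5` as unpinned only, since the `artipacked` rule concerns the checkout action alone.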
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
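Review bot: the hunk changes only the ref from `actions/checkout@v6` to `@v7` and adds no `with:` block, so the step keeps persisting the checkout token by default, as the comment below notes; because this is the cd workflow, check whether any later step in cd.yml performs an authenticated git push or tag before adopting `persist-credentials: false`, and when applying the suggested patch replace the `<full-length-commit-sha-for-v7>` placeholder with the actual commit the v7 tag resolves to rather than committing the placeholder text.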
Harden checkout action reference and disable persisted credentials.
At Line 12, actions/checkout@v7 is unpinned and also keeps credentials by default. Pin to a full commit SHA and set persist-credentials: false unless a later step explicitly needs authenticated git operations.
Suggested patch
- - name: Checkout code
- uses: actions/checkout@v7
+ - name: Checkout code
+ uses: actions/checkout@<full-length-commit-sha-for-v7>
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
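Review bot: this is a semver-major bump (`update-type: version-update:semver-major` in the commit message) and the v7 commit list includes "block checking out fork pr for pull_request_target and workflow_run (#2454)", so confirm that ci-check-gomod.yml is not triggered by `pull_request_target` or `workflow_run` against fork PRs before merging; the unpinned `@v7` ref and the missing `persist-credentials: false` flagged by zizmor at lines 14-15 still need to be addressed in the same step.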
Apply checkout supply-chain hardening in this workflow too.
At Line 15, switch from tag-based reference to a commit SHA and disable credential persistence for checkout.
Suggested patch
- - name: Checkout code
- uses: actions/checkout@v7
+ - name: Checkout code
+ uses: actions/checkout@<full-length-commit-sha-for-v7>
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
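Review bot: the same `@v6` to `@v7` change appears in three checkout steps of ci.yml (lines 18, 52 and 68 per zizmor), and each still lacks a `with: persist-credentials: false` block; apply the hardening to all three in one commit so the file does not end up with a mix of SHA-pinned and tag-based checkout references, and use the identical SHA in all three since they should resolve to the same v7 release.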
All three checkout steps should be SHA-pinned and non-persistent for credentials.
At Lines 18, 52, and 68, replace tag-based checkout references with full commit SHAs and set persist-credentials: false unless those jobs need authenticated git writes later.
Suggested patch pattern
- - name: Checkout code
- uses: actions/checkout@v7
+ - name: Checkout code
+ uses: actions/checkout@<full-length-commit-sha-for-v7>
+ with:
+ persist-credentials: false
Also applies to: 52-52, 68-68
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
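Review bot: nothing in this hunk or in the steps shown indicates that the govulncheck job needs write access to the repository, so `persist-credentials: false` is the safe default here; as in the other workflows, `v7` is a movable tag rather than an immutable reference, and the zizmor unpinned-uses error at line 14 is only cleared by pinning to a full 40-character commit SHA.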
Harden checkout in govulncheck workflow as well.
At Line 14, pin actions/checkout to a full commit SHA and set persist-credentials: false to reduce token exposure risk.
Suggested patch
- - name: Checkout code
- uses: actions/checkout@v7
+ - name: Checkout code
+ uses: actions/checkout@<full-length-commit-sha-for-v7>
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)