
build(deps): bump actions/checkout from 6 to 7#75

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/checkout-7

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Contributor

Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated automation infrastructure by upgrading GitHub Actions dependencies to their latest stable versions across all continuous integration and continuous deployment workflows, enhancing security, reliability, and compatibility while maintaining existing build and deployment functionality.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 18, 2026
coderabbitai Bot commented Jun 18, 2026


Walkthrough

All four GitHub Actions workflow files (.github/workflows/cd.yml, ci-check-gomod.yml, ci.yml, and govulncheck.yml) update the actions/checkout step from @v6 to @v7. No other workflow logic, job steps, or inputs are changed.

Changes

actions/checkout v6 → v7 upgrade

Layer / File(s): Checkout action version bump in all workflows (.github/workflows/cd.yml, .github/workflows/ci-check-gomod.yml, .github/workflows/ci.yml, .github/workflows/govulncheck.yml)
Summary: Six actions/checkout@v6 references across four workflow files are updated to actions/checkout@v7. Affected jobs: cd, go.mod-replacements, test, build-image, lint, and govulncheck.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

ci, security

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped: CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly and concisely summarizes the main change: upgrading actions/checkout from version 6 to 7 across all workflow files.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot added ci Add or update CI/CD configuration security Security vulnerability labels Jun 18, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cd.yml:
- Line 12: The actions/checkout action is unpinned (using v7 instead of a full
commit SHA) and persists credentials by default which presents a security risk.
Replace the unpinned version reference with a full commit SHA for
actions/checkout and add a with section that includes persist-credentials set to
false unless authenticated git operations are explicitly required by a later
step in the workflow.

In @.github/workflows/ci-check-gomod.yml:
- Line 15: Replace the tag-based reference in the checkout action from
`actions/checkout@v7` with a specific commit SHA reference for supply-chain
hardening. Additionally, add the `with` configuration parameter to disable
credential persistence by setting `persist-credentials: false` in the checkout
action to complete the security hardening requirements.

In @.github/workflows/ci.yml:
- Line 18: The actions/checkout action at lines 18, 52, and 68 is using
tag-based references (v7) instead of commit SHAs, which are less secure. Replace
each instance of actions/checkout@v7 with the full commit SHA for that version.
Additionally, add the parameter persist-credentials: false to each of these
checkout steps to prevent storing git credentials, unless those specific jobs
require authenticated git writes for later operations.

In @.github/workflows/govulncheck.yml:
- Line 14: The actions/checkout action at line 14 in the govulncheck workflow is
using a version tag (v7) instead of a pinned full commit SHA, which reduces
security hardening. Replace the version tag with a full commit SHA hash to
ensure the exact action version is used, and add the persist-credentials: false
parameter to the uses statement to disable token persistence and reduce
credential exposure risk.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 0665d6df-1507-4096-a3a4-4243872ef0c2

📥 Commits

Reviewing files that changed from the base of the PR and between 9e576fc and 06168ea.

📒 Files selected for processing (4)
  • .github/workflows/cd.yml
  • .github/workflows/ci-check-gomod.yml
  • .github/workflows/ci.yml
  • .github/workflows/govulncheck.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: govulncheck
  • GitHub Check: Build Image
  • GitHub Check: Test
  • GitHub Check: Lint
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 51-52: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 52-52: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 67-68: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 68-68: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/cd.yml

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/ci-check-gomod.yml

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/govulncheck.yml

[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Comment thread .github/workflows/cd.yml
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@v7
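Review bot: the `uses:` line moves from one floating major tag (`@v6`) to another (`@v7`), so merging the hunk as-is leaves the zizmor `unpinned-uses` error on cd.yml line 12 in place and the `artipacked` warning untouched. Because v6 to v7 is a semver-major update and the release-notes section of the PR body above is empty, check the v7.0.0 release notes for breaking changes before merging, and consider applying the SHA pin suggested below in the same commit; Dependabot keeps proposing updates for a SHA-pinned action when a `# v7.0.0` style comment follows the commit id.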


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden checkout action reference and disable persisted credentials.

At Line 12, actions/checkout@v7 is unpinned and also keeps credentials by default. Pin to a full commit SHA and set persist-credentials: false unless a later step explicitly needs authenticated git operations.

Suggested patch
-      - name: Checkout code
-        uses: actions/checkout@v7
+      - name: Checkout code
+        uses: actions/checkout@<full-length-commit-sha-for-v7>
+        with:
+          persist-credentials: false
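Review bot: `<full-length-commit-sha-for-v7>` on the `uses:` line is a placeholder and must not be merged literally; resolve it to the 40-character commit id that the `v7.0.0` tag points to in the actions/checkout repository and append a `# v7.0.0` comment after it (`uses: actions/checkout@<sha> # v7.0.0`), otherwise Dependabot stops tracking the action. Before adding `persist-credentials: false`, confirm no later step of the cd job pushes or performs another token-authenticated git operation; the checkout itself still authenticates with the token, the setting only prevents it being stored in the local git config afterwards.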
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cd.yml at line 12, The actions/checkout action is unpinned
(using v7 instead of a full commit SHA) and persists credentials by default
which presents a security risk. Replace the unpinned version reference with a
full commit SHA for actions/checkout and add a with section that includes
persist-credentials set to false unless authenticated git operations are
explicitly required by a later step in the workflow.

Source: Linters/SAST tools

Comment thread .github/workflows/ci-check-gomod.yml
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@v7


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Apply checkout supply-chain hardening in this workflow too.

At Line 15, switch from tag-based reference to a commit SHA and disable credential persistence for checkout.

Suggested patch
-    - name: Checkout code
-      uses: actions/checkout@v7
+    - name: Checkout code
+      uses: actions/checkout@<full-length-commit-sha-for-v7>
+      with:
+        persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci-check-gomod.yml at line 15, Replace the tag-based
reference in the checkout action from `actions/checkout@v7` with a specific
commit SHA reference for supply-chain hardening. Additionally, add the `with`
configuration parameter to disable credential persistence by setting
`persist-credentials: false` in the checkout action to complete the security
hardening requirements.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@v7


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

All three checkout steps should be SHA-pinned and non-persistent for credentials.

At Lines 18, 52, and 68, replace tag-based checkout references with full commit SHAs and set persist-credentials: false unless those jobs need authenticated git writes later.

Suggested patch pattern
-    - name: Checkout code
-      uses: actions/checkout@v7
+    - name: Checkout code
+      uses: actions/checkout@<full-length-commit-sha-for-v7>
+      with:
+        persist-credentials: false
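Review bot: this pattern has to be applied to all three `uses:` lines (18, 52 and 68, i.e. the test, build-image and lint jobs named in the walkthrough) with one identical commit id and a `# v7.0.0` comment on each; leaving any one of them on the tag keeps the `unpinned-uses` error for that line, and mixing a SHA in one job with a tag in another makes the pin easy to miss in later bumps. `persist-credentials: false` does not change what checkout fetches, only whether the token remains in `.git/config` for later steps, so it is safe for jobs that only build, test and lint; verify that build-image does not depend on the stored token before applying it there.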

Also applies to: 52-52, 68-68

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 18, The actions/checkout action at lines
18, 52, and 68 is using tag-based references (v7) instead of commit SHAs, which
are less secure. Replace each instance of actions/checkout@v7 with the full
commit SHA for that version. Additionally, add the parameter
persist-credentials: false to each of these checkout steps to prevent storing
git credentials, unless those specific jobs require authenticated git writes for
later operations.

Source: Linters/SAST tools

Comment thread .github/workflows/govulncheck.yml
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@v7


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden checkout in govulncheck workflow as well.

At Line 14, pin actions/checkout to a full commit SHA and set persist-credentials: false to reduce token exposure risk.

Suggested patch
-    - name: Checkout code
-      uses: actions/checkout@v7
+    - name: Checkout code
+      uses: actions/checkout@<full-length-commit-sha-for-v7>
+      with:
+        persist-credentials: false
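Review bot: govulncheck only reads the checked-out source tree and performs no git writes, so `persist-credentials: false` can be applied here without the "unless a later step needs authenticated git operations" caveat given for the other workflows. The same placeholder issue applies: `<full-length-commit-sha-for-v7>` must become the real 40-character commit id of the `v7.0.0` tag, followed by a `# v7.0.0` comment so Dependabot continues to track the pin.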
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/govulncheck.yml at line 14, The actions/checkout action at
line 14 in the govulncheck workflow is using a version tag (v7) instead of a
pinned full commit SHA, which reduces security hardening. Replace the version
tag with a full commit SHA hash to ensure the exact action version is used, and
add the persist-credentials: false parameter to the uses statement to disable
token persistence and reduce credential exposure risk.

Source: Linters/SAST tools
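Added example (not code from this PR, from zizmor, or from the repository): a small Python audit that applies the two checks the review comments and the zizmor output above raise, unpinned `uses:` references and `actions/checkout` steps without `persist-credentials: false`, to a constructed sample workflow, and a rewrite that produces the hardened form the four suggested patches describe. `PLACEHOLDER_SHA` is a labelled placeholder, not the commit id of v7.0.0; the `scan_workflow` and `harden_checkout` names are mine.

```python
"""Audit GitHub Actions workflows for unpinned `uses:` references (zizmor's
unpinned-uses rule) and actions/checkout steps that leave persist-credentials
at its default (zizmor's artipacked rule). Dependency-free line scanner."""
import re
from typing import List, Tuple

USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"""^\s*persist-credentials:\s*['"]?false['"]?\s*(#.*)?$""")

# Constructed placeholder, NOT the real commit id of actions/checkout v7.0.0.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow: job `test` has the weak form, job `lint` the hardened one.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
      - uses: actions/setup-go@v5
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@{PLACEHOLDER_SHA} # v7.0.0
        with:
          persist-credentials: false
      - name: Lint
        uses: ./.github/actions/lint
"""

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())

def _key_col(m: "re.Match[str]") -> int:
    """Column where the step's keys start ("- uses:" shifts them past the dash)."""
    return len(m.group(1)) + len(m.group(2) or "")

def _step_bounds(lines: List[str], idx: int, key_col: int) -> Tuple[int, int]:
    """[start, end) of the list item (the step) that contains line idx."""
    start = idx
    while start > 0:
        s = lines[start].lstrip()
        if s and _indent(lines[start]) == key_col - 2 and s.startswith("- "):
            break
        start -= 1
    end = idx + 1
    while end < len(lines) and not (lines[end].strip() and _indent(lines[end]) < key_col):
        end += 1
    return start, end

def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, detail) findings for every `uses:` line."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(3).strip("'\"")
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue  # local and container actions carry no git ref to pin
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((idx + 1, "unpinned-uses", f"{action} is referenced by '{version}', not a full commit SHA"))
        if action == "actions/checkout":
            start, end = _step_bounds(lines, idx, _key_col(m))
            if not any(PERSIST_OFF_RE.match(l) for l in lines[start:end]):
                findings.append((idx + 1, "artipacked", "actions/checkout step does not set persist-credentials: false"))
    return findings

def harden_checkout(text: str, sha: str, version: str) -> str:
    """Pin every unpinned actions/checkout step to `sha` (with the `# version`
    comment Dependabot needs to keep tracking it) and add
    persist-credentials: false to any checkout step that does not set it."""
    if not SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m or m.group(3).strip("'\"").partition("@")[0] != "actions/checkout":
            i += 1
            continue
        key_col = _key_col(m)
        if not SHA_RE.match(m.group(3).strip("'\"").partition("@")[2]):
            lines[i] = f"{lines[i][:m.start(3)]}actions/checkout@{sha} # {version}"
        start, end = _step_bounds(lines, i, key_col)
        if not any(PERSIST_OFF_RE.match(l) for l in lines[start:end]):
            setting = " " * (key_col + 2) + "persist-credentials: false"
            with_idx = next((k for k in range(start, end)
                             if lines[k][:key_col] == " " * key_col and lines[k][key_col:].startswith("with:")), None)
            if with_idx is None:
                while end > i + 1 and not lines[end - 1].strip():
                    end -= 1  # keep blank lines between steps after the new block
                lines[end:end] = [" " * key_col + "with:", setting]
            else:
                lines.insert(with_idx + 1, setting)  # reuse the step's existing with: block
        i = end
    return "\n".join(lines) + "\n"
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports the two findings zizmor attaches to each checkout step in this PR (unpinned-uses and artipacked on line 8) plus an unpinned setup-go reference, and `harden_checkout(SAMPLE_WORKFLOW, PLACEHOLDER_SHA, "v7.0.0")` rewrites the weak step into the suggested-patch form, including the trailing `# v7.0.0` comment that keeps Dependabot updating the pin. It is a line scanner rather than a YAML parser, so flow-style steps or a `with:` key placed on the dash line ahead of `uses:` are out of scope; for a real repository, run zizmor itself and use this only to understand what its two rules look for.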
