[Merged by Bors] - ci: bump actions/checkout to v7.0.0#41084
Closed
marcelolynch wants to merge 1 commit into
Conversation
v7 refuses to check out fork PR code under `pull_request_target`/`workflow_run` unless `allow-unsafe-pr-checkout` is set. Set it on the five steps that intentionally check out fork PR code in those contexts. Each is already hardened — no persisted GITHUB_TOKEN, and the fork code is either built inside the landrun sandbox or run with only `contents: read`, while the trust-rooted tooling is loaded from the base-repo checkout:

- .github/actions/setup-build-env/action.yml (build + test_lint jobs; landrun-sandboxed)
- .github/workflows/build_template.yml (post_steps job; contents: read only)
- .github/workflows/PR_summary.yml
- .github/workflows/add_label_from_diff.yaml
- .github/workflows/decls-diff.yml

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
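The hardening pattern the description relies on, shown as an added illustration that is not part of this PR or of mathlib's own workflows: a `pull_request_target` job that checks out the fork's head commit only with `persist-credentials: false` and into its own directory, while the script that processes that tree comes from the base-repo checkout. The workflow name, the `base`/`pr` paths and `scripts/summarize_diff.sh` are assumed names.

```yaml
name: pr-diff-summary  # illustrative workflow name, not one from mathlib
on:
  pull_request_target:  # runs in the base repo's context, so GITHUB_TOKEN is privileged
    types: [opened, synchronize]

# Nothing in this job may write to the repository; reading the fork code is all it needs.
permissions:
  contents: read

jobs:
  summarize:
    runs-on: ubuntu-latest
    steps:
      # Trusted checkout: with no ref given, actions/checkout uses the base branch,
      # so the tooling comes from the repository's own history, not from the fork.
      - name: Checkout base repo (trusted tooling)
        uses: actions/checkout@v7.0.0
        with:
          path: base

      # Untrusted checkout: the fork's head commit. v7 refuses this under
      # pull_request_target unless allow-unsafe-pr-checkout is set explicitly.
      # persist-credentials: false keeps GITHUB_TOKEN out of this checkout's
      # .git/config, so nothing in the fork tree can pick it up.
      - name: Checkout PR head (untrusted fork code)
        uses: actions/checkout@v7.0.0
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          persist-credentials: false
          allow-unsafe-pr-checkout: true

      # Only the base-repo script executes; the fork tree is data it reads,
      # never code it runs. (scripts/summarize_diff.sh is an assumed name.)
      - name: Summarize the PR diff
        run: ./base/scripts/summarize_diff.sh ./pr
```

Dropping `persist-credentials: false`, or running a script out of `./pr` instead of `./base`, is what turns this trigger into a token-exposure path; the opt-in flag by itself adds no protection, it only records that the risk was considered.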
PR summary ea114f5aa7

Import changes for modified files: No significant changes to the import graph

Import changes for all files
Contributor

Thanks!
mathlib-bors Bot
pushed a commit
that referenced
this pull request
Jun 26, 2026
Bumps `actions/checkout` to v7.0.0 across all workflows. v7 refuses to check out fork-PR code under `pull_request_target` / `workflow_run` unless `allow-unsafe-pr-checkout: true` is set. Five steps intentionally check out fork-PR code in those contexts. Each is already hardened: the fork code is either built inside the landrun sandbox or run with only `contents: read`, while trust-rooted tooling is loaded from the base-repo checkout.

| File | Step | Checked-out ref | Trigger |
|---|---|---|---|
| `.github/actions/setup-build-env/action.yml` | Checkout PR branch | `inputs.pr_branch_ref` | build_fork (`pull_request_target`) |
| `.github/workflows/build_template.yml` | `post_steps` checkout | `inputs.pr_branch_ref` | build_fork (`pull_request_target`) |
| `.github/workflows/PR_summary.yml` | Checkout code | `github.event.pull_request.head.sha` | `pull_request_target` |
| `.github/workflows/add_label_from_diff.yaml` | Checkout branch to label | `github.event.pull_request.head.sha \|\| github.sha` | `pull_request_target` |
| `.github/workflows/decls-diff.yml` | Checkout new commit | `steps.meta.outputs.new-sha` | `workflow_run` |

Reapplies #41055 (reverted in #41078). #41055 opted in the three workflow-file steps but missed the two on the fork-build path: `setup-build-env`'s `Checkout PR branch` (used by the `build` and `test_lint` jobs) and `build_template.yml`'s `post_steps` checkout.
Contributor

Pull request successfully merged into master. Build succeeded:
marcelolynch
pushed a commit
to marcelolynch/mathlib4
that referenced
this pull request
Jun 26, 2026
- actions/attest-build-provenance: v4.1.0 -> v4.1.1
- actions/setup-python: v6.2.0 -> v6.3.0
- softprops/action-gh-release: v3.0.0 -> v3.0.1
- actions/cache: v5.0.5 -> v6.1.0 (ESM migration + read-only cache handling)
- zulip/github-actions-zulip/send-message: v2.0.1 -> v2.0.2
- leanprover-community/privilege-escalation-bridge: v1.2.0 -> v1.3.0
- leanprover-community/gh-problem-matcher-wrap: pin to the node24 build (clears the Node 20 deprecation warning)
- kim-em/github-actions-ensure-sha-pinned-actions: pin to v5.0.0 instead of a feature branch
- dcarbone/install-jq-action: v3.2.0 -> v4.0.1 (default jq -> 1.8.2; mathlib's queries are unaffected)

actions/checkout was already bumped to v7.0.0 on master (leanprover-community#41084). leanprover-community/lint-style-action is bumped separately.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
marcelolynch
pushed a commit
to marcelolynch/mathlib4
that referenced
this pull request
Jun 26, 2026
- actions/attest-build-provenance: v4.1.0 -> v4.1.1
- actions/setup-python: v6.2.0 -> v6.3.0
- softprops/action-gh-release: v3.0.0 -> v3.0.1
- actions/cache: v5.0.5 -> v6.1.0 (ESM migration + read-only cache handling)
- zulip/github-actions-zulip/send-message: v2.0.1 -> v2.0.2
- leanprover-community/privilege-escalation-bridge: v1.2.0 -> v1.3.0
- leanprover-community/gh-problem-matcher-wrap: pin to the node24 build (clears the Node 20 deprecation warning)
- kim-em/github-actions-ensure-sha-pinned-actions: pin to v5.0.0 instead of a feature branch
- dcarbone/install-jq-action: v3.2.0 -> v4.0.1 (default jq -> 1.8.2; mathlib's queries are unaffected)

actions/checkout was already bumped to v7.0.0 on master (leanprover-community#41084).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
marcelolynch
pushed a commit
to marcelolynch/mathlib4
that referenced
this pull request
Jun 26, 2026
- actions/attest-build-provenance: v4.1.0 -> v4.1.1
- actions/setup-python: v6.2.0 -> v6.3.0
- softprops/action-gh-release: v3.0.0 -> v3.0.1
- actions/cache: v5.0.5 -> v6.1.0 (ESM migration + read-only-token save fix; inputs unchanged)
- zulip/github-actions-zulip/send-message: v2.0.1 -> v2.0.2
- leanprover-community/privilege-escalation-bridge: v1.2.0 -> v1.3.0
- leanprover-community/gh-problem-matcher-wrap: pin to the node24 build (clears the Node 20 deprecation warning)
- dcarbone/install-jq-action: v3.2.0 -> v4.0.1 (default jq -> 1.8.2; mathlib's queries are unaffected)

actions/checkout was already bumped to v7.0.0 on master (leanprover-community#41084).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>