ci: bump actions/checkout from 6 to 7#345
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
❌ Request changes
1 finding — 1 major
Review assessment
Effort: ●●●●● 5/5
Metrics: 1 finding · 1 file touched · 1 blocker plus major finding
Severity distribution:
Total: 1 finding
Bar: █
- 🔴 major: 1 finding
TL;DR
The pull request updates the actions/checkout dependency from version 6 to 7 across multiple GitHub Actions workflows. This upgrade introduces breaking changes, including blocking checkout of fork PRs for pull_request_target and workflow_run events, which may impact workflows relying on forked repositories. No code logic changes were made beyond the version bump.
Findings
| Severity | Location | Title | Details |
|---|---|---|---|
| 🔴 | .github/workflows/ci.yml:20 | Fork PR checkout blocked for pull_request_target and workflow_run events | The upgrade to actions/checkout@v7 introduces a breaking change that blocks checking out fork PRs for pull_request_target and workflow_run events. If this workflow relies on forked repositories for these events, it will fail, disrupting CI/CD pipelines. |
File-by-file
.github/workflows/ci.yml
1 finding
- .github/workflows/ci.yml:20 Fork PR checkout blocked for `pull_request_target` and `workflow_run` events
Compliance & provenance
Compliance & audit
Model: mistral / mistral-large-latest
Prompt sha256: 891fdeb2ca3a171e373fbfe4fadb07fd43be7314fe99f28c3652a312de298b67
No signed audit trail is attached
Fork PR checkout blocked for pull_request_target and workflow_run events — .github/workflows/ci.yml:20
🔍 Audit Reference: SOVRI-SC-C33B-35F3
Tokens: 8831 in / 1340 out · Estimated cost: $0.0064 (mistral mistral-large-latest)
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
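Review bot: The step at ci.yml:20 moves from `actions/checkout@v6` to `actions/checkout@v7` by mutable major-version tag, and v7 changes behaviour for `pull_request_target` and `workflow_run` triggers (commit f9e715a in the bump range), so before merging confirm that this workflow's `on:` block does not use either event together with a `ref:` or `repository:` input pointing at the PR head, and state the result in the PR. Separately, consider pinning the action to the full commit SHA that the `v7` tag resolves to, keeping `# v7` as a trailing comment, so that a later retag of `v7` cannot silently change what the job runs.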
🔴 🔒 Security
Fork PR checkout blocked for pull_request_target and workflow_run events
Problem: The upgrade to actions/checkout@v7 introduces a breaking change that blocks checking out fork PRs for pull_request_target and workflow_run events. If this workflow relies on forked repositories for these events, it will fail, disrupting CI/CD pipelines.
Fix: Review the workflow to determine if it processes PRs from forks using pull_request_target or workflow_run. If so, either adjust the workflow logic to avoid relying on forked PRs or pin to actions/checkout@v6 until the workflow can be updated to accommodate the new behavior.
🔍 Audit Reference: SOVRI-SC-C33B-35F3
Merging this PR will improve performance by 28.12%
| | Benchmark | BASE | HEAD | Efficiency |
|---|---|---|---|---|
| ⚡ | insert[100] | 16.4 µs | 11.1 µs | +48% |
| ⚡ | insert[1000] | 11 µs | 9.9 µs | +10.91% |
Tip
Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.
Comparing dependabot/github_actions/actions/checkout-7 (ae59be3) with main (bf6a128)
Bumps actions/checkout from 6 to 7.
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by cubic
Upgrade all GitHub Actions workflows to `actions/checkout@v7` for security updates and upstream behavior changes. Note: v7 blocks checking out fork PRs for `pull_request_target` and `workflow_run`.

Dependencies
- `actions/checkout` from v6 to v7 in `ci.yml`, `coverage.yml`, `codspeed.yml`, `fuzz.yml`, `pages.yml`, `profile.yml`, and `release.yml`.

Migration
- `pull_request_target` or `workflow_run`, switch to `pull_request` or adjust the strategy/permissions accordingly.

Written for commit ae59be3. Summary will update on new commits.
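The review's Fix step and the cubic summary's Migration note both come down to the same audit: find every workflow that combines a `pull_request_target` or `workflow_run` trigger with a checkout of the fork's head, then move it to `pull_request` or change what it checks out. The script below is an added example of that audit. It is not code from this PR, from actions/checkout, or from any of the bots on this page. It is a line-based heuristic with no YAML library, it assumes that "relying on a fork PR" shows up as a `ref:` or `repository:` input built from `github.event.pull_request.head.*` or `github.event.workflow_run.head_*`, and the two embedded workflows and the all-zero commit SHA are constructed placeholders, not files from the repository. The check actions/checkout@v7 itself performs may be broader or narrower than this heuristic, so treat its output as a lead, not a verdict.

```python
"""Heuristic audit for the pattern actions/checkout@v7 blocks: checking out a fork's head under
pull_request_target or workflow_run. Added example, not code from the PR or from actions/checkout."""
import re
import textwrap
from typing import NamedTuple

RISKY_EVENTS = {"pull_request_target", "workflow_run"}
# Assumed signature of "relying on a fork PR": a ref:/repository: input built from the event head.
HEAD_EXPR = re.compile(r"github\.event\.(?:pull_request\.head\.|workflow_run\.head_)")
CHECKOUT_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*actions/checkout@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    workflow: str
    line: int       # 1-based line of the `uses:` step
    severity: str   # "major": v7 will fail this step; "info": supply-chain hygiene
    message: str

def triggers(text: str) -> set[str]:
    """Event names under the top-level `on:` key, given inline or as a nested block."""
    lines, events = text.splitlines(), set()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*([^#]*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        if m.group(1):  # on: push   or   on: [push, pull_request_target]
            events.update(re.findall(r"[A-Za-z_]+", m.group(1)))
            break
        child = None    # indentation of the direct children of `on:`; deeper keys are options
        for nxt in lines[i + 1:]:
            s, ind = nxt.strip(), len(nxt) - len(nxt.lstrip())
            if not s or s.startswith("#"):
                continue
            if ind == 0:
                break   # left the `on:` block
            child = ind if child is None else child
            k = re.match(r"^-?\s*([A-Za-z_]+)", s)
            if k and ind == child:
                events.add(k.group(1))
        break
    return events

def checkout_steps(text: str):
    """Yield (line_no, ref, body_lines) for every actions/checkout step."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        col, body = line.index("uses:"), []   # sibling keys (with: ...) sit at this column
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < col:
                break  # next list item or end of the steps block
            body.append(nxt)
        yield i + 1, m.group(1), body

def audit_workflow(name: str, text: str) -> list[Finding]:
    risky = sorted(triggers(text) & RISKY_EVENTS)
    findings = []
    for line_no, ref, body in checkout_steps(text):
        head_inputs = [b.strip() for b in body if HEAD_EXPR.search(b)]
        if risky and head_inputs:
            findings.append(Finding(name, line_no, "major",
                f"checks out the event head under {', '.join(risky)}, which "
                f"actions/checkout@v7 refuses: {'; '.join(head_inputs)}"))
        if not FULL_SHA.match(ref):
            findings.append(Finding(name, line_no, "info",
                f"pinned to mutable ref '{ref}' instead of a commit SHA"))
    return findings

# Constructed sample workflows (not files from the PR); the all-zero SHA is a placeholder.
VULNERABLE = textwrap.dedent("""\
    on:
      pull_request_target:
        types: [opened, synchronize]
      push:
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v7
            with:
              repository: ${{ github.event.pull_request.head.repo.full_name }}
              ref: ${{ github.event.pull_request.head.sha }}
          - run: make test
    """)
MIGRATED = textwrap.dedent("""\
    on: [push, pull_request]
    jobs:
      test:
        runs-on: ubuntu-latest
        steps:
          - name: Check out the merge commit from the base repository (default ref)
            uses: actions/checkout@0000000000000000000000000000000000000000 # v7, placeholder SHA
          - run: make test
    """)

if __name__ == "__main__":
    for label, text in (("before", VULNERABLE), ("after", MIGRATED)):
        print(label, audit_workflow("ci.yml", text) or "no findings")
```

To use it on a repository, read each file under `.github/workflows/` and pass its contents to `audit_workflow`. The `major` finding is the one this PR is about: under `pull_request_target` or `workflow_run` the job runs with the base repository's secrets, and checking out the incoming head there is exactly the combination v7 now refuses. The `info` finding is the supply-chain caveat that goes with any Dependabot action bump: a major-version tag such as `v7` is mutable, so pinning to the commit SHA the tag resolves to, with `# v7` kept as a trailing comment so Dependabot can still track the version, is the stricter choice.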