2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
@@ -33,7 +33,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read-only verification:
# 1) Confirm any remaining unpinned checkout references.
# 2) Resolve the commit SHA behind v7 so it can be pinned explicitly.

set -euo pipefail

echo "== Unpinned checkout references =="
rg -nP 'uses:\s*actions/checkout@v[0-9]+' .github/workflows

echo
echo "== Resolve v7 tag to commit SHA (GitHub API) =="
curl -fsSL https://api.github.com/repos/actions/checkout/git/ref/tags/v7 | jq -r '.object.sha'

Repository: package-operator/boxcutter

Length of output: 361


🌐 Web query:

actions/checkout v7 commit SHA release tag github

💡 Result:

As of today, June 18, 2026, the actions/checkout action has released version v7.0.0 [1]. The v7.0.0 release introduces support for ECMAScript Modules (ESM) to accommodate newer versions of @actions/* packages and includes security-focused updates, such as blocking the checkout of fork pull requests in pull_request_target and workflow_run contexts [1][2]. The specific commit SHA for the v7.0.0 release tag is 9c091bb [1]. For your workflow configuration, you can use the v7 tag as follows (yaml):

    - uses: actions/checkout@v7

While v7.0.0 is the latest major release, always refer to the official repository releases page for the most current information and changelogs [1].

Citations:


Pin actions/checkout to a commit SHA (not a mutable major tag).

Line 36 currently uses actions/checkout@v7, which is mutable and poses a supply-chain risk. The v7 tag corresponds to commit 9c091bb. Pin to this commit SHA to prevent supply-chain drift.

Note: Multiple workflow files have unpinned checkout references (also at testing.yaml:22).

Suggested change
-      uses: actions/checkout@v7
+      uses: actions/checkout@9c091bb
🧰 Tools
🪛 zizmor (1.25.2)

[error] 36-36: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-analysis.yml at line 36, replace the mutable major
tag `v7` in the `actions/checkout` action with the specific commit SHA `9c091bb`
to eliminate supply-chain risk. Change `uses: actions/checkout@v7` to `uses:
actions/checkout@9c091bb`. Additionally, apply the same fix to the identical
unpinned `actions/checkout` reference that exists in the testing.yaml workflow
file to ensure consistency across all workflow files.

Source: Linters/SAST tools

with:
fetch-depth: 0
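Review bot: The bump from `actions/checkout@v6` to `actions/checkout@v7` keeps the reference on a mutable major tag, so this hunk does not on its own clear the zizmor `unpinned-uses` finding quoted in the thread. If the intent is to pin, the two comments on this PR disagree on the form: the first suggests the abbreviated `9c091bb`, the second asks for a full-length commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA> # v7`). Prefer the full-length form, which is what the linter and the second comment expect, and keep the `# v7` comment so Dependabot or Renovate can still track releases. `fetch-depth: 0` is unchanged here, so the full-history clone CodeQL relies on is unaffected by the bump.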

2 changes: 1 addition & 1 deletion .github/workflows/testing.yaml
@@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read it
if [ -f .github/workflows/testing.yaml ]; then
    echo "=== File found. Reading content ==="
    cat -n .github/workflows/testing.yaml
else
    echo "File not found"
fi

Repository: package-operator/boxcutter

Length of output: 2054


🏁 Script executed:

# Also check for other workflow files to understand the pattern
echo "=== Checking for other workflow files ==="
fd -e yaml -e yml .github/workflows/

Repository: package-operator/boxcutter

Length of output: 508


🏁 Script executed:

# Check for other workflow files properly
echo "=== Looking for other workflow files ==="
fd . '.github/workflows/' --type f

# Also check what other actions are used in this file to see pinning patterns
echo ""
echo "=== Other actions in testing.yaml ==="
grep -n "uses:" .github/workflows/testing.yaml

Repository: package-operator/boxcutter

Length of output: 414


🌐 Web query:

GitHub Actions pinning commit SHA security best practice v7 mutable

💡 Result:

Pinning GitHub Actions to a full-length commit SHA (e.g., 40 characters) is a critical security best practice for supply chain hardening [1][2][3]. While version tags (like @v7) are convenient, they are mutable references in Git, meaning an action author—or an attacker who gains write access to that repository—can silently update the tag to point to a different, potentially malicious commit [2][4][5][6].

Key points regarding this security practice:

- Immutable References: Pinning to a full-length commit SHA ensures that the exact, verified code you expect is executed every time [2][7][3]. This protects against tag-retargeting attacks [8].
- Policy Enforcement: GitHub now supports organization-level policies that allow administrators to mandate SHA pinning for all actions [1][9][2]. When enforced, workflows using mutable tags will fail, requiring developers to switch to SHA pins [9][2]. This policy typically checks the entire dependency tree, including internal sub-actions [2].
- Maintenance Strategy: To maintain security without excessive manual effort, it is standard practice to pin the SHA while including the original version tag as a comment [10][4][6][11]. This format (e.g., uses: actions/checkout@11bd719... # v4.2.2) enables automated tools like Dependabot or Renovate to correctly identify and propose updates when new versions are released [7][10][4][11].

Best Practices:

- Always pin third-party actions to full commit SHAs [1][11][3].
- Use automated dependency management tools to keep SHAs updated, but remain cautious of auto-merging updates without review [8][7][6].
- Consider implementing repository-level or organization-level policies to enforce SHA pinning [1][9][6].
- When writing custom actions, pin your own internal sub-action references to SHAs to ensure your consumers are protected when they adopt SHA-pinning policies [2].

Citations:


Pin the checkout action to an exact commit SHA for supply chain security.

Line 22 uses actions/checkout@v7, which is a mutable version tag. This violates the principle of pinning actions to full-length commit SHAs to prevent tag-retargeting attacks. Pin this reference to the exact commit SHA of v7, including the version tag as a comment for maintainability.

Suggested change
-    - name: Checkout
-      uses: actions/checkout@v7
+    - name: Checkout
+      uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA> # v7
🧰 Tools
🪛 zizmor (1.25.2)

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/testing.yaml at line 22, replace the mutable version tag
`v7` in the `actions/checkout` action reference with the full-length commit SHA
of that version to prevent tag-retargeting attacks. Pin the checkout action to
its exact commit SHA and include the v7 version tag as a comment within the uses
line for future maintainability and clarity.

Source: Linters/SAST tools

with:
fetch-depth: 0
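Review bot: Same mutable tag here as in codeql-analysis.yml. Since both workflows are bumped in this PR, pin them to the same full-length SHA in the same `@<sha> # v7` form so the two files do not drift onto different pinning conventions. Note that the suggested change in this thread contains the literal placeholder `<FULL_LENGTH_COMMIT_SHA>` and cannot be committed as-is; resolve the tag first, for example with the `git/ref/tags/v7` API call already shown in the first comment's script, and verify that the resolved commit matches the v7.0.0 release before committing it.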
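The two review comments above describe the same policy (pin `uses:` references to a full-length commit SHA and keep the tag as a trailing comment) but differ on whether an abbreviated SHA is acceptable. The following is an added example written for this page, not a script from the PR or from the review bot, that encodes the stricter rule: a reference counts as pinned only when its ref is exactly 40 hex characters, so both the mutable `v7` tag and the abbreviated `9c091bb` are reported. The sample workflow and the 40-character SHA in it are constructed placeholders, not real values from the repository.

```bash
#!/usr/bin/env bash
# Added example (not part of the PR or the review bot's own scripts): a
# read-only checker for the "unpinned action reference" finding, plus a
# helper that rewrites a tag-pinned line into the `@<sha> # <tag>` form.

# Returns 0 when LINE is `uses: owner/repo@<40-hex-sha>`, optionally
# followed by a `# v7` style comment; anything else (tag, branch,
# abbreviated SHA) returns 1.
is_full_sha_pin() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[0-9a-f]{40}([[:space:]]+#.*)?[[:space:]]*$'
}

# Prints "FILE:LINE: unpinned action reference: <ref>" for every `uses:`
# line in FILE that is not a full-SHA pin. Local (./path) and docker://
# references are not action repositories and are skipped.
list_unpinned() {
  local file="$1" line n=0
  while IFS= read -r line; do
    n=$((n + 1))
    case "$line" in
      *'uses: ./'*|*'uses: docker://'*) continue ;;
      *uses:*) ;;
      *) continue ;;
    esac
    if ! is_full_sha_pin "$line"; then
      printf '%s:%d: unpinned action reference: %s\n' "$file" "$n" \
        "$(printf '%s' "$line" | sed -E 's/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//')"
    fi
  done < "$file"
}

# Prints the number of unpinned references found in FILE.
count_unpinned() {
  list_unpinned "$1" | {
    n=0
    while IFS= read -r discard; do n=$((n + 1)); done
    printf '%d\n' "$n"
  }
}

# Rewrites a tag-based `uses:` LINE to the form recommended in the thread:
# SHA becomes the ref and the original tag is kept as a trailing comment so
# Dependabot/Renovate can still track releases. Returns 1 unless SHA is a
# full 40-hex string, which rules out abbreviated SHAs such as 9c091bb.
pin_line() {
  local line="$1" sha="$2"
  printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$' || return 1
  printf '%s\n' "$line" | sed -E "s|@([^[:space:]#]+)([[:space:]]*#.*)?\$|@${sha} # \1|"
}

# Constructed sample workflow (not the repository's real file) covering a
# mutable tag, an abbreviated SHA, a full-length placeholder SHA and a
# local action. The 40-character SHA is a placeholder, not a real commit.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v7
    - uses: actions/checkout@9c091bb
    - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
    - uses: ./.github/actions/local-helper
EOF

list_unpinned "$SAMPLE_FILE"                         # reports lines 6 and 7
echo "unpinned references: $(count_unpinned "$SAMPLE_FILE")"   # 2
pin_line '      uses: actions/checkout@v7' 0123456789abcdef0123456789abcdef01234567
```

Run it on a real checkout with `list_unpinned .github/workflows/testing.yaml`; resolving a tag to its full SHA is deliberately left to the API call shown in the first comment's script, since `pin_line` only refuses to write anything shorter than 40 hex characters.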
