
build(deps): bump actions/checkout from 6 to 7 #510

Merged
MatousJobanek merged 1 commit into master from dependabot/github_actions/actions/checkout-7 on Jun 22, 2026

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026


Bumps actions/checkout from 6 to 7.

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions checkout step across CI/CD workflows to the latest version for improved compatibility and security.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 19, 2026
@coderabbitai

coderabbitai Bot commented Jun 19, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 55d79bab-ea38-4d93-9b6e-583eef34b66d

📥 Commits

Reviewing files that changed from the base of the PR and between c8f486b and 4609f4e.

📒 Files selected for processing (3)
  • .github/workflows/ci-build.yml
  • .github/workflows/govulncheck.yml
  • .github/workflows/verify-dependencies.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Verify Dependencies
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/govulncheck.yml

[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/ci-build.yml

[warning] 17-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/verify-dependencies.yml

[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e, codeready-toolchain/toolchain-common

Linked repositories findings

Based on my cross-repository exploration, I found important context about the actions/checkout version upgrade that affects multiple related repositories:

codeready-toolchain/host-operator

Critical workflows using pull_request_target with actions/checkout@v6:

  • .github/workflows/publish-components-for-e2e-tests.yml:24 — First checkout step runs on pull_request_target events
  • .github/workflows/publish-components-for-e2e-tests.yml:35 — Second checkout step for comment events also references pull request data

Other workflows still on v6:

  • .github/workflows/govulncheck.yml:13 — uses actions/checkout@v6
  • .github/workflows/test-with-coverage.yml — uses actions/checkout@v6
  • .github/workflows/operator-cd.yml — uses actions/checkout@v6
  • .github/workflows/ci-golang-sbom.yml — uses actions/checkout@v6 (twice)
  • .github/workflows/ci-check-gomod.yml — uses actions/checkout@v6
  • .github/workflows/publish-components-for-e2e-tests.yml — uses actions/checkout@v6 (twice)

[::codeready-toolchain/host-operator::]

codeready-toolchain/toolchain-e2e

Critical workflows using pull_request_target with actions/checkout@v6:

  • .github/workflows/publish-components-for-e2e-tests.yml:20 — Checkout step on pull_request_target event (with fork repository reference)
  • .github/workflows/publish-components-for-e2e-tests.yml:31 — Checkout step for issue comment events

Other workflows still on v6:

  • .github/workflows/ci-build.yml:10 — uses actions/checkout@v6 in golangci job
  • .github/workflows/ci-build.yml:21 — uses actions/checkout@v6 in unit-tests job
  • .github/workflows/govulncheck.yml — uses actions/checkout@v6
  • .github/workflows/ci-check-gomod.yml — uses actions/checkout@v6
  • .github/workflows/publish-components-for-e2e-tests.yml — uses actions/checkout@v6 (twice)

[::codeready-toolchain/toolchain-e2e::]

codeready-toolchain/toolchain-common

Workflows still on v6 (some being updated in this PR):

  • .github/workflows/govulncheck.yml — uses actions/checkout@v6 (being updated)
  • .github/workflows/verify-dependencies.yml — uses actions/checkout@v6 (being updated)
  • .github/workflows/test-with-coverage.yml — uses actions/checkout@v6
  • .github/workflows/linters.yml — uses actions/checkout@v6
  • .github/workflows/ci-check-gomod.yml — uses actions/checkout@v6

Workflow using workflow_run event:

  • .github/workflows/upload-coverage.yml — triggers on workflow_run event with actions/checkout@v6

[::codeready-toolchain/toolchain-common::]

Key Cross-Repo Impact

The PR's update from actions/checkout@v6 to @v7 introduces a breaking behavior change: v7 blocks checking out fork pull requests for pull_request_target and workflow_run events. The related repositories (host-operator and toolchain-e2e) have critical workflows (publish-components-for-e2e-tests.yml) that use pull_request_target with actions/checkout@v6 and explicitly reference fork repository data (${{github.event.pull_request.head.repo.full_name}}). These workflows will need coordinated updates across all three repositories to maintain consistent behavior.

🔇 Additional comments (4)
.github/workflows/ci-build.yml (2)

17-18: 💤 Low value

Action pinning: Consider pinning to commit SHA instead of version tag.

Static analysis flags that the action uses a version tag (@v7) rather than a commit SHA. While this is a common pattern, pinning to specific commit hashes provides stronger security guarantees against tag mutations.


17-18: The upgrade to actions/checkout@v7 is safe for this workflow. The ci-build.yml file uses only pull_request and push events, which are unaffected by v7's safety guardrails. The v7 breaking change only applies to pull_request_target and workflow_run events; neither is present in this workflow. Additionally, there are no fork repository checkout patterns in the file.

.github/workflows/govulncheck.yml (1)

13-14: No action needed — upgrade to actions/checkout@v7 is safe for this workflow.

This workflow triggers on pull_request events only. The breaking change in actions/checkout v7 (refusing to check out fork pull requests) applies only to pull_request_target and workflow_run events, not pull_request events. The upgrade is safe.

> Likely an incorrect or invalid review comment.
.github/workflows/verify-dependencies.yml (1)

13-14: No breaking change risk from checkout@v7 upgrade for this workflow.

The verify-dependencies.yml workflow uses the pull_request event, which is safe for actions/checkout@v7. The breaking change (refusing fork checkout for pull_request_target and workflow_run events) does not affect this workflow's trigger configuration.


Walkthrough

Three GitHub Actions workflow files (ci-build.yml, govulncheck.yml, verify-dependencies.yml) are updated to use actions/checkout@v7 instead of actions/checkout@v6 in their respective "Checkout code" steps.

Changes

actions/checkout v6 → v7 upgrade

Layer: Bump actions/checkout to v7 in all workflows
File(s): .github/workflows/ci-build.yml, .github/workflows/govulncheck.yml, .github/workflows/verify-dependencies.yml
Summary: The actions/checkout step is updated from v6 to v7 across all three CI workflow files.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested labels

ci

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check (⚠️ Warning): The PR description is missing required sections from the template: it lacks the main description, all checklist items, and related PR links. Resolution: add a description of the changes' goals and complete all required checklist items from the template, or note if items are not applicable (N/A).
✅ Passed checks (4 passed)
Title check (✅ Passed): The title clearly and concisely describes the main change: updating the actions/checkout dependency from version 6 to 7 across three CI workflow files.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/checkout-7

Comment @coderabbitai help to get the list of available commands and usage tips.
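The three findings in the review above (an action pinned to a mutable tag, a checkout that leaves the token in .git/config, and a checkout of the pull request head under pull_request_target or workflow_run, which actions/checkout v7 refuses) are mechanical enough to check without a YAML parser. The block below is an added example, not code from this repository, from zizmor, or from actions/checkout: a dependency-free Python linter that applies those three rules to constructed workflow snippets shaped like the ones discussed in the thread. The weak and hardened samples, the rule ids, and the 40-character digest in the hardened sample are all illustrative; the digest is a placeholder, not a real actions/checkout commit.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not this repository's file: the shape of the workflows
# touched by the PR (pull_request trigger, major-tag pin, no persist-credentials).
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v7
      - run: go test ./...
"""

# Constructed sample of the pattern flagged in the linked repositories:
# pull_request_target plus a checkout of the fork's head (refused by v7).
FORK_TARGET_WORKFLOW = """\
name: publish
on:
  pull_request_target:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
"""

# Constructed hardened form: full commit pin (placeholder digest, not a real
# actions/checkout commit) and no token persisted into .git/config.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7.0.0
        with:
          persist-credentials: false
      - run: go test ./...
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")


def _steps(text: str) -> List[List[str]]:
    """Split a workflow into steps: each '- ' item plus the deeper-indented
    lines that follow it. Sufficient for flat step lists like the samples."""
    lines = text.splitlines()
    steps: List[List[str]] = []
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-\s", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        body = [lines[i][indent + 1:].strip()]
        i += 1
        while i < len(lines):
            if not lines[i].strip():
                i += 1
                continue
            if len(lines[i]) - len(lines[i].lstrip()) <= indent:
                break
            body.append(lines[i].strip())
            i += 1
        steps.append(body)
    return steps


def privileged_triggers(text: str) -> List[str]:
    """Triggers that run with the base repo's secrets and token on fork PRs."""
    found = []
    for key in PRIVILEGED_TRIGGERS:
        block = re.search(rf"^\s*{key}\s*:", text, re.M)
        inline = re.search(rf"^\s*on:\s*\[[^\]]*\b{key}\b", text, re.M)
        if block or inline:
            found.append(key)
    return found


def lint_workflow(name: str, text: str) -> List[Tuple[str, str]]:
    """Return (rule_id, message) findings for one workflow file."""
    findings: List[Tuple[str, str]] = []
    privileged = privileged_triggers(text)
    for body in _steps(text):
        uses = next((l.split(":", 1)[1] for l in body if l.startswith("uses:")), None)
        if uses is None:
            continue
        uses = uses.split("#", 1)[0].strip()  # drop a trailing "# v7.0.0" comment
        action, _, ref = uses.partition("@")
        if not SHA_RE.match(ref):
            findings.append(("unpinned-uses", f"{name}: {uses} is not pinned to a commit SHA"))
        if action != "actions/checkout":
            continue
        if not any(re.match(r"persist-credentials:\s*false\b", l) for l in body):
            findings.append(("artipacked", f"{name}: checkout does not set persist-credentials: false"))
        if privileged and any("github.event.pull_request.head" in l for l in body):
            findings.append(("fork-checkout", f"{name}: checks out the PR head under "
                             f"{', '.join(privileged)}; actions/checkout v7 refuses this for forks"))
    return findings


def lint_all(workflows: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each workflow name to the sorted rule ids it triggers."""
    return {n: sorted(r for r, _ in lint_workflow(n, t)) for n, t in workflows.items()}


if __name__ == "__main__":
    samples = {"weak.yml": WEAK_WORKFLOW, "fork-target.yml": FORK_TARGET_WORKFLOW,
               "hardened.yml": HARDENED_WORKFLOW}
    for n, t in samples.items():
        for rule, msg in lint_workflow(n, t) or [("ok", f"{n}: no findings")]:
            print(f"[{rule}] {msg}")
```

Run it as a script to see the weak sample trip unpinned-uses and artipacked, the pull_request_target sample additionally trip fork-checkout, and the hardened sample pass clean. The step splitter is deliberately indentation-based rather than a YAML parser, so it handles the flat step lists the three workflows in this PR use; anchors, flow-style mappings, or reusable-workflow `uses:` at job level would need a real parser.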

@coderabbitai coderabbitai Bot added the ci Add or update CI/CD configuration label Jun 19, 2026
@MatousJobanek MatousJobanek merged commit 920c974 into master Jun 22, 2026
5 of 6 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/actions/checkout-7 branch June 22, 2026 14:04
